A while back, I had a nice chat with a venture capitalist about the cybersecurity industry. She was picking my brain about trends I had observed when she asked me a great question: “When you hear about a new cybersecurity solution, how do you predict whether or not a new solution will be truly successful?” My answer was surprisingly simple because, you see, preventing cybersecurity incidents is deceptively simple.
Now, before I continue, I’d like to make an important distinction. There’s a big difference between “simple” and “easy.” Simple is not always easy, though easy is usually simple. Hitting a home run at a Major League Baseball game is very simple. The batter makes solid contact with the ball, with the angle and force required to knock it out of the park. There are no more steps. It’s very simple. But it’s not easy. The batter has, at most, 250 milliseconds to decide whether or not to swing, how hard, and at what angle.
Many of the principles and practices associated with defensive security are also simple. Things like the principle of least privilege, minimizing attack surface, vulnerability patching, and defense-in-depth are very simple concepts. The hard part is not explaining the value of these things — it’s implementing them.
Despite our best efforts, breaches are still a daily occurrence, and the global cost of cybercrime was over $6 trillion in 2021. Contrary to popular belief, most of these attacks are not carried out by über 1337 hax0rz with Einsteinian IQs. Most cybersecurity breaches are caused by a violation of simple security principles. According to Verizon’s 2022 DBIR, “82% of breaches … involved the human element.” The culprits are phishing, misconfigurations, unpatched software, poor OPSEC, and a failure to implement basic security controls.
So, how do I evaluate a cybersecurity solution? You may be surprised to find out that I’m not interested in the latest neural net-powered, blockchain-enabled, turbo encabulator-charged, alphabet soup product from Xtreme CyberStryke Solutions™. My answer is simple because security is simple: A valuable, successful cybersecurity solution is one that makes a fundamental cybersecurity principle faster, simpler, or easier to implement. Fancy buzzwords do not stop breaches. Fundamental principles do. A solution that helps an organization adopt and strengthen fundamental cybersecurity principles will prove its worth every day.