It has become a common headline in the news. Company X has fallen victim to a Cyber Security Data Breach. Most recently the victim was Capital One, but the ghosts of Adobe, Ashley Madison, Heartland Payment Systems, Yahoo and JP Morgan Chase echo in the distance. It has become so common that the general public has become tone deaf. It is no longer a shock that a breach has occurred. Instead, the general public focuses on whether the Russian Roulette of failed data security has fired the bullet in their direction and what needs to be done to mitigate the damage.
Perhaps the better question is to focus on the smoking gun. With all of the investment in Cyber Security and data protection, why are breaches still so common?
Cyber Security History 101
To fully understand how we got to this point, we need to go back to 1995. The Dot Com Era begins and companies race to find a place on the World Wide Web. Windows 95 is making its way to the home computer, allowing millions access to the web. The Information Age has begun its first descent into mainstream life for the developed world. Sites such as Amazon.com launch, marking the birthplace of online shopping. An online presence becomes paramount for staying relevant in the retail world.
It is this need for haste that overrides security. For most companies, the business need for a functional website became more important than the security of the framework on which it was built. The web was built for sharing data files and was not designed for the complexities and potential exploitation of connecting websites to databases. The first seeds of a flawed internet are sown.
Fast forward to the 2000s and we are still doing things wrong. For example, the Cisco 2950 series switch, a staple of this era of computer networking, doesn't even have the means to leverage SSH. It's console or Telnet. Not particularly compelling options. This is not the only issue by any stretch of the imagination. The web is becoming a very automated place, full of things like online banking, eCommerce sites and company stores. The need for function dominates the landscape and the security of the web at the time is still quite poor. Password policies are often as simple as someone sticking a Post-it note to a workstation.
We also begin to see some major corporations fall victim to large scale data breaches. In 2005, TJX, the parent company of TJ Maxx, fell victim to the first massive scale Cyber Security breach. A series of very basic cyber security failures allowed a malicious actor to hack into a poorly secured wireless network at a retail store and turn that into 45 million customer records. This was the start of a disturbing trend of breaches and really began to show just how poor the cyber security of most corporations was at the time.
Moving into the 2010s, corporations collecting, using and storing data becomes commonplace. Since security has not evolved at the same pace as technology, the same story continues to unfold. Dozens of corporations fall victim to massive cyber security breaches on a seemingly endless basis. The failures of basic cyber hygiene are well documented and need no retelling. But the basic question remains: why is this still so bad?
Cyber Security wasn't mainstream fast enough
The bottom line is that cyber security is hurting because we didn't cultivate the mindset, the talent and the infrastructure years ago, and we are having trouble shifting the landscape, recruiting the talent and reversing the polarity. We are still using things we shouldn't, from Operating Systems to Passwords. We are still short on talent in the industry as a whole and the result is a stagnated round robin of data breaches. Politicians seem to believe the answer to solving these problems is punitive, much like smacking your dog on the nose with a newspaper to stop him from peeing in the house. It's a blunt approach and one that doesn't fix the problem. It just puts pressure on the folks who are already struggling to keep up. Cyber Security is a daunting challenge, one that will take investment, outreach and fundamental changes to the way we use the web. Despite all the technical issues and potential problems, the single most important fix begins with people.
Most cyber security professionals did not start as such. They were Network Engineers or DBAs prior to becoming part of the Cyber landscape. The reality is that the IT industry as a whole exploded faster than we could keep it safe. And that process continues today with IoT devices, self-driving cars; the list goes on. We need more people to learn the technology. This is perhaps the most difficult portion of the equation, as Cyber Security is not very beginner friendly. There is a baseline of knowledge required to perform the job function, and that requires time and experience. In its simplest form, this is THE single largest problem. But the overall mantra is simple:
Too many threats; too many insecure means of doing things; too little margin of error and not enough qualified people to do the work.
The Fix Starts with the next generation of Cyber Security Professionals
The reality is that nothing changes unless we have more people conscious of the incredibly connected world they traverse every day. Cyber Security Professionals are the front lines, but this includes the world as a whole. Learning basic things like not clicking on links within emails, using two-factor authentication and not using open Wi-Fi makes a large difference in the world they live in. But more has to be done to evangelize these principles. For the vast majority of the world, no one taught them anything about Cyber Security. They have learned what they know from the web, the news or, God help us, Television...
As an aside, the video below is perhaps THE SINGLE most brain-dead hacking scene of all time. This is not Cyber Security, Hacking or anything associated with our profession. This is Television Diarrhea:
How do we fix it?
For those of us in the industry, we have a wonderful opportunity to create a better situation for the next generation and for those that leverage the Age of Information. We need to help cultivate talent by giving those who want to learn a means to do so. We need to change the things about the Cyber world that don't work (I'm looking at you, Passwords) and replace them with better, more elegant solutions. We need to take a step back from the corporate engine of progression and evaluate the situation using the mantra of "Just because we CAN doesn't mean we SHOULD" (here I am looking directly at self-driving cars). This blog and website will do as much as possible to provide anyone who wants to know how to become a Cyber Security Professional with a road map to do so. The World has stuck its head in the sand for over 25 years. It's time to come up for air.