Here’s a big problem that bugs me: Most people manage cyber risks the way they manage static risks. This is a big mistake.
Here’s an example: Fire is a static risk. Fire always needs fuel, oxygen, and heat to start and keep going. Take away one of those three ingredients and the fire goes out. Stop those three from coming together, and no fire will start. Over time, we’ve developed highly effective, reliable ways of controlling fire.
Most cyber risks are not like fire. They’re constantly changing because the people behind the attacks are regularly innovating their methods to work around our defenses.
Phishing is a great example. There's no single, reliable mitigation that will stop, or greatly reduce the risk of, future phishing attacks. We have to keep doing new and often different things to keep up with the attackers (adding new filters to our email server, for instance), and each new filter answers a trick that has already been used against us. In practice, someone eventually falls for a phish and we have to clean up the mess. Simply throwing more technology at the problem isn't enough.
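The "new filters" mentioned above are usually rules like the ones below. This is an added example, not code from the original post: a small header-based phishing triage in Python with a constructed brand allowlist (TRUSTED_DOMAINS) and constructed sample messages, and it assumes the organisation's own mail gateway adds an Authentication-Results header. Each rule answers a trick that attackers were seen using; the third sample shows the next variant passing every rule, which is the post's point.

```python
"""Header-based phishing triage (added example; not from the original post).

Every rule below answers one trick attackers were seen using; the next
trick needs the next rule.  Brand list and messages are constructed.
"""
from __future__ import annotations

import email
import re
from email import policy

# Constructed allowlist of brands this organisation expects mail from
# (hypothetical; in practice it comes from your own vendors and partners).
TRUSTED_DOMAINS = {"paypal.com", "microsoft.com", "example-bank.com"}

# Digit and Cyrillic substitutions commonly used in lookalike domains.
_HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t",
                             "\u0430": "a", "\u043e": "o", "\u0440": "p"})


def _normalise(text: str) -> str:
    """Undo the usual visual tricks: homoglyphs, rn->m, vv->w, separators."""
    text = text.lower().translate(_HOMOGLYPHS)
    text = text.replace("rn", "m").replace("vv", "w")
    return re.sub(r"[-.]", "", text)


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (plain dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str) -> str | None:
    """Return the trusted domain that `domain` imitates, or None."""
    domain = domain.lower()
    if domain in TRUSTED_DOMAINS:
        return None
    norm = _normalise(domain)
    labels = {_normalise(label) for label in re.split(r"[.-]", domain)}
    for trusted in sorted(TRUSTED_DOMAINS):
        if _edit_distance(norm, _normalise(trusted)) <= 1:   # paypa1.com, rnicrosoft.com
            return trusted
        if trusted.split(".")[0] in labels:                  # paypal.secure-login.example
            return trusted
    return None


def display_name_spoof(display_name: str, domain: str) -> str | None:
    """Brand or address shown in the display name that the real domain does not back."""
    name = display_name.lower()
    shown = re.search(r"@([\w.-]+)", name)   # "bob@paypal.com" <x@evil.example>
    if shown and shown.group(1) != domain:
        return shown.group(1)
    for trusted in sorted(TRUSTED_DOMAINS):
        brand = trusted.split(".")[0]
        if brand in name and domain != trusted and not domain.endswith("." + trusted):
            return trusted
    return None


def triage(raw: bytes) -> list[str]:
    """Return the rules a message trips; an empty list means it looks clean."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender = msg["From"].addresses[0]
    domain = sender.domain.lower()
    hits: list[str] = []
    # Rule 1: our own gateway's authentication verdict (assumed to be stamped on every message).
    if "dmarc=pass" not in str(msg["Authentication-Results"] or "").lower():
        hits.append("dmarc-not-pass")
    # Rule 2: display name impersonates a brand or another address.
    spoof = display_name_spoof(sender.display_name, domain)
    if spoof:
        hits.append(f"display-name-spoof:{spoof}")
    # Rule 3: replies are diverted to a different domain.
    if msg["Reply-To"]:
        reply_domain = msg["Reply-To"].addresses[0].domain.lower()
        if reply_domain != domain:
            hits.append(f"reply-to-mismatch:{reply_domain}")
    # Rule 4: sender domain is a lookalike of a brand we trust.
    target = lookalike_of(domain)
    if target:
        hits.append(f"lookalike-domain:{target}")
    return hits


# Constructed sample messages (not real mail).
SAMPLE_PHISH = b"""From: "PayPal Service" <alerts@paypa1-secure.com>
Reply-To: collect@mailbox.example
To: victim@corp.example
Subject: Your account is limited
Authentication-Results: mx.corp.example; spf=pass; dmarc=none

Click to restore access.
"""

SAMPLE_LEGIT = b"""From: "PayPal" <service@paypal.com>
To: victim@corp.example
Subject: Your receipt
Authentication-Results: mx.corp.example; dmarc=pass header.from=paypal.com

Thanks for your payment.
"""

# The next variant: attacker-owned domain with valid DMARC, brand buried inside a
# label the rules above do not split.  Trips nothing until a new rule is written.
SAMPLE_VARIANT = b"""From: "Billing Team" <billing@mypaypal-billing.com>
To: victim@corp.example
Subject: Invoice attached
Authentication-Results: mx.corp.example; dmarc=pass header.from=mypaypal-billing.com

See attached.
"""
```

`triage(SAMPLE_PHISH)` trips all four rules while `triage(SAMPLE_LEGIT)` trips none. `triage(SAMPLE_VARIANT)` also trips none: the attacker registered their own domain, set up DMARC for it, and hid the brand inside a label the lookalike check does not match. Catching it means adding a fifth rule (a substring match on the brand, say), which will in turn flag some legitimate senders and will itself be worked around. That is what "constantly doing new and different things" looks like in practice.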
OK, the really big problem (the part I hate) is compliance regimes like PCI DSS, the Payment Card Industry Data Security Standard. It is an industry standard enforced through the card brands' contracts rather than a law, but it works like any other regulation: a mammoth checklist that is revised only every few years and cannot keep up with the latest attack innovations.
Payment Card Industry Data Security Standard – Wikipedia
As a result, credit card data breaches keep happening at retailers that had passed their most recent PCI assessment. A compliance audit is a snapshot: it shows that the checklist was satisfied on the day of the assessment, against the attacks the checklist's authors knew about, not that the retailer will hold up against the next innovation.