From the Editor-in-Chief

Hello,

1977 was a great year, for so many reasons.  Not least among them was the release of the Ramones’ Rocket to Russia album, on side one (remember when albums had sides?) of which, Joey sang:

• I don’t care (He don’t care)
• I don’t care (He don’t care)
• I don’t care about these words
• I don’t care about that girl
• I don’t care (He don’t care)

Ah, those were the days…the days of (to quote Billy Joel, also from 1977) engineer boots, leather jackets, and tight blue jeans.  However, in addition to providing part of the soundtrack to my misspent youth, the Ramones accurately prophesized the current state of American cybersecurity.  Got your attention?  Good.  Read on.

Fast forward to 2014, when the National Institute of Standards and Technology (NIST) released the first version of its Cybersecurity Framework.  Hailed by many in the community as being right up there with the discovery of fire, the wheel, chocolate chunk cookies, and divine events identified by no fewer than sixteen major religions (no, really, if you were at Black Hat 2014, you know…), the document brought us the (in)famous Five Functions with which we’re all intimately familiar:  Identify, Protect, Detect, Respond, and Recover.  And ever since, the world has settled into an idyllic, tranquil existence, right?

Not so fast.  Let’s circle back to 1977, and hearken unto Joey’s words, specifically the part where he croons “I don’t care.”  Why?  Because while those of us in the cybersecurity world repeat the Five Functions in a Gregorian chant as though they were a catechism, the vast majority of American businesses are singing the Ramones.  They don’t care about your cybersecurity.  What they care about is how fast they can be back in business after a bad thing happens.  (And, any actuary will tell you, the probability of bad things happening at some point approaches one.)  They don’t really care whether that bad thing is an act of nature, an act of war, or malicious cyber activity.  They just want to resume operations as soon as possible.  In cybersecurity terms, they want to do a little responding and a whole lot of rapid recovering.

You’d think that given this, industry would focus on those two areas.  But no.  Recent surveys have indicated that most cyber products and services are geared toward identifying, protecting, and detecting (within the context of the Framework).  And that’s great, if the goal of the cybersecurity industry is to sell to the cybersecurity industry.  Unfortunately, this focus may not be solving the right problems.  And it seems to leave many of our most important constituents out in the cold.  Singing the Ramones.

Happy National Cybersecurity Awareness Month.

We can do better.