Generic cybersecurity solutions will fail – Kervin Pillay, CTO at Internet Solutions, and Haroon Meer, founder of Thinkst.
For the last twenty years, cybersecurity has been a commodity, purchased by investing in anti-virus software, servers, firewalls and technical teams. And the “set it and forget it” approach worked when cyberattacks were casual, random mischief.
A recent study on the costs of a data breach, funded by IBM, examined 419 companies and the relationship between how quickly data breach incidents are identified and contained, and the financial consequences of these breaches. The average time to identify a breach was 191 days – over six months – while containment took an average of 66 days – around two months. In other words, most corporate networks are not just vulnerable, they are compromised.
This is because cybercrime is now a highly profitable industry that is sometimes a business venture and other times state-sponsored terrorism. Attacks on high net-worth individuals and celebrities, governments, and private sector organisations are targeted, deliberate and highly organised.
Generic security solutions are not currently adequate because they were not designed to protect organisations from professional, motivated adversaries.
At the same time, the avenues for attack are increasingly numerous and complex. Twenty years ago, information security technicians concentrated on preventing attacks on our computers. A modern laptop is made up of several different computers. The touch bar on a Mac is a computer, as is a modern VGA monitor. All smartphones are computers and any devices that you can control with a smartphone – an air conditioner, fridge or security camera – contain processors that can be attacked and subverted.
As IoT adds billions more devices to the Internet, including traffic lights, ovens, locks, smoke detectors and so on, the potential attack surface is enormous.
These are all avenues for attack where hackers haven’t begun to show their teeth yet.
As the technological landscape gets more complex, more connected and faster-paced, the threat of cybercrime grows in scale alongside it. We’re not yet seeing a commensurate increase in design-thinking for security solutions.
With so many attack vectors to consider, improved processes for detection first, and then containment, become the best means of defence. It is simply impossible to completely block access to digital information.
There is reason for some optimism. Advances in software-defined and self-healing networks are exciting because automated responses to network irregularities are faster and more accurate than the human discovery and intervention that limit organisations today.
There are corporate behemoths displaying resilience in the face of modern cybercrime – like Google, Facebook, Slack and others – but not by spending exponentially on out-the-box security solutions.
Instead, they have relatively small teams of security engineers developing software that is uniquely conceived to address the security challenges faced by their business, and easily scalable.
These companies are still purchasing equipment from security vendors. They are carefully choosing components and running their own configurations to build custom security software. What they are not doing is outsourcing their thinking to external ‘experts’.
While vendors get ahead of modern cybercrime – their revenue and reputation are at stake so there is incentive to do so – organisations must carefully consider their approach to cybersecurity. If the future of cybersecurity lies in software and building custom solutions, it means that developers are the key to remaining resilient against the voracious threat of cybercrime.
To an extent, computer science training in South Africa is not up to this task. Graduates leaving MIT launch software companies. South African graduates become IT department employees and install routers.
The ability to access information and training online today is such that South African computer science training – at universities in particular – risks becoming obsolete. Tertiary training is too academic, and while there is some corporate involvement in designing curricula, the intention is often to provide a flow of graduates directly into those companies.
This is a smart approach that can and should be replicated – either in partnership with universities that can then offer real-world business problems that require IT solutions – or through better-designed graduate and internship programmes.
Being able to code is increasingly a super-power in any job – even more so outside of the IT sector. It's a trend that our universities and our high schools should be addressing so that graduates are producers instead of merely consumers.
Recent findings from the JCSE skills survey suggest that South Africa doesn’t have enough software engineers to build a digital economy. We certainly don’t have sufficient engineers to secure it.
Enterprise and government need to hire, train and nurture developers – and then unleash them with the singular goal of keeping our data safe.