Cybersecurity is lost: The story of the man in the van

Exploring the human side of cybersecurity, this post delves into personal stories, industry challenges, and the urgent need for innovation and collaboration.

Countless days I’ve spent hunched over screens, all in the name of a nobler cause. Striving to detect and protect. Of late, my thoughts have shifted. Something feels off.

I can’t shake the feeling that it’s all for nothing.

I stood at a tranquil lookout last week. It’s the kind of place that softens your gaze and soothes your shoulders. People come here to defrag.

A stranger sat with me and told a story. He is 60-something years old, and lives in a van with two dogs. He should have retired on his farm, but he was scammed out of his life savings. He lost everything.

He wasn’t sure how it happened, but it sounded as though scammers were able to gain access to his online banking portal and transfer the funds away. He had saved and scrimped for 5-odd decades to fund his retirement. Gone.

I saw the bitterness in his eyes. His final years on earth would likely be spent homeless. I feel personally responsible. If this can still happen in 2023, we are failing miserably as an industry.

I’ve tried it all:

Fooled SOCs, picked locks, honeypots, port knocks. 

Prevented dox (unlike Mt Gox), but most of all, I’ve just ticked box.

I’ve done phishing and vishing, but there’s still something missing. The work I’ve done has left the world wishing.

$150 billion was spent on cybersecurity in 2021, growing by 12.4% annually. Despite this, 50% of the Fortune 100 companies have experienced data breaches in the last decade, including 7 of the top 10. These are just the public breaches – I’d be surprised if they hadn’t all suffered data breaches, to some extent. I can look up PII of almost anyone in public breach data. APTs can slice sophisticated security defences like butter. Raggle taggle ransomware gangs subjugate organizations without breaking a sweat.

This is difficult to admit, but without admission, we have no chance of success. We are losing.

Perhaps we are not doing enough, focussing on the wrong things. Perhaps the cold claws of capitalism have diverted noble intentions to profitable ones. Perhaps $150 billion just isn’t enough. That seems crazy though, doesn’t it?

We can solve world hunger with $40 billion per year, but we can’t stop data breaches with $150 billion? It’s tempting to think: why bother?

But here’s the thing: every challenge, every setback, every moment of doubt is an opportunity for growth, innovation, and change. While it’s easy to get lost in the statistics and the failures, there’s still hope for the future.

The story of the man at the lookout is heartbreaking, but it’s also a testament to the resilience of people. Despite his circumstances, he found solace in the company of his dogs and the beauty of nature. He found strength in sharing his story with a stranger, hoping it might make a difference. And it did. It reminded me of why I started cybersecurity in the first place: to protect people, and it inspired this blog post.

Cybersecurity isn’t just about numbers, statistics, or even technology. It’s about people. It’s about ensuring that individuals can live in a digital age without fear. It’s about ensuring technology is used to improve the human experience, safeguarding our personal stories, our memories, our identities, and our livelihoods.

The challenges we face today are pushing us to think outside the box, to innovate, and to collaborate. Turning the tables in our favour will require huge shifts in the way that we perceive cybersecurity. Some of the shifts that I think we’ll see include:

  • We’ll start assuming that PII is publicly accessible, and therefore should not be relied upon for identity verification.
  • Cybersecurity will become more of a public service, funded by taxpayers and considered a necessity, even for individuals.
  • We’ll become far less blasé about the use of third-party libraries in code, due to supply chain attacks.
  • There’ll be a greater emphasis on behavioural analytics of humans to detect anomalies.
  • We’ll see more GDPR-style privacy legislation around the world.
  • AI and machine learning will force us to reconsider security bounds, as results stemming from a machine are highly unpredictable for the first time ever.
  • Cybersecurity will become less of an independent cause; rather, it will be embedded in every other aspect of businesses and life by default.

What now? The answer is simple. We keep going. We keep innovating. We keep collaborating. We keep educating. We keep fighting. Because the work we do matters.

In the end, it’s not about winning or losing. It’s about innovating fast enough to keep up. We need to view cybersecurity beyond flashy marketing and vendor stalls. We need good people collaborating on good solutions, with their time and brain-power free to explore and experiment. We need to shift our focus back to people, like the man at the lookout.

Take risks, innovate fearlessly, stay human.

The future needs you.