The silver bullet in your cybersecurity program is not an appliance, not a service, not even a framework – it’s YOU!
I grew up watching the Lone Ranger, who used silver bullets to wound and apprehend criminals but never to kill. It was a reminder of how precious life and justice are to the Lone Ranger. A silver bullet also represents a special type of ballistic that supposedly kills werewolves and supernatural beings. To many, the phrase “Silver Bullet” refers to a magic wand of sorts, which can cut through something complex and arrive at a solution. In the world of cybersecurity, all too often an appliance, service, or framework is embodied as a silver bullet, yet we have the highest rates of fraud and cybersecurity incidents in the history of computing.
Around the turn of the century everyone clamored about something called a “network perimeter” (I know, lol today!), soon along with the need to have anti-virus and a firewall installed and configured properly. Then came “smarter” devices and services, resulting in adoption of stateful firewalls, IPS, SIEMs, and other innovative solutions. Don’t get me wrong, I’m a fan of all of these technologies based upon business need and capabilities for the cost. The frustration many have had over the last decade is fighting to get funding for the latest and greatest technology, or at least something better than what you have (in a box BTW), and then it turns out you still have incidents, fraud losses, and cybersecurity issues. Your reputation and buy-in by non-geeks and non-IT folks within your organization plummets. This is the wrong approach despite its popularity in the industry.
I grew up on a small farm out in the woods. When we didn’t have water we had to figure out what was wrong with the pump, go dig and fix the water source, however we could. More often than not we learned how to fix things ourselves. That type of rugged independence taught me that hard work and perseverance coupled with strong ownership and excellence in work built character and kept the water flowing, the animals alive, and the family. I developed a sense of self-reliance when I needed it. You don’t deserve a handout; you aren’t entitled to anything; sometimes it will be tough but you can persevere. When you get a helping hand you’re thankful. You don’t take your fresh water for granted, you worked for it and you earned it so you rejoice in it. We made sure all the critical assets of the farm were reliable, and redundant if possible.
YOU are the silver bullet for your organization, not a service, not a product, not something in a box, not even a cybersecurity framework. YOU must decide what your crown jewels are and identify where they are at, how they are at risk and how they are protected, and how to best govern your security. I’m an advocate of cybersecurity frameworks and various other technical solutions, but they don’t solve any problems for YOU – YOU do. Think about everything as a utility or information that empowers YOU to be the silver bullet for your organization. It’s rare but I have worked with organizations that adopted this mindset – and their security plan governance for the entire organization. In one case an organization successfully stopped successful espionage intrusion 100%, including new zero-days that followed, because of radical changes that they made in their governance against that specific risk. In another case an organization dramatically lowered their risk exposure and rate of incidents related to opportunistic drive-by attacks, because they made it a priority and drove it home through security governance for the entire organization.
In the end, searching for a magic bullet is really something for sci-fi movies and Hollywood, but remember, the most important asset you’ll ever have is YOU and your colleagues. Everything else should be working for YOU as you seek to mature a security posture within your organization to manage risk.