Finding problems that matter

July 30, 2020 | Roger Thornton

This blog was jointly authored with Ed Amoroso. See their previous blog for more!

Towards the end of the 19th century, large cities like New York were facing a vexing problem so devastating that many questioned whether such cities could be sustained at all. People could no longer cross the street without assistance, stumbling was a common problem, disease was spreading, and even those issues had nothing on the horrendous stench emanating from every corner. 

We are talking, of course, about horse manure.

150,000 horses in service to pull streetcars, freight wagons, and private carriages resulted in millions of pounds of manure carpeting the city streets with a wet muck every day. All manner of ingenuity was used to remedy the situation: City drainage was improved; Manure was sold as fertilizer; Men with shovels were employed to constantly clear the streets; There were even “crossing sweepers” to help pedestrians on their way. Most figured that this was a problem to live with, not to solve. Nothing much could be done, and 3.5 million people was the maximum New York City would ever support.

The solution to this odious obstacle was ultimately not civil engineering, manual labor, nor public policy, but rather the invention of the “horseless carriage”—first, street cars and then automobiles. Soon the horses were gone, along with their unwelcome calling cards. “Problem solved,” (and on to the issue of all those cars clogging up the roads and polluting the atmosphere).

Cyber security’s most challenging problems

Fast forward to 2020. In the world of cybersecurity, we have our own, ever-expanding piles of manure to contend with. Like our 19th century predecessors, we are primarily in the business of “managing” rather than “eliminating” these problems. And most people simply tread around them carefully, hoping none ends up on their boot heels. There are three particularly stinky problems which require an awful lot of “shoveling:”

The software problem

If the cyber challenge were a category five hurricane and our technology products were ships sailing into the storm, you might notice that many of the ships seem to be made of papier mâché. Any listener of the SANS or other podcasts is aware of the constant deluge of software vulnerabilities that make  the protection of modern systems nearly impossible. You can also have a look at the results of the annual Pwn2Own contest at CanSecWest over the last 12 years. Back in 2008, it took Charlie Miller just two minutes to break into the industry’s leading notebook computer. Guang Gong and a team from Qihoo 360 needed half that time to infiltrate a popular smartphone in 2016. And at the 2019 event, everything from the mobile devices to electric automobiles were taken down to the tune of hundreds of thousands of dollars in prizes. There has been little change in a span of more than a decade.

These companies, making the products that were so easily taken apart at CanSecWest, are some of the most experienced, smartest, and best-funded in the business. And yet still, red teams and bug bounty hunters go through them like butter. That tells you something about security’s undersized role at the development stage. Imagine if tech products were skyscrapers. Instead of using structural engineers from the design stage to make sure that the building is resilient to gravity, fire, wind, and earthquakes, we would just put them up as fast as possible and let some other team deal with the problems later. A lot of the time, that’s exactly what happens with technology products—we grossly undercompensate for the “physics” of cyber-attacks during construction.

The adversarial asymmetry problem:

In the Old West, it was always better to be a bank than a bank robber—banks could see the robbers coming and a sheriff’s posse could usually hunt them down, even if they succeeded in making away with the loot. In today’s landscape, cyber attackers include large criminal organizations and well-funded nation state actors who are invisible and virtually untouchable. Of course, most targets don’t get the unlimited help from local law enforcement or national defense agencies that they might like, and they can even be arrested for pursuing the perpetrators or trying to recover their stolen data. When your enemy has those kinds of resources and you can’t do much to stop them, the classic defender’s dilemma is amplified one hundred-fold. It is even worse for small companies with scant IT resources, who simply can’t afford to pursue the strategies used by their much larger peers.

The cost and complexity problem

Defending against cyber threats and maintaining regulatory compliance today requires at least a dozen controls. In the case of most well-defended large enterprises, that number can span into the many dozens or hundreds. Before you can satisfy this battery of requirements, you first must consider amongst the many thousands of cyber security products on the market. After you have finally selected your defensive weapons of choice, they still require high levels of expertise to install, tune, and maintain them. Of course, all of that costs an enormous amount of money—10’s-100’s of millions of dollars for large enterprises.

The practice of developing a new widget for every new vulnerability that comes along has proven unsustainable for all but the largest and most sophisticated customers. Those who find better ways to integrate vendors and reduce the cost-complexity burden will find a ready market of fed-up enterprise CISOs ready to take a meeting. This disruption alone has the potential to transform the infosec industry.

Entrepreneurs bring unexpected solutions
So what's the answer to these seemingly impossible security challenges? Specifically, we don’t know. But in our previous article, we (Ed and Roger), promised to share what we see as some of the industry’s most vexing challenges and here they are. We also proposed that entrepreneurship is the ultimate solution to many, if not most large-scale business problems. Along the way to solving these problems, entrepreneurship also creates jobs and provides lasting and meaningful satisfaction for those involved.

It’s worth keeping in mind that, just like the modern street car and automobile solved the “unsolvable” horse manure problem from outside the expected domains, today’s cybersecurity problems may come from innovators working completely outside the cyber field. Perhaps the solution will simply be better cooperation between governments in fighting crime or an entirely different way of constructing software. But more likely than not, they will be solved by someone like yourself, with cybersecurity expertise and a strong passion to do your best work to solve the impossible.

Small problems need solving too
If the enormity of problems above are too much for you, don’t worry—small problems need solving too. If you are employed, you may not even have to leave your own company to find such problems to solve. There are so many places where innovation will make a meaningful difference in the world.

Here’s an example: Ellen (not her real name) is an incident response manager for an airline that is now cutting large amounts of IT staff. I (Ed) met Ellen last year at a meeting of privacy enthusiasts to debate how to find the balance between surveillance needed for security and individual liberty. Ellen’s passion during the meeting was evident.

Now, we understand the difficult financial implications that being laid off might have on Ellen. But it also gives Ellen the opportunity to turn her passion for privacy into a full-time vocation. Today there are certainly more privacy groups that have funding to advance this cause than there are airlines expanding their IT staff.

Then there’s Fran (not his real name). As lead researcher for a conventional gaming company, Fran watched as the revenue from slot machines and other favorites took a nosedive due to the pandemic. It would be easy for Fran to just shrug his shoulders and wait for the eventual layoffs to begin. But he did the opposite: Fran invested his team’s energy into new electronic gaming platforms. The resulting products enforce social distancing during gaming and also create entirely new gaming experiences, complete with virtual dealers, virtual tables, and other innovations. Ask Fran today, and he will tell you that these new solutions will be an important part of the future of his company.

So what does this all mean for you?

Well, we believe it is time for those of you who are so inclined to take action. As should be evident with Ellen and Fran, their respective decisions to channel fear and emotional uncertainty into new opportunities had powerful impacts on their lives. In each case, they faced a crisis by being creative, and addressed fear by being bold.

This is how successful people transform their lives. This can be done on a small or a large scale, whether you are a teacher, a designer, an engineer, or a 19th century manure sweeper. The key to successful entrepreneurship is to first find a problem worthy of your time, talents, and passion. Now is a great time to reset, get creative and bold, address problems that matter.  Find a way to solve problems on your own street corner, and then do your best work. You will have the greatest time of your life—and may just create a lot of jobs for others in the process.

How about getting started right now? Let us know your story and how you are translating a challenging time into the best work of your life.

Roger Thornton

About the Author: Roger Thornton

Roger Thornton has more than 25 years of experience in the computer and network security industry. He has driven the formation and growth of dozens of new companies including Fortify Software and hundreds of products, serving in a wide range of roles from engineering, marketing, and management, to investor/advisor. Roger earned his BS and MS degrees in Engineering with honors at San Jose State University.

Read more posts from Roger Thornton ›

TAGS: devsecops

‹ BACK TO ALL BLOGS

Watch a demo ›
Get price Free trial