Too Much to Do? You’re a Security Risk

Most major security breaches are not caused by a brilliant attack; they’re caused by a run-of-the-mill attack against a poor defense. The recent Equifax breach is a perfect case in point – the cause was an unpatched web application vulnerability, and the patch was readily available.

I’ll take a wild guess that the Equifax patch issue was not a function of laziness or stupidity. It was more likely a function of security personnel having too much to do, so patching that particular application was somewhere down the “to do” list, giving the attackers time to siphon off 143 million consumer records. Humans having too much to do is the single biggest problem facing the cybersecurity industry. I don’t care how good you are – if you’re given too much to do, you’ll be reduced to mediocrity or worse.

According to researcher K. Anders Ericsson, the optimal amount of time for employees to spend on highly focused work is 4.5 hours per day. After that, performance degrades. The average cybersecurity pro is expected to spend at least double that time in highly focused work – which is how things like Equifax happen.

In the context of threat detection and response, incident response teams have far too much to do, thanks to the thousands of alerts bombarding them every day. And yet, while the solution to this problem would seem to be obvious – reduce the number of useless alerts – the industry’s response has been to avoid the root cause. Rather than focusing on new strategies for reducing alert overload, we see the introduction of additional threat detection technologies (artificial intelligence (AI) being the shiny object du jour), technologies designed to automate the “busywork” of incident response teams, and, when all else fails, throwing more bodies at the problem.

Unfortunately, these approaches are making the problem worse, not better. AI is actually increasing the alert load, automating alert processing is simply increasing the velocity of wasteful activity, and more bodies means higher operations costs for no material benefit. In the world of business clichés, this would qualify as “throwing good money after bad.”

The Equifax breach is bad. But don’t expect it to change anything. As long as people have too much to do, there will be openings in defenses that make it relatively easy for hackers to do their deplorable deeds. Reducing the alert load is critical if we are ever to reduce the likelihood of another Equifax breach.