Cybersecurity Is Too Complicated. I’m Here to Decode It.

Why I Started decodingCyber to Help You Win the Cyber Game

For as long as I can recall, cybersecurity has been far too complicated. Why? There are a few reasons, but a big one is that cybersecurity organizations are pushing new and overly complex ideas. They often want to set a new industry standard or appeal to a tiny subset of the population.

But most people don’t speak “cyber.” They tend to disengage when they hear about something they perceive as a complex cyber problem. Then, the problem in their organization is likely to persist. Unfortunately, a cybersecurity problem is a cyber bad actor’s opportunity. 

Imagine this as a game. You versus your opponent in a high-stakes winner-take-all affair. If the game is too complex, you can’t prepare, you can’t put up a good fight, and you will lose — especially if your opponent is a pro. And trust me, cyber bad actors are professionals. They play a lot, and they win far too much.

I want to level the playing field. I want to get you and your business back in the game. Not just to compete but to win — to win big.

How? Let’s break it down into three parts, sticking with the game analogy.

1. Cyber threats are growing, i.e., your opponents are improving

Cyber threats are constantly increasing worldwide in both volume and sophistication. I expect this to continue for the foreseeable future. From our opponents’ mindset, there is only an upside to cybercrime. Remember, they are playing the game nonstop and only have to be right once, whereas you have to be right every time.

This creates pressure on you while keeping their stakes low. Think about it. If they win, they can land millions of dollars, if not more. Sure, they committed a crime, but they might never get caught. If they do get caught, they may never see a day in prison if they live in a country that does not have an extradition treaty with the country alleging wrongdoing or if they are operating at the direction of a nation-state government. For example, do you think the US's National Security Agency would hand over an employee to Russia if Russia said the US employee compromised Russia's infrastructure (seemingly at the behest of the US)?

An added aspect of this discussion is that cybercrime is getting easier to execute. The tools developed by bad actors are easier to use and are becoming more widely available than in the past. In other words, your opponents are improving, which makes your game more challenging (and makes concepts like zero trust all the more critical to understand).

2. Cybersecurity is increasingly complex, i.e., you’re at risk of disengaging

The industry is getting too complex and convoluted, even for the experts. When something becomes too complex or challenging, we risk losing interest and disengaging. Let’s look at what I am referring to: take defense in depth, a crucial concept in cybersecurity. I define it as:

Using multiple layers (and different types) of cyber defenses to stop an attack. If one fails, another is there to help prevent the attack from succeeding. 

BAM! Easy, right? Well, it should be.

Now let’s see the definition at CSRC at NIST — that’s the Computer Security Resource Center of the National Institute of Standards and Technology (even their name is hard to understand):

The application of multiple countermeasures in a layered or stepwise manner to achieve security objectives. The methodology involves layering heterogeneous security technologies in the common attack vectors to ensure that attacks missed by one technology are caught by another.

Got all that? It’s a great definition... if you’re a technophile or Ph.D. candidate in computer science. 

NIST isn’t the only offender out there. The entire cybersecurity industry is littered with examples of people and organizations over-complicating basic cyber concepts. When people hear complicated definitions, they tend to stop listening. If they stop listening, how can they understand?

Don’t get me wrong — many elements of cybersecurity are genuinely complex and nuanced on a technical level. By a show of hands, has anyone been to a cybersecurity conference and listened to an entire lecture on malware reverse engineering? I have... and oh my, that is tough to follow! Cyber bad actors are working day and night to enhance the complexity of their operations to tilt the game in their favor. So, cybersecurity defenses must respond.

Regardless of why it is complex, here’s the rub: the people who need it the most — the owners of one-person business operations, small and midsize businesses, the board of directors, and everyday people trying to stay safe online — are lost. How are they expected to play a game they can’t even understand?

3. Cybersecurity is critical for business success, i.e., losing isn’t an option

Businesses must understand how to address all cyber matters; their bottom line is at stake. Some estimate that cybercrime will cost the world $10.5 trillion annually by 2025. It’s an astonishing figure that speaks to a simple reality: for your business to thrive, it must operate in a safe environment. A cyberattack can derail everything, so you must be prepared for everything your opponent throws at you. 

Here’s the thing: you might feel you’re prepared, but what if your opponent does something unexpected, such as not playing by the rules or changing the rules during the game? In other words, what if your opponent plays the game with zero concern for rules, with zero legal limitations, and, most of the time, zero fear of reprisal?

Businesses, employees, and basically everyone online have been dealing with spam, ransomware, and supply chain threats forever. Maybe you know a victim of identity theft. Perhaps you have fallen prey to a sophisticated phishing campaign OR a not-so-sophisticated one. You may easily understand that cybersecurity is essential. So why, when you search it online, is it so confusing?

What if it wasn’t? What if it was simple to understand? Wouldn’t this make the problem of cybersecurity far easier to solve and the game much easier to play and win?

What makes us different?

I founded decodingCyber to be the opposite of complex. When you come here, we hope you feel welcome and at peace. Sure, cybersecurity is a serious business, but we aren’t trying to scare you into buying anything. Why? Well, for one, we are vendor-agnostic. We arm you with insights and point you in the right direction, not in one direction toward a particular vendor’s product or service. In other words, we explain the game so you can win it. We tell you the equipment and skills you need, not the best product or who to buy it from. We are thought leaders in the cybersecurity space.

We are also honest. For instance, I can honestly tell you that we cannot solve everyone’s cybersecurity problems. But we can give you a robust and comprehensive foundation of cybersecurity knowledge. We can offer you a new way of thinking about cyber: a way to decode it in a language that makes sense to everyday people. Hence, our motto is “cyber made simple.”

What can you do with this information?

As you dive in, you will start to understand how to play the game. If you’re running a small business, you will be able to discuss critical security concepts, like your attack surface (and all the other concepts you learn) with your IT department — even if it’s just you and Tom, your college intern who’s “good with computers,” running IT. Suppose you are on a board of directors. In that case, you can ask the CEO and Chief Information Security Officer (CISO) pointed questions about viable cybersecurity threats and have crucial conversations on addressing security gaps. If you’re a one-person operation, you can make informed decisions on what cyber threats you need to be concerned about, given your industry and security posture, and what you don’t.

Want to take it to the next level?

Use our vendor-agnostic content to show your audience you care about cybersecurity. Or we can curate content that is specifically tailored to your audience. Let’s chat!

You will also learn how not to act. When you only sell awesome T-shirts online, do you need 200 layers of the latest cybersecurity countermeasures? No, you’re probably good with the security basics your website hosting company offers. But you should still be dialed into the possibility of dealing with a ransomware attack or Tom leaving and taking your site’s access controls with him. (If that sounds implausible, here’s where I mention I investigated this type of situation several times when I was in the FBI.)

With this newfound understanding, you will be empowered to take meaningful action. In other words, you can put yourself in a position to win the game. What does winning look like? Staying ahead of your opponent and making yourself less of a target. Do that well, and the game becomes easier to win!

Explore our website!

So go ahead, click around! As you do, ask yourself, “What would I do differently in my organization regarding cybersecurity?” Maybe you don’t need to do anything — perhaps you’ve made suitable investments in your security, and you sleep easy at night (unless you’re like me and have your small children crawling into bed with you, LOL). If you’re a cybersecurity maven, tell people in your community how important cyber is, tell them how you did it, and if they have any questions you can’t answer, feel free to send them our way!

And know that you can always come back. Cybersecurity is never going away because cybercrime will never go away. Cybercrime is a form of theft; theft has been with us since the dawn of time. It is a reality of our digital universe. 

To close, I want to quickly revisit the idea of 200 layers of cybersecurity. Do you need that level of defense in depth when you’re a major global corporation? You might think so, but guess what? No one needs 200 layers of cybersecurity. 

Instead, you might need a team of 20+ highly trained, experienced, creative, and passionate cyber pros working under a CISO. A CISO who reports to the CEO and has the mandate to strategically build cybersecurity defenses that help the company protect its assets, achieve business goals, and address rapidly evolving GRC requirements all at once. We cover these ideas and a whole lot more!

Remember, if you ever feel overwhelmed, you can always contact us. We’re happy to chat!

Do you want to use our content for your site or training material, or would you like us to write curated white-label content for you? We can help you! Let’s talk.

Frankly, my dear, I don't give a damn… you should share this article with everyone you know! 😉

Michael F. D. Anaya | Founder

I’m a techie who’s been in cybersecurity for over two decades. My passions are being a top-tier dad, helping others, speaking in public, and making cyber simple. I am also partial to cheesecake and bourbon, but not together… well, come to think of it, it might be a killer combo! TBD.

https://www.mfdanaya.com