Let me be blunt: Current cybersecurity solutions do not adequately protect businesses from modern cyberthreats, and, in the current landscape, it’s not a matter of if your organization will be attacked, it’s a matter of when. Therefore, if attacks are going to happen, organizations must proactively ensure the security of their data, assets and network. This can be achieved through the implementation of an offensive cybersecurity strategy. In my first blog of this series, I provided an overview of offensive cybersecurity and a few of the most common techniques used. Essentially, offensive cybersecurity is preparing for possible attacks before they occur by simulating the activity of attackers. In other words, offensive cybersecurity professionals attack their networks looking for vulnerabilities so that the organization can fix them before a real attacker tries. This enables improved responses to attacks because the organization is looking for issues before attackers do.

However, despite the benefits of a proactive approach, offensive cybersecurity techniques are not yet widely implemented across cybersecurity organizations. Let’s explore why.

Budgets

It is a universally understood fact that businesses are operating with finite resources, and, since cybersecurity does not often directly generate revenue for a business, budgetary restrictions are a significant hurdle for any cybersecurity program. If programs are fighting for every allocated dollar to keep what they have operating, it takes no stretch of the imagination to see that the prospect of investing time and resources into building an offensive component to the cybersecurity program can be tenuous.

Lack of understanding/awareness

While the cybersecurity industry has made great strides over recent years in educating the rest of an organization on why security is important and how everyone plays a role in it, there is still a long way to go. As an emerging field within the cybersecurity industry, offensive cybersecurity professionals have a lot of work to do to garner the awareness and understanding necessary to be successful. Not only will internal security stakeholders need to understand how to implement and perform offensive components to a cybersecurity program, they will also have to help non-technical stakeholders understand the benefits of doing so.

Too many options

The astronomical costs associated with cybercrime have provided an incredible motivation for security companies and vendors to develop and market cybersecurity solutions to businesses. Though cybersecurity budgets are increasing with better understanding of the field by all stakeholders in an organization, businesses are falling into the convenience trap promised by cybersecurity solution vendors. This commercialization of cybersecurity solutions contributes to issues with effective allocation of cybersecurity budgets across the board. Like a child at the fairgrounds, cybersecurity professionals are bombarded by bright displays that compete to grab attention in hopes that some of the limited budget of cybersecurity programs finds its way into vendors’ sales figures, and, similar to the prizes won from fairground games, the unfortunate reality is that these tools are leaving much to be desired after the sale.

Offensive cybersecurity may be faced with all of the same obstacles as traditional cybersecurity programs, but cyberattacks are still growing in frequency and complexity. As we’ve discussed before, companies are spending more and more on cybersecurity without seeing improved results. To me, this indicates that we need a massive shift in how we approach cybersecurity and using offensive cybersecurity strategies could be the missing solution. Indeed, having a stronger cybersecurity system saves on costs associated with breaches—contributing to better financial health overall.

In my next blog post of this series, I will explore the specifics on how going on offense may be able to solve longstanding cybersecurity issues within the healthcare industry.