Beneath the Surface: The Iceberg of Recognized Vulnerabilities

The age-old adage, “Better the devil you know than the devil you don’t,” implies that familiarity with a risk is preferable to ignorance of it. In cybersecurity, however, that perspective has significant pitfalls. The “devils” we are familiar with are known vulnerabilities: documented flaws in software and applications whose numbers keep rising and whose exploitation can have severe consequences. Reports from Statista indicate that the annual discovery of common vulnerabilities and exposures (CVEs) continues to grow, with over 29,000 identified in 2023 alone; by August of this year, an additional 25,583 vulnerabilities had been recorded.

This raises a critical question: if these vulnerabilities are known, shouldn’t they be straightforward to patch and secure? While this is theoretically possible, three core challenges complicate the matter.

The cybersecurity industry faces a pressing dilemma, and various strategies have been implemented to confront it. First, there is the approach of increasing personnel. Companies that opt for headcount expansion quickly realize the financial burden this entails, particularly as security efforts must mirror that growth linearly. This leads to a recurrent cycle where breaches prompt companies to bolster their security teams; however, fatigue can set in and the perceived benefits may not justify the costs, resulting in subsequent reductions in staff. Ultimately, this sets the stage for yet another breach.

Over the years, many security teams have focused on what I refer to as a “single shining pillar”—a specific, tangible achievement that resonates with executives and justifies cybersecurity expenditures. However, this focus risks obscuring the larger picture of security, especially as the landscape of vulnerabilities expands and the threat surface of technology continues to evolve. Moreover, relying solely on workforce expansion is not a sustainable solution.

The role of artificial intelligence (AI) in cybersecurity presents both opportunities and limitations. At DefectDojo, my company has successfully utilized machine learning (ML) to automate the triage process, eliminate duplicates, and enhance operational efficiency through the analysis of past human actions. While such automation can significantly enhance the capabilities of security teams, we are still far from a point where AI can comprehensively address cybersecurity challenges. Large AI models often struggle with accurately assessing risks due to the heterogeneous and intricate nature of security data. For instance, the processes for detecting and addressing cross-site scripting differ markedly from those for mitigating SQL injection attacks, despite both being categorized as injection vulnerabilities.

Trusting third-party AI models carries an inherent risk, especially when sensitive data is involved. Although organizations like OpenAI prioritize security, the data used to train these models is a potentially attractive target for cybercriminals. History has shown, as in the 2023 breach involving OpenAI, that these repositories of information can be vulnerable, presenting significant risks.

Another promising response to cybersecurity challenges is the adoption of DevSecOps practices. This concept integrates security protocols into the fabric of development and operational processes. With DevSecOps, security evolves into a shared cultural responsibility rather than being confined to a dedicated department. This collaborative framework supports the scalability needed to secure complex technology environments, even as the number of known vulnerabilities grows.

DevSecOps emphasizes consistent security assessments throughout the entire software development lifecycle and fosters ongoing collaboration among development, security, and operations teams. This approach makes security considerations inherent in the software development process, so that vulnerabilities are closed proactively before they manifest as incidents. Companies working this way are better equipped to address vulnerabilities, drawing on a centralized pool of data that can swiftly inform teams and facilitate timely remediation.

While the cybersecurity landscape is ever-evolving, establishing a solid foundation is crucial. As highlighted by Bessemer Venture Partners’ notion of a “back to basics” approach, organizations must attend to core practices. Even with advanced defenses against modern threats such as AI-driven attacks, a lack of foundational security can leave organizations vulnerable to breaches. Inadequate management of known vulnerabilities can leave numerous pathways open for malicious actors, emphasizing the need for a strategic approach to cybersecurity management.
