“Cyber Security 1.0” was vulnerability based, and I would argue it has had limited and decreasing success: public breaches continue at a record pace even though IT and IT security spending remains a growing leadership priority. The problem as I see it is that, at least in North America, we have always benchmarked our security programs, our risk assessments, and our solution designs against regulations and whatever we thought were “best practices.”
As my security intelligence colleagues have pointed out to me, absent adversary insight, our strategies focus our work on hunting vulnerabilities within our own environment, many of which have already been exploited by the time we find them. This ‘close the barn door after the horse is already out’ approach leaves us in a reactive-only management position, which is well known to be expensive and ineffective from a risk management perspective.
“Cyber Security 2.0” must manage our environment in light of the adversary's capabilities and attack methods. That means defining our security management, priorities and methodologies in terms of the ‘real’ threat: the people who would seek to do our organization harm, rob our shareholder value, and damage the organization's brand. Doing this requires a new approach that is responsive to changing market conditions and a program that can defend against the “new normal” of increased threat pace and adversary capabilities.