November 5, 2018

The Other Half of the Equation


Cybersecurity is not a sport we get to play on our own terms.  Being on defense will always be just that: defense.  And so we have to adjust how we think about cybersecurity, or we will continue to lose to our adversaries.

Being on defense emboldens offense.  If both sides played that exact formation forever, the odds would suggest roughly even success and failure.  That would be true if both sides had the same rules, the same equipment and the same finite resources to apply to the game.

Our adversaries on offense don't.  So we have to change the way we play the game.  Experience has shown that the processes, technologies and methodologies most organizations put in place are, on their own, simply not sufficient to ensure security.  We need to know, in advance and in real time, when the adversary is planning, staging and gaining ground.  The only way to do that is to know what they know and to have the information they have.

Cybersecurity should look like cyber offense.  Organizations need to adopt the same reconnaissance methods their adversaries employ, and run them against their own footprint.  And then we need to deceive.  In real time.  We should gamify our "targets": create wonderful rabbit holes, virtual realities that are, to the adversary, the equivalent of holograms.

To do so, we need to see what they see and move the way they move, across companies, organizations and targets.  A company's digital footprint should become an indiscernible maze.  Its attack surface should be confusing beyond understanding.  And false.  Triangulation should lead to dead ends, but only after enough toil.
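One concrete form of the deception described above, as an added example that is not part of the original post: seed decoy accounts and hosts that nothing legitimate ever uses, then treat any authentication attempt that touches one as a high-fidelity signal that someone is working through the maze. The decoy names, the log format and the sample log lines are all constructed for illustration, not taken from any real environment.

```python
"""Honeytoken-style deception over authentication logs.

Added example, not code from the original post. The decoy inventory, the
log line format and the sample log are constructed for illustration.
"""
import re
from dataclasses import dataclass

# Constructed decoy inventory: identities that exist only to be discovered.
# Nothing in the real estate should ever authenticate as or to these.
DECOY_USERS = {"svc_backup_legacy", "admin_old"}
DECOY_HOSTS = {"fin-db-02.corp.example", "vpn-old.corp.example"}

# Constructed log format, one event per line, e.g.
#   2018-11-05T10:12:01Z auth user=alice host=web-01.corp.example src=10.1.2.3 result=ok
LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth user=(?P<user>\S+) host=(?P<host>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>\S+)$"
)

# Constructed sample: two legitimate events, three decoy touches, one junk line.
SAMPLE_LOG = [
    "2018-11-05T10:12:01Z auth user=alice host=web-01.corp.example src=10.1.2.3 result=ok",
    "2018-11-05T10:12:09Z auth user=bob host=web-01.corp.example src=10.1.2.4 result=fail",
    "2018-11-05T10:13:44Z auth user=svc_backup_legacy host=web-01.corp.example src=203.0.113.9 result=fail",
    "2018-11-05T10:14:02Z auth user=alice host=fin-db-02.corp.example src=203.0.113.9 result=fail",
    "2018-11-05T10:15:30Z auth user=admin_old host=vpn-old.corp.example src=198.51.100.7 result=fail",
    "garbage line that does not parse",
]


@dataclass(frozen=True)
class Alert:
    ts: str
    src: str
    decoys: tuple  # every decoy name the event touched, e.g. ("user:admin_old",)


def parse(line):
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def decoys_in(event):
    """List the decoy identities an event touches (user and/or host)."""
    hits = []
    if event["user"] in DECOY_USERS:
        hits.append("user:" + event["user"])
    if event["host"] in DECOY_HOSTS:
        hits.append("host:" + event["host"])
    return hits


def detect(lines):
    """Return one Alert per event that touches a decoy.

    The result field is deliberately ignored: a failed login against a decoy
    is still reconnaissance, and a decoy has no legitimate use, so no
    thresholding or baseline is needed to make this a confident signal.
    """
    alerts = []
    for line in lines:
        event = parse(line)
        if event is None:
            continue  # unparsable lines are skipped, not treated as hits
        hits = decoys_in(event)
        if hits:
            alerts.append(Alert(event["ts"], event["src"], tuple(hits)))
    return alerts


def rank_sources(alerts):
    """Map each source address to the number of distinct decoys it touched,
    most first. A source that keeps hitting dead ends is the one doing the toil."""
    touched = {}
    for alert in alerts:
        touched.setdefault(alert.src, set()).update(alert.decoys)
    return sorted(((src, len(d)) for src, d in touched.items()),
                  key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for alert in found:
        print(alert.ts, alert.src, ", ".join(alert.decoys))
    print(rank_sources(found))
```

Because the decoys are never used legitimately, every hit is actionable without tuning, and the ranking separates a source that brushed one decoy from one that is systematically triangulating through several of them. The same pattern extends to decoy DNS names, documents and API keys: anything an attacker's reconnaissance would collect and later try.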

These are a few of the ways we can control the variables, manage the risk environment and ultimately make it costly and difficult for the attackers.