Are government penalties effective in getting health systems to improve their cybersecurity practices? (Poll Closed)

Total Votes: 222
3 Comments

  • National Geographic - 6 months ago

    I like to think of cyber security like life on the savanna: we are all a pack of gazelles running from cheetahs. The cheetahs are faster than all of us. We have only two methods of survival: be faster than the other gazelles (more secure) or be scrawnier than the other gazelles (less gain). Being both is a great strategy.

    Most cheetah are pretty lazy, and just take out the gazelle who let their guard down. And while it is surprising how many of our fellow gazelles do this, maybe it's because gazelles have so many other high priorities and it's really expensive. Being a gazelle is pretty tough.

    The really juicy gazelle have it tough, they have to be fast. But regardless of how fast they are, there are still cheetah that can catch them. Luckily, those really fast cheetah can get filled up with slower gazelle, and they do. But don't kid yourself, no gazelle is faster than all of the cheetah.

    Now, it should be mentioned that all of the gazelles in our pack are faster than they used to be. 5-15 years ago, some gazelles weren't concerned about cheetah at all. As a pack, we all got faster, smarter and more aware. Unfortunately for us, the cheetah got faster also, seems they have been breeding too.

    While it might be great if all of us gazelles focus on speed training, every one of us could become cheetah fast. However, knowing how tasty we are, the cheetah will just evolve as well.

    In our savanna, there are park rangers. Some suggest that the best way to decrease all of the carnage is to punish the fallen. Every time a gazelle is taken, the park rangers should come and kick and stomp on the injured; this will serve as a warning to all of the other gazelle, and make sure they don't skip any speed training sessions.

    I would prefer another strategy. I think we should arm the park rangers, and they should hunt the cheetah. Smoke out their homes, search them out day and night, set traps. Learn their attack strategies and tell the gazelles. The park rangers could publish playbooks, set up drills for the gazelle. Anything that would deter the cheetah, make them consider hunting in another savanna where food is slower or stockier. Maybe we could alter our diet to be less tasty (can our EHRs get a button to delete all SSNs in the system please!).

    And maybe, someday, all of the savannas will join together and put an end to this. We know the neighborhoods the cheetah live in, we know the currency and tools they use. With enough political will, this could be done.

    (Did you know that maritime piracy peaked in 2010 with 445 attacks? In 2022, there were 115 attacks. Many factors have contributed to the steep decline, including navy involvement, increased security, and targeting of originating countries. Oddly, no one suggested shooting holes in the hulls of the victims as an effective deterrence.)

  • Rebecca - 6 months ago

    It makes some sense in creating regulations around baseline requirements because it gets the attention of senior leadership and board members that won't hear what should be included in a mature information security program. It's not so much the penalties as being on the "naughty list" and no one wants that. It also ups the bar on what peers are doing. The board is big on comparing to peer maturity levels but if peers don't have a great program, then it's a terrible barometer. Where things fall short is that for small and medium-sized health care systems, money is tight. Many of these orgs want to do better but legitimately can't afford to spend the money on systems and people and don't qualify for the critical access hospital grants that are being offered now.

  • Living Free in New Hampshire - 6 months ago

    The penalties don't work because they are too low. They need to be multiplied by at least ten times.
