Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Edge Articles

08:00 AM
Curtis Franklin Jr.
Curtis Franklin Jr.
Edge Articles

Cybersecurity's Lament: There Are No Cooks in Space

Cybersecurity staff are on edge for the same reason that there are no cooks on the ISS: Organizations are carefully watching expenses for jobs that don't require dedicated team members.

(Image: studiostoks VIA Adobe Stock)

(Image: studiostoks VIA Adobe Stock)

There are no cooks in space.

Think about it: When we picture the great seagoing voyages of discovery, there were cooks, chandlers, medics, and all sorts of other support staff. But that's not the case in space. And the reasons why have critical echoes for professionals in cybersecurity.

Today, it costs roughly $10,000 to put one pound into orbit. If you pick a weight of 150 pounds for a space cook, that means it would cost $1.5 million just to get the cook into orbit. Add in food, clothes, and all the other material required to support a human, and it starts to be an awful lot of money for someone to sling hash for astronauts.

The cost of putting stuff in orbit means that everything that goes into the payload section of a rocket has to be directly tied to the mission at hand. There just isn't room in the budget for much in the way of support.

When you talk to executives in enterprise IT today, you hear some of the same language. Everything -- everything -- that companies are doing right now is focused on bringing in revenue. If it isn't tied to the balance sheet's top line, it's not a priority.

Core Competency
We all have to admit that security is rarely tied to increasing revenue. Business trends have somewhat predictably swung between definitions of "core competency" that were laser-focused on the primary product or service being sold, and those that include all important support tasks. A global pandemic has moved the needle squarely toward the "laser focus" side of the spectrum. And that means many security professionals find themselves feeling like a NASA astro-cook: It's a nice idea but an awfully expensive way to get the job done.

At the same time, though, what we haven't seen is a broad enterprise move to the modern astronaut model in IT. On modern space flights, there are no cooks because the astronauts -- typically highly trained test pilots, PhD scientists and engineers, or both rolled into a very highly skilled package -- cook their own food. They also straighten up after themselves, clear any sanitation issues, and act as mechanics for the craft when something goes wrong.

In all of these cases, the focus is on the mission and the people carrying out the mission. The support functions are simply tacked onto their primary tasks. In business, you tend to see this degree of task-stacking in only the smallest companies, where the assumption is that the various support tasks won't actually be done very well. Specialization and expertise are benefits that larger enterprises are presumed to be able to access: Will the coronavirus epidemic take away these advantages as it takes office culture and free coffee?

Competence, Cost, and Core Business
Anecdotally, enterprises are responding in a couple of ways. First, they have for some time been shifting perimeter protection and security analysis to managed security service providers (MSSPs). As I talk with CISOs and CIOs, it seems that the pandemic has accelerated this transition, even as organizations work to firm up the knowledge necessary to properly write contracts and manage relationships with the service providers.

Next, there are companies that have decided to list security in the "nice to have" category, accepting the risk that they might have a security incident before they're able to restart their normal spending.

Some companies say they're adopting something closer to the astronaut model, adding security responsibilities to the job descriptions of IT generalists and even line-of-business employees. While some IT generalists can become quite competent at IT security, turning enterprise "mission specialists" into cybersecurity staff isn't realistic if for no other reason than the fact that cybersecurity has become a complex and demanding specialty. Most organizations feel they've done well if they can take employees out of the "adversary" category and into a neutral classification -- pulling them all the way into the "security staff" is an orbit too far.

Security's Value
Ultimately, the question will come down to security's value to the organization's mission. Over the past few years I've had many conversations with CISOs and other senior cybersecurity executives about what might take security out of the purely expense accounting category. While I've heard many optimistic statements about reducing transitional friction for customers and employees, most experts acknowledge that security is an expense rather than a revenue-producing activity.

Right now companies of all sizes are re-evaluating expenses once thought to be essential. The expense for office space is one such example that comes immediately to mind as ripe for rethinking. Cybersecurity isn't in that category because almost everyone can see that working from home requires a different security strategy than one in which most employees are coming into the office. (That new model requires a new analogy and another column, so I won't get into it here.)

The fact is that, until business revenue increases on a broad basis and cybersecurity's profile in the enterprise is raised, executives will see most cybersecurity staff in the same light as astronaut cooks: something that's really useful, but an awfully expensive way to get the job done.

Related Content:


Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Strategist
7/25/2020 | 10:16:25 AM
Very flawed analogy
I understand the point of your article, but you start off with an extremely flawed analogy.  The cybersecurity professionals aren't like the cook on the station.  The cybersecurity staff are more akin to the key staff in mission control, helping to ensure that the astronauts stay alive and healthy.  And last time I check, there isn't any single space mission that doesn't have ground support staff (spoken as someone who has actually worked at NASA in the past).  All that said, having everyone be responsible for cybersecurity is critical for it to be a successful program.  If those on the front lines aren't doing their part, there is little the professionals can do to keep them secure.  One has only to look at all the careless things that those on the front lines due every day that cause the security lapses we see, from not security cloud services, to checking credentials into public code repositories.  When left to their own without proper checks and balances, they will always error on the side of expediency.  And that is just what those looking to steal our data are counting on.

So no, cybersecurity's lament isn't that there are no cooks in space.  It's that those in space think that they are infallible and are above thone who help keep them alive while they are in space.  (my apologies to all astronauts, it wasn't my analogy and I'm certain that you all are very appreciative of the work done by those that enable you to go into space and come home safely).
Flash Poll