> 1st: most people outside of government don't know how much they are expected/"required" to do to protect their work against foreign nation states.

This is very true, sadly. It ought not to be, but the level of practical cyber abilities seems sorely lacking. I see lots of "governance" style cyber, but not a lot of "deep technical expertise being allowed to develop defences".

University research lab type environments deserve a special call-out though for being near-impossible to defend. Most of the time these are "defended" by pooled central IT staff without specific awareness of the significance of the systems or threats faced. University networks are also notoriously open, and even in lab environments, they're often connected directly to the internet or campus network (airgapped computers for internet access are less convenient and someone would have to pay for them, and nobody wants to). Let's not even go into the various shadow IT remote access systems in use, which circumvent the institution firewall to let them get work done from home in the evenings...

University lab environments are an incredibly tough target to secure. And the researchers will find ever more ingenious workarounds to security measures that they find getting in the way of their work.

> Except for heavily regulated sectors (government, military, heavy industry, banking, core telecom, and more recently elections) very few companies will actually get help from 3-letter-agencies to actively protect against foreign nation state attacks.

Even some of these sectors sorely lack ability in cyber, at least in some very developed and otherwise capable countries. There is still a very real barrier between 3-letter agencies and the industries you mentioned that need this help. Information sharing is often too little too late, or not specific enough to be actioned.

That said, I do think cyber security needs to be a bigger priority in all sectors, but nobody wants to pay for it, and as long as there's no routine cost to business, I don't see that changing. Not while traditional "value for money" metrics are used to measure and compare options - it's very hard for those reviewing tenders or proposals to see and differentiate between good security and some "military grade, unbreakable, quantum sprinkles" snake-oil security that has SQL injections everywhere.
