Are Microsoft and Google better at cybersecurity than the CIA? Um, yeah!

Here’s an article whose title caught my attention immediately (to be honest, I didn’t even bother reading the actual article, just skimmed). The title poses the question of whether Microsoft and Google are better than the CIA, since the CIA Director John Brennan recently had his personal account hacked.

The answer, in my opinion, is “absolutely” and “of course Microsoft and Google are better at cybersecurity”. Here’s why:

  • Security is a cost center; there’s no measurable ROI: Organizations won’t spend on security unless they know the pain, which is a lot different from perceived pain. We all know we should keep our systems secure, etc., but until you have actually been hacked, security is just one of those things you know you should do. Microsoft and Google have been hacked plenty of times, so they know the pain already. The CIA is just starting.
  • Public sector versus private: The public sector has some really great security talent; in fact, I’ve met some of these guys and they are scary. That said, the public sector is constantly competing with the private sector, where the compensation is much higher (I am talking about $ to be clear). So attrition and retaining expertise are always a challenge.
  • As massive as Microsoft and Google are, the CIA is bigger: There are so many moving parts and different types of systems at the CIA that it’s difficult to defend all possible vectors. In fact, the CIA Director hack was on his personal email and had nothing to do with the CIA systems. Microsoft and Google both deploy standardized systems, so while it’s not trivial to protect, it’s still easier to maintain and protect.
  • Who knows what the CIA does, but I know it’s not just tech: The CIA does all sorts of things; exactly what, who knows. But I know for sure it’s not just tech. Microsoft and Google are tech companies, so they have the advantage in that they are able to focus just on technical risks. The CIA, on the other hand, has to be a jack of all trades: human, government, global and now cybersecurity.

Personally, I feel that the CIA, given the resources they have, is doing a great job. Can they improve? Sure, everyone can, but clearly they are not behind, which is more than you can say for some private sector companies.