网络安全行业，我们应该是乐观还是悲观

网络安全行业，我们应该是乐观还是悲观

In the cybersecurity industry, should we adopt an optimistic or pessimistic outlook?

作者 樊山 上海观安信息技术股份有限公司

本文英文部分为腾讯元宝提供翻译，如有偏差敬请谅解

面对高速发展的数字化时代，网络安全行业是不是真的适应了这个时代的发展？从技术角度而言，数字化带来的数字安全或者传统所言的网络安全（Cybersecurity）、数据安全以及隐私保护的问题，已经成为一种巨大的挑战，甚至是一种恐惧。

Is the cybersecurity industry truly adapting to the rapid evolution of the digital age? From a technical perspective, the challenges posed by digital transformation—including digital security, traditional cybersecurity (Cybersecurity), data security, and privacy protection—have become a daunting concern, even bordering on existential dread.

从某种意义而言，媒体、专业人士可能会站在商业角度去为这种恐惧提供一种遥不可及的“安慰剂”，如同你做完手术后想让医生给你一点止痛药时，医生会给你一片维生素一般。服用者只是从精神上获得一丝慰籍罢了；但是更让整个行业担忧的是，原本这种无可厚非的商业行为中增加了越来越多的专业人士来渲染这种商业氛围。导致患者开始神话各种“专业产品”和“专业技术”。从思想上产生了对网络安全的乐观。

In a sense, media and industry professionals may leverage commercial interests to offer a ‘placebo’ for this fear—much like a doctor prescribing vitamin pills instead of painkillers when a patient asks for relief after surgery. The recipient gains only superficial solace; yet more alarmingly, legitimate commercial practices are increasingly tinged with professional rhetoric that amplifies fear-mongering. This dynamic causes stakeholders to mythologize ‘premium products’ and ‘cutting-edge technologies,’ fostering a collective delusion of cybersecurity invincibility.

数字化产业的发展并非一帆风顺，实际上从IT角度而言，我们渴望一种理想的状态，比如：系统安全工程、全生命周期管控、安全三同步、能力成熟度模型等等最佳实践；的确组织也在不断追求这种最佳实践尝试来提搞自身的安全保障水平和能力。尤其近年来受到合规性的压迫和大模型以及合成数据带来的业务变革；更多的利用数据作为产业形成新的收益模式的产业链的快速发展，使得组织不得不考虑安全与业务的平衡；然而现实却是异常残酷。业务优于防护，孱弱的IT部门或者安全部门很难在具体实现中占有一席之地，高速迭代的业务挤压下，实现数字化业务最基本的软件开发问题成为焦点中的焦点。实至今日，软件开发行业从诞生到现在经历了近百年的历史，理论上已经是一种非常成熟的产业和能力，其实，我们发现，在现实生活中，软件的成熟更多表现在功能实现的多样化、硬件单元的多元化，通信传输的多层次化，软件构建的便捷化；但在软件架构、技术融合、环境配比等问题上，两级分化迅速加剧，成熟的开发组织和不成熟的开发组织成为实现软件开发的两个极端，往往不成熟的开发组织会用成熟的开发组织所构建的最佳实践去说服客户接受自己的产品，但真正在实现过程中，却发现这是一个遥不可及的过程。

The evolution of the digital industry has never been smooth. From an IT perspective, we aspire toward an ideal state—best practices such as systems security engineering, whole-life cycle management, three synchronous security practices (design, development, and operations), and Capability Maturity Model Integration (CMMI). Organizations indeed continuously pursue these benchmarks to enhance their security posture and operational resilience. However, recent years have intensified pressures from regulatory compliance, business disruption driven by large language models (LLMs) and synthetic data, and the rapid rise of data-driven revenue models. These forces compel organizations to balance security with business agility. Yet reality falls starkly short. Under-resourced IT or security departments struggle to gain traction, as hyper-iterative business demands marginalize even foundational software development practices—the bedrock of digital transformation.

Ironically, despite nearly a century of development, the software industry remains paradoxically immature. While functional diversity, hardware heterogeneity, layered communications, and rapid deployment tools have flourished, critical areas like architectural coherence, technology integration, and environment configuration exhibit a glaring two-tier divergence. Mature organizations excel, while immature ones leverage superficially 'mature' best practices to market products. In practice, however, these claims crumble under scrutiny—a stark reminder of the industry's myth of maturity.

从客户角度而言，快速业务发展逼迫数字化部门和组织不得不为应对功能实现疲于奔命，不断重复的系统安全开发活动只能抛于脑后，在现实安全开发中，威胁建模作为整个度量软件全生命周期活动的重要过程受到人员能力、成本、时间等问题的影响，基本被放弃，仅仅是在代码交付阶段才会通过渗透测试和源代码审计去度量软件风险问题。结果是，即使软件存在风险，客户也只能在投入大量的补偿性控制成本（比如：购买第三方产品、插件以及安全服务或者“保护费”）来弥补这些风险，即使如此，组织依旧面临着第三方组件风险、硬编码带来的令牌风险、业务逻辑绕行、功能确认、认证不健全等诸多问题，从而导致被勒索、爬库、应合规带来的处罚等问题。

From the client perspective, rapid business expansion forces digital departments and organizations to prioritize functional implementation at the expense of security practices. Threat modeling—a critical process for measuring software security across the entire lifecycle—is abandoned due to resource constraints (e.g., personnel competency, budget, timelines). Instead, risk assessment is deferred until code delivery, relying solely on penetration testing and source code audits. Consequently, clients resort to costly compensatory controls (e.g., third-party products, plugins, or 'security service fees') to mitigate residual risks. Even then, organizations remain vulnerable to third-party component vulnerabilities, hardcoded token risks, business logic bypasses, authentication flaws, and compliance failures—leading to ransomware attacks, data breaches, and regulatory penalties.

理性的来看，悲观并不是一件坏事，可能很多业内人士会认为这种悲观是杞人忧天，但是正如同我们通常所说“乐观者发明了飞机，而悲观者发明了降落伞”所以，在一些执行专业飞行任务的飞机上都会搭配降落伞，将悲观与乐观相互融合。当然由于降落伞需要专业的训练和操作才能形成有效使用，所以通常民航客机并不会配置不是因为民航客机很安全，而是怕不专业的操作增加更多的风险。所以我们可以把安全控制措施看成是降落伞，即使你具有一个非常专业的降落伞，但是要把降落伞交给谁去使用成为网络安全工作中的一个问题。专业的事情应该由专业的人员完成，但现实中，是不是专业的人在做专业的事，这就成为一个谜题。诸如数据安全工作，实际上传统的数据安全更多的是在数据依托网络环境下所产生的机密性、完整性和可用性的融合，但是这里有一个问题，网络安全可以不依托于业务，也就是说，我们撤除所有的网络安全控制手段，业务并不会因此而发生中断或改变（排除人为攻击行为因素）；但是数据与业务紧相关，也就是说，一旦数据在其整个处理活动的任一阶段发生异常，有可能会直接或间接导致业务崩塌，不管是人为因素还是非人为因素。这就使得，我们在关注数据安全时，不仅要考虑来自于人的攻击行为，还要更多的去关注业务实现过程中的行为。

From a rational perspective, pessimism is not inherently negative. While many industry insiders may dismiss such skepticism as unfounded alarmism, the adage 'optimists invent airplanes, pessimists invent parachutes' underscores a critical truth: in specialized aviation missions, parachutes are standard equipment. Their deployment, however, hinges on rigorous training and operational protocols—hence their absence in commercial airliners, not due to inherent safety but to mitigate risks from untrained misuse. Similarly, cybersecurity controls can be likened to parachutes. Even the most sophisticated safeguards become ineffective if misassigned to unqualified personnel.

The core dilemma lies in delineating 'who should hold the parachute.' While cybersecurity demands specialized expertise, the industry faces a paradox: are professionals truly handling specialized tasks?

This complexity intensifies when addressing data security. Traditional cybersecurity focuses on safeguarding network-dependent confidentiality, integrity, and availability (CIA triad). However, data security is fundamentally intertwined with business continuity. Unlike network security—which remains operational even if controls are removed (excluding deliberate attacks)—data anomalies at any processing stage can trigger cascading business failures, whether through human error or systemic flaws. Consequently, securing data requires not only defending against malicious actors but also rigorously scrutinizing operational behaviors embedded in business workflows.

从业务角度分析，数据在实现业务过程中首先应保证其最大的可用性；安全矛盾再于机密性与可用性之间所存在的本质矛盾，既要合规又要确保业务，这使得安全控制应深入与业务去分析，业务最终需要数据的目的以及如何在最大化实现用户目的前提下通过隐私计算、脱敏、去标识化等技术手段实现隐私保护和合规；这使得数据安全工作者应具备一定的业务素养，同时应将数据安全部门与业务部门形成良好的沟通和衔接。

From a business perspective, data must prioritize availability as its core value during operational implementation. The fundamental security paradox lies in the inherent conflict between confidentiality and availability: compliance requirements and business continuity demands create a tug-of-war, forcing security controls to deeply integrate with business logic. This necessitates a dual focus: understanding the business purpose of data while achieving privacy compliance through technical means such as privacy-preserving computation, dynamic data masking, and de-identification—methods that safeguard sensitive information without obstructing user objectives. Consequently, data security practitioners must cultivate business acumen, and cross-functional collaboration between security and business units becomes non-negotiable.

很难从技术角度将数据安全工作割裂成不同的技术域，似乎在传统的网络安全工作中，大家会细分主机安全、操作系统安全、网络安全、软件开发安全等等相关领域，然后为每个领域专门设置培训和教育，甚至岗位和职能以及操作手册。然后数据安全的独特性再于数据在整个处理过程中完美的跨越了所有的领域和环境，使得在分析数据安全问题的时候，必须将支撑其数据活动的所有组件技术都纳入其中；比如：我们可能已经忘记了OSI/ISO七层协议，但是数据安全工作中一个基本的问题“请问，一个数据行为审计工具，您应该部署在哪里”这是一个看似简单的问题，但是为什么很多客户会投诉厂商，“你们的产品没有任何的响应，并且会产生大量的漏报和误报！”可能很多人会吐槽厂商的产品太烂等等原因，实际上我们在很多用户场景中发现，作为一个应用层审计设备，大多数用户为了降低对业务产生的额外负载，喜欢将其部署在三层网络设备之上，通过端口镜像的模式捕获数据包进行分析。显而易见的是，数据访问行为的状态包是通过七层协议进行传递，我们在三层环境下如何对七层协议中产生的数据请求行为进行解读和分析呢？这是一个小小的示例，也就是说，我们在数据安全工作中，不管是甲方和乙方，都不能单纯的从一个技术域去考虑数据安全问题；精细化的技术是为技术细节提供支撑而不是为整个技术架构提供专业性指导。

It is challenging to compartmentalize data security into distinct technical domains from an engineering perspective. In traditional cybersecurity practices, fields like host security, OS security, network security, and secure software development are siloed with dedicated training, job roles, operational manuals, and compliance frameworks. However, data security’s uniqueness lies in its transversal nature—it permeates all technical layers and environments. Analyzing data security issues therefore demands holistic integration ofall supporting technologies involved in data workflows.

Take a seemingly simple question:‘Where should a data activity auditing tool be deployed?’ Many clients complain about vendor products generating excessive false negatives/positives or failing to trigger alerts. While finger-pointing often targets ‘poor-quality’ products, real-world scenarios reveal systemic misunderstandings. For instance, most customers deploy application-layer auditing tools at Layer 3 network nodes using port mirroring to minimize business latency. Yet Layer 3 devices cannot interpret Layer 7 protocol semantics (e.g., HTTP headers, API payloads) inherent in data access behaviors. This mismatch between tool deployment and data context exemplifies a critical paradox:

In data security, neither vendors nor enterprises can address challenges through isolated technical domains. Granular technical optimizations (e.g., network packet inspection) serve as building blocks, not architectural blueprints. True solutions require integrating cross-layer visibility—from Layer 7 application logic to Layer 1 infrastructure—while aligning threat models with business process dependencies.

人的问题永远是网络安全最大的悲剧，很多网络安全事件并不源自于高明的对手而是传统意义的猪队友，弱口令、第三方违规接入、点击不明链接、随意的下载和收取电子邮件等等常识性问题，往往会将一个组织完善的网络安全防御体系打的千疮百孔；员工越多的组织，管理负担越重，这让我们不得不考虑，网络安全工作，我们到底应该是悲观还是乐观。

Human error remains the most tragic vulnerability in cybersecurity. Most breaches stem not from sophisticated adversaries but from ‘incompetent insiders’—weak passwords, third-party compliance violations, phishing click-throughs, casual malware downloads, or careless email practices. These mundane lapses routinely dismantle even the most robust security architectures. As organizations scale, the management burden grows exponentially: more employees mean more human weak links. This reality forces us to confront a stark paradox: should cybersecurity professionals adopt optimism or pessimism in the face of such systemic fragility?

实际上大家可以回想新冠疫情三年的经历。可以说，这是我国第一次在非战时状态所形成跨部门协作最密集的一次。但是正是这种跨部门合作使得仅仅三年的时间，我们付出了比别的国家损失更小的代价成功的渡过了新冠危机。在这三年中的成功经验，首先是强有力的国家政策和规范，必须去做什么，比如：新冠检测、预防针、发热门诊的专项、集中收治等等手段；降低感染率、尽早发现尽早隔离尽早治疗；如果当我们发现入侵开始并无法有效处置的时候，将受害主机拔掉网线，拒绝通信一样；其次认识危机能力，新冠期间，很多机构拒绝第三方人员进入办公环境，拒绝不可信人员进入办公区域等等措施最大化的保证了组织自己人员降低交叉感染的频率；如果在数字化时代，组织能够有效的隔离不可信第三方的接入，针对各个业务在运行过程中检查是否存在不知名或未知的API通信和传输，并针对这些通信实施阻断和监测的时候，我们能不能最大化的去识别数据的异常流动和传输呢？我们能不能识别数据是否是在约定的条件进行流通和传递呢？最后就是针对人的管理，实际上疫情三年中几次大规模疫情爆发更多是个别人不服从规定通过种种手段绕过疫情管控带来的快速传播；在网络安全工作中，我们同样面临着这种问题；尽可能小的区域化隔离和识别，及时对违规人员的查处和阻断，将是未来网络安全内部管理工作中的一项艰巨任务，人是最不可捉摸的生物，我们永远不能度量谁会在什么时间去做什么事，但是我们能够对人做哪些事可能存在风险进行稽核和发现。剩下的问题就是如何对这些人的行为进行处置而不是简单的对人的处置。

"The COVID-19 pandemic over the past three years offers critical lessons for cybersecurity. This was China’s first large-scale, cross-departmental collaboration during peacetime. Yet this very collaboration enabled the nation to weather the crisis with significantly lower losses compared to other countries, all within three years. Key takeaways include:

1.Centralized Policy Mandates:
Immediate enforcement of national policies—such as mandatory testing, vaccination drives, fever clinic networks, and centralized quarantine protocols—mirrors cybersecurity’s need for immediate containment. Just as disconnecting compromised hosts from networks halts malware spread, rapid policy execution reduced infection rates through early detection, isolation, and intervention.

2.Threat Recognition Capabilities:
During the pandemic, institutions restricted third-party access and isolated high-risk zones to minimize cross-infection. Similarly, cybersecurity requires dynamic access controls to monitor unauthorized API communications and data flows. For example, detecting anomalous SaaS integrations or shadow IT channels could preempt data exfiltration, akin to spotting rogue Wi-Fi hotspots in enterprise networks.

3.Human-Centric Risk Management:
Most COVID-19 flare-ups stemmed from noncompliant individuals bypassing restrictions. In cybersecurity, insider threats account for 34% of breaches (Verizon DBIR 2023). Future challenges lie in granular behavioral monitoring—identifying high-risk actions (e.g., unauthorized data downloads) before escalation, rather than retroactive disciplinary measures.

The unresolved challenge? Translating behavioral audits into actionable protocols. Unlike static malware signatures, human intent remains unpredictable. Solutions may lie in adaptive frameworks like Zero Trust Architecture (ZTA), where continuous verification aligns with pandemic-era lessons:segment networks, restrict lateral movement, and prioritize context-aware controls over blanket policies."

网络安全行业不管是悲观还是乐观，都应该用一种理性的思维去讨论；更多的时候我们是否能够排除商业思维去考虑问题，新技术的快速跌打实际上是在加剧网络安全行业的悲观而不一定是乐观。任何一种新技术除了其在继承旧的技术路线风险的同时也会带来自身的新的技术风险。忽略了硬件机制、内存机制、软件开发水平能力、通用协议问题以及各种技术所产生的耦合问题的场景，都是对网络安全的不尊重。我们必须迎接从IT到OT的融合，从人的决策到人机决策和完全的人工智能决策的风险。最终我们到底是要信任人还是要信任人工智能，种种挑战逼迫我们产生必然的悲观；谁都不敢断言人工智能的觉醒是不是神话，但是从技术角度而言，这只是时间问题，恶意的开发者会加速这个时间；那么我们如何从技术角度来应对这种觉醒？真正从全维度去考虑网络安全问题时，我们必须面对这种挑战，为网络安全行业带来一种新的乐观。

The cybersecurity industry must approach optimism and pessimism through rational discourse, stripped of commercial biases. Rapid technological disruption—rather than inherent promise—often amplifies skepticism. Every new technology inherits legacy risks while introducing novel vulnerabilities. Disregarding hardware architectures, memory management systems, software development quality, universal protocol flaws, and technology coupling effects disrespects the fields complexity.

We face inevitable challenges:

IT-OT Convergence Risks: Merging operational technology (OT) with IT ecosystems introduces physical-world attack surfaces (e.g., industrial control systems hijacked via phishing).

Human-Machine Decision Boundaries: Shifting from human-in-the-loop systems to autonomous AI decision-making raises existential questions: Do we trust humans prone to bias, or algorithms vulnerable to adversarial manipulation?

AI Awakening Threats: While artificial general intelligence (AGI) remains speculative, malicious actors accelerating AI capabilities could weaponize autonomous systems. Technical mitigation requires:

lAdversarial Machine Learning defenses to counter AI-driven exploits;

lFormal Verification of AI decision pipelines to ensure alignment with ethical frameworks;

lZero Trust Architectures to restrict AI autonomy within bounded contexts.

True optimism lies not in denying risks but in systemic adaptation. Holistic cybersecurity strategies—integrating NIST AI Risk Management Framework, MITRE ATT&CK’s AI-specific tactics, and IEEE Ethically Aligned Design principles—must address these challenges. The path forward demands collaboration between policymakers, engineers, and ethicists to ensure technology remains a force for resilience, not existential dread.

原文始发于微信公众号（老烦的草根安全观）：网络安全行业，我们应该是乐观还是悲观