A lot of things have come together recently. While it may be reasonably quiet on the Cybersecurity news front, it is a good time to reflect on the effectiveness (or lack thereof) of our industry.
If you step back and look, you can see that we need to look at our own industry with some cynicism, or rather we need to split the industry up in order to see what is working and what it not.**Communications**: I was listening to the Securing Business Podcast (episode 3 @3:50) recently, and Brian Honan was speaking about how as an industry we communicate with business stakeholders. Then we had the whole BadLock scare, which now appears to be motivated more by marketing than security response.
We are poor at communicating in general, when we do, we do so largely from a technical perspective, and hide in our comfort zone of technical details about hacks and vulnerabilities. We don’t put enough effort or consideration into communicating and training business stakeholder about the implications and what it means for them. And here’s the irony, we complain about cybersecurity not being taken seriously at board room level. Well would you blame them, when we communicate in a different language and just look for more and more budget without quantifying some ROI for the shareholder – fear is not a foundation for communication at this level, it wears thin, quickly. We keep blaming businesses for not listening, whilst still mis-communicating in a different language.
More tools please, same for everyone:
Some Industry vendors are still flogging the traditional message of Fear, and why wouldn’t they - it has worked very well for years for them, and generated handsome revenues with plenty of ‘me-too’ products, little differentiation and little innovation, at least innovation hasn’t been able to keep pace with emerging threats. The Badlock fear marketing is a great example of that in practice.
What is interesting is other industries are getting ahead of the legacy main stream IT Security industry. Cybercrime is now included in UK crime figures, Europe has agreed new Data protection laws. Am I really saying law makers are faster moving than the IT Security industry? These are traditionally termed the slow movers and now are moving faster than our industry…maybe ? What we need is disruption, more on that in a while.
Everything has changed, except our industry.
At the RSA Conference in February Troels Oerting, CISO of Barclays, talks about the need to not only look at controls, but to look at the motivation behind the perpetrators of these crimes. See RSA video @ 20.15
Similarly at RSA’s Dubai conference last year, Amit Yoran from RSA made the point about what we need to focus on, the new security mindset and that old models don’t work. See the video here. The recent annual report from SecureWorks highlights how sophisticated the cybercrime market is, and legitimate business needs to work differently to respond to these cybercriminals. The first thing a business can do is to treat these cybercriminals as hidden competitors, and come up with a competitive strategy to defend against the competitive threat. After all the cybercriminals are trying to take market share from your business indirectly, by taking your data through compromise, taking your money through ransom, and causing disruption. Competitors try to damage your business by taking your customers and market share. Business knows how to respond to competitors.
The CISO’s that win this battle will be firmly looking at Cybercrime through a business lens and utilising the technology where appropriate, instead of looking at the latest and greatest tool to keep the criminals out. Let me give you some examples, by looking at some disruptions:
Who would have thought that bug bounty programs would work, we might scare the horses and loose customers, or open ourselves up to hackers. Of course a bug bounty initiative is not a complete solution, but part of the solution. Google, Microsoft, MIT and now even governments are realising this, stepping back and looking at the people in equation – what motivates them, why will they help you instead of hurting you, and how can you get others to help you fight the battle. Kudos to Kate Moussouris for her disruption in this space – truly eye opening on many levels, not least the effectiveness of the initiative, and the acceptance at the business level. Maybe Kate spoke to the business leaders in business appropriate language and not tech jargon?
Lessons Learnt: You need to collaborate to be stronger, the criminals are communicating but legitimate industry is embarrassed or afraid to communicate openly with peers, you need to consider the human factor after all computers only do what humans tell them to.
Example 2 - Disrupt the market value.
Have I Been Pawned (https://haveibeenpwned.com/) – if it’s free then its not worth my while sourcing and selling the data so I will look for some other ROI of my time. Taking the market out, takes the crime out.
Look at the success of HaveIbeenPwned by Troy Hunt. Now this is a double win as far as I see it. It is a tool that every infosec department should use to check their company’s domains, and it also disrupts the market by allowing people to be alerted and change their compromised credentials, irrespective of the organisation that has been breached. The sooner people are alerted that their details have been compromised the sooner they can change credentials and other details to devalue the breached data, and make it less attractive for hackers to undertake data theft.
Example 3 - Disrupt the Technology:
Letsencrypt.org has made it so easy for all website to be encrypted over HTTP it really will eliminate a number of vulnerabilities that exist at a global level. We can argue about the weaknesses of the automated certification process and different quality of various certs, but it does disrupt a technology problem that existed for years. Hats off to Microsoft, when it stopped all product rollouts to introduce their trustworthy computing initiative and a secure development lifecycle some years ago.!(/content/images/2016/04/LetsEncrypt.JPG)
Maybe the motivation behind this was to stop erosion of confidence with large corporate users of Microsoft products and therefore protect revenue. Or maybe it was a noble humanitarian mission undertaken by Microsoft – you can decide that one, but what is clear a whole lot of Microsoft technology is far safer as a result. However we haven’t seen such global initiatives since then.
Head in the Sand or open up to tighten up.
It’s well overdue that companies in similar industries should disrupt the criminal activity by greater information sharing, and defense planning. This is a shared problem after all. The secrecy and apprehension around sharing security information needs to be disrupted, and a common, shared and of course secure approach taken with greater information sharing, defense strategies and cooperation among appropriate peer groups.
Maybe this will happen with the IoT impact, but we have already seen the healthcare industry affected, the financial system affected, and utility industry and electricity providers affected, and more recently a whole air traffic system in Sweden. This is an industry problem so more collaboration within each industry is needed to counter it.
This may then force the communication to improve, and become less of a technical subject and focus the conversation on the business imperative that it is – and ultimately have credible and valuable conversations about cybersecurity in the boardroom.
April 20th 2016