“Ladies and gentlemen, we will be turning the seat belt sign on. Please remain seated as we expect turbulence.”
In other words: “Strap on your seat belts. We are in for a bumpy ride.”
As a security strategist for Carbon Black, I fly all over the country. Recently, there has been a ton of turbulence while flying.
This rash of turbulence reminds me of where we are as an industry. In security, we are hitting (and continuing to hit) bumps along the way. This won’t change anytime soon and the bumps seem to be occurring at a faster pace.
Cyber security came up during the presidential debates. There are currently a number of proposed pieces of legislation at every level of government that aim to address this “problem.”
As a community, we haven’t yet “fixed” the security challenge, so others are trying to mandate how to fix it. These politicians, judges and leaders can affect security both positively and negatively. They can add complexity or reduce it. They can create policy or overrule it. They can choose to listen and become educated, or not. They seem willing, so shouldn’t we set aside the cynicism and do the hard work of educating them? They seem aware; let’s take them beyond awareness. They need long-term strategic help. They need help understanding which data matters so they can make the right decisions. This is a role every one of us can play.
We all know teams are already struggling to maintain an environment that is both secure and compliant because, oftentimes, the budgets and projects for the two compete with each other. I have seen a number of shops that are both PCI and SOX compliant, but a red team took less than an hour to achieve domain administrator on their systems.
Outside of the very large companies, most organizations simply can’t afford to maintain compliance and an effective security program at the same time. Businesses have downturns. Budgets get cut. Funding goes away. To stay in business, a leader may have to choose to shortchange security for the sake of maintaining compliance.
Compliance teams and InfoSec teams need to ensure they are partnered and working toward common goals. They need to work with the regulating bodies to ensure the controls actually achieve those goals, whether the goals are privacy-, security- or risk-related. They need to look at sharing technology decisions: if a tool can meet both needs, that’s great, and between them the two teams should make wise technology investment decisions. After all, plenty of compliant businesses have been breached.
All over the world we see this in action. The EU Court of Justice struck down Safe Harbor. Governments everywhere are calling for backdoors in encryption. The Cyber Security Disclosure Act was introduced in December. The State and Local Cyber Protection Act was introduced in March. The Small Business Cyber Security Improvement Act of 2016 was introduced in June.
These seem reactionary and rushed, focused on the past rather than on the future, which is where cyber security should be looking. This trend of legislating security will continue to add complexity. Think about the sheer number of human hours spent on compliance attestation. Imagine if all of that time and effort were focused on actually becoming secure. Teams that should be actively defending networks and systems are often relegated to taking screenshots and filling out forms.
We’ve come a long way as an industry, but we continue to repeat the mistakes of the past. IoT is here, and Gartner estimates that 4 billion connected things will be in use in the consumer sector in 2016. More than 25,000 CCTV cameras were recently used to deliver the largest DDoS attack on record. Everything is getting plugged in, and we had better face the reality that cyber criminals can now operate at crushing scale.
Ransomware has become big business, and IoT will only add to this trend. Holding “all the things” for ransom looks like a great profit model.
The source code used to pull off these massive DDoS attacks has been released. Imagine a world where Internet pipes are clogged by hijacked IoT devices and that noise is used to distract teams from the actual breaches under way.
Hackers and “leakers” are replacing legitimate journalists as a source of reliable information. This behavior is being ignored, encouraged and supported to varying degrees by leaders across the world. You cannot be pro-security and at the same time encourage illegal system break-ins.
I think we have massively elevated awareness of the issues. News coverage is at an all-time high but we need to move into true education. We need to use all opportunities to educate.
Awareness helps, but without educating our business and political leaders on effective strategies we must expect people to operate out of fear and act reactively rather than proactively.
We have two candidates running for president who seem to have either not enough knowledge, or just enough knowledge to be dangerous, when it comes to cyber security discussions.
Neither candidate appears to be very educated on the topic. Let’s move beyond awareness to education, and not only provide problem statements but also the fundamental building blocks so those around us can grow and build on that foundation. It is very clear we have plenty more bumps and turbulence to endure.
While all of the news can seem crazy at times, we have to remember that this is part of our growing pains. Now is the time to refocus our efforts on education, not awareness. Now is the time to do more than stand on a soapbox and make fun of people who aren’t knowledgeable. Now is the time to do what we have been trained to do. Let’s stop assuming users are too dumb. Let’s stop acting holier-than-thou when another team has a breach, and let’s all spend more time truly educating those around us.
I’m not saying that we haven’t been doing this already. I’m certainly not saying we haven’t made progress, but we aren’t at our final destination. We are still circling the airport, waiting for the runway to be built safely and securely. We have a long way to go and a short time to get there.