Communication is security industry’s greatest failure
11 October 2017
The ever-changing nature of security threats, threat actors and their motivations has led to a more complex security landscape than ever before, making staying secure a challenge for any organisation. To help organisations address those challenges, the Secure Computing Forum assembled a diverse panel of experts to deliver insights, helping to understand and cope, said David Keating, sales manager, DataSolutions, in the opening address.
“We have this hairball of connections,” said Nick Lowe, regional director, UKI, Check Point Software, “everything is connected to everything.”
Organisations have lots of security tools, but they are often fragmented and poorly integrated, he argued. Infrastructure is distributed and data comes from multiple disparate sources, all of which results in increased exposure and attack surface.
“We need to go back,” said Lowe, “the very services and data people need, we are burying under layers of security.”
Lowe said that security vendors need to make tools easier to deploy, integrate and use, with a unifying architecture that allows for better orchestration.
As security costs are rising far faster than general business growth, he said, a rethink in how security is delivered is needed.
Lowe said that in many cases organisations were not taking the necessary steps to protect themselves in key areas such as advanced threat protection, mobile and cloud security. When asked why not, he said, customers responded that it is too complicated, that there are too many products, that there are not enough trained people and, chillingly, “I didn’t think it could hurt us”.
Added to this, Lowe said, “criminals are using superpower technology”, in reference to the tools behind recent malware attacks.
“It’s time for us to step up,” said Lowe, meaning the security industry.
Security is people, not tech
A slightly different view was put forward by author Misha Glenny, who has written such works as “Dark market: cyberthieves, cybercops and you”.
Glenny stated: “At the heart of cybersecurity is not technology, but people.”
He argued that technology only becomes a boon or a threat as people figure out how to use it. This has led to the two major conflicts over the Internet, he said: what people can and cannot do with people’s data, and competition between states.
The outcomes of these, he said, will determine if the Internet will free or enslave humanity.
“The issue of communication is the greatest failure of the cybersecurity industry,” said Glenny. “No one has explained to people how cybersecurity matters to them.”
Hackers, he said, understand how people behave very well and work to exploit it.
“We need to find narratives to counter the criminals’ narratives,” he said.
Glenny gave the example of the UK TV series “Spooks”, and how applications to join MI5 soared with its airing. He said the cybersecurity industry needs something similar to bolster its numbers to combat the ever-growing sophistication of cybercriminals.
He showed survey results which found that more than half (53%) of organisations felt their CEO did not make decisions with cybersecurity in mind. Added to this, more than a third (36%) said their CEO was not regularly briefed on cybersecurity. Nearly two thirds (61%) said their CEO did not know enough about cybersecurity, and when asked why, the majority (69%) said because it is too complicated.
Glenny said the CISO needs to make the CEO understand that a failure in cybersecurity can cascade throughout an entire organisation, as recent events have shown.