Wendy Nather on How to Make Security 'Democratization' a Reality

Ahead of her keynote at the RSA Conference, Cisco's head of advisory CISOs outlines to Dark Reading a unique paradigm that asks security teams to stop fighting their users -- and start sharing control with them.

"Here's one of the ideas that I think is gonna make everybody clutch their pearls a little bit [during the keynote session]," Nather says. "I'm going to argue that we should be teaching kids not to comply with somebody else's security system, but to make good security decisions on their own from an early age — which means we have to get rid of parental controls. We should be teaching kids to make the right decisions with the devices that they are using." 

Nather herself has a parental control-free home. And yet when her teenage daughter decided she needed some help managing her phone usage and security, she made the decision to ask Nather for help activating certain controls. 

The more empowered users are to make security decisions, the better decisions they will make, one hopes. This does not, however, mean security pros should throw users alone into shark-infested waters slathered in fish guts. Some standard security guardrails would continue to be necessary, and likely welcomed, in a democratized security environment, Nather says.

"People aren't going to want to take care of everything having to do with security, especially the plumbing," Nather says. "They'll say, 'I don't want to care about which level of TLS I'm using. You take care of that part.' What they want to do is they want to make the usage decisions."

Some CISOs might read all of this with eyebrows raised. Collaborating on security may have its benefits, but will anyone want to collaborate on taking blame for a data breach? If something goes wrong, won't the CISO always be the sacrificial lamb? 

Nather points out that this is a problem we're already facing, and a collaborative approach might actually help solve it.

"We are already having to negotiate those boundaries of security, responsibility, and accountability," she says. "We just have to make [those boundaries] more explicit." More collaboration might "make it clear that the business is making those [security] decisions with our help," she adds. "But if something goes south, it's on both of us. So I think it's kind of a chicken-and-egg thing. First, the security department needs to be willing to surrender some control."

Cisco's Vision

Monday, Cisco released Cisco SecureX, what the company is calling "the broadest, most integrated cloud-native security platform in the industry." Scheduled for general availability in June, SecureX will be included in every Cisco security product.

Although SecureX is not directly related to democratization, it is part of the 35-year-old company's new endeavor to improve security visibility and tackle security stack complexity -- a more usable design not for the end user necessarily, but for a security manager.  

Cisco SecureX unifies visibility across an organization's entire security product portfolio so that all policy violations and detected threats can be shown in one place. It automates common security workflows and also delivers a new "managed threat hunting" capability that draws on the research and intelligence of Cisco Talos.

Companies can sign up for the SecureX beta-testing waitlist now.