RSA CONFERENCE 2020 — San Francisco — End users choosing their own security measures. Kindergarteners using phones without parental controls. Dogs and cats, living together; mass hysteria. Is it anarchy? Or is it simply a better paradigm for enterprise information security that is easier for everyone, less expensive, and actually results in more effective security?
This concept of "democratizing" cybersecurity will be the subject of a keynote session here today by Wendy Nather, head of advisory CISOs at Cisco (formerly Duo).
In an interview with Dark Reading, Nather said she was pondering the questions that the security industry relentlessly asks itself, like, "Why do people keep clicking things that I tell them not to click on?" And also the questions the industry should be asking itself but isn't, like "Should we just stop telling them not to click on things?"
In rethinking some of these sacred cows, she revisited the idea of democratization -- a term she first become familiar with when working with Duo co-founder Dug Song -- and again had a question.
"What would democratizing security really look like?" Nather says. "We talk about this, but what could we do concretely?"
Nather breaks it down into three main categories: a move from a control-model to a collaborative-model; simpler, more usable design; and a more open security culture.
From Control to Collaboration
"We've always been thinking very authoritatively, from the very beginning, about security," Nather says. "You know: 'We're the experts. We make the policy. You follow the policy. We control everything. Control the means and computing.' But, as we know over the last decade-and-a-half or so, users have been taking away that control. They've been taking it over."
The idea then is for security departments to collaborate with the people who need to be secured -- and also more closely with the creators of the products that need to be secured.
"What if security were not a control organization but a service organization?" Nather says. "And how would that change how we interact with the people that we serve? And also, what would that look like concretely in architecture?"
If organizations can answer that question, they might also find cost savings because, Nather says, control equals cost.
"Everything that you still need to control is gonna cost you because you have to set policies for it. You have to monitor for compliance. You have to manage exceptions. You have to enforce compliance. All of this costs time and people and money," she says. "So if you think about it in terms of control equals cost, what would we decide together with a business that it's not so important for us to control?"
Design for Usability
"What if they could design security to be as easy as a spoon?" Nather says. "We don't need annual spoon awareness training."
Simpler design could create less friction for users and make security less frustrating, easier to achieve, and even desirable.
"Really beautiful design encourages security adoption," Nather says. "As Dug [Song] says, as part of democratizing security, we should be designing for adoption, not engineering to enforce security."
The infosec field tries to force its culture onto everyone else, Nather says, whether or not the rules and norms of the infosec community make sense in other populations. She gives the example of making kindergartners use passwords before they even know their numbers and letters.
However, Nather says, if the infosec community makes security less mysterious and less controlling, it might prevent sad security history from repeating itself again and again.
"Web came along, and we made a lot of mistakes. And then mobile came along, and we saw the same mistakes we made over and over again that we made with Web. Now, with IoT, we're seeing them again and the question is, well, why?" Nather says. "And the answer is because it's a different population developing [these technologies] every time, and they haven't learned from our mistakes -- because these are new people.
"So we have to spread out the security knowledge so that no matter what comes along in the future, anybody can secure it. Not this elite group of people -- wizards in the security industry that have all the knowledge but are not sharing it or not adapting it to how everybody else wants to use it. You know, we have to upend that entire model."
From Helicopter to Free Range
Put all of this together, and a helpful analogy may be this: If the current state of cybersecurity management is akin to "helicopter parenting," then democratized security is more like "free-range" parenting.
And that analogy can actually be taken quite literally.
("Helicopter to Free Range" continued on next page)
"Here's one of the ideas that I think is gonna make everybody clutch their pearls a little bit [during the keynote session]," Nather says. "I'm going to argue that we should be teaching kids not to comply with somebody else's security system, but to make good security decisions on their own from an early age — which means we have to get rid of parental controls. We should be teaching kids to make the right decisions with the devices that they are using."
Nather herself has a parental control-free home. And yet when her teenage daughter decided she needed some help managing her phone usage and security, she made the decision to ask Nather for help activating certain controls.
The more empowered users are to make security decisions, the better decisions they will make, one hopes. This does not, however, mean security pros should throw users alone into shark-infested waters slathered in fish guts, per se. Some standard security guardrails would continue to be necessary, and likely welcomed, in a democratized security environment, Nather says.
"People aren't going to want to care of everything having to do with security, especially the plumbing," Nather says. "They'll say, 'I don't want to care about which level of TLS I'm using. You take care of that part.' What they want to do is they want to make the usage decisions."
Some CISOs might read all of this with eyebrows raised. Collaborating on security may have its benefits, but will anyone want to collaborate on taking blame for a data breach? If something goes wrong, won't the CISO always be the sacrificial lamb?
Nather points out that this is a problem we're already facing, and a collaborative approach might actually help solve it.
"We are already having to negotiate those boundaries of security, responsibility, and accountability," she says. "We just have to make [those boundaries] more explicit." More collaboration might "make it clear that the business is making those [security] decisions with our help," she adds. "But if something goes south, it's on both of us. So I think it's kind of a chicken-and-egg thing. First, the security department needs to be willing to surrender some control."
Monday, Cisco released Cisco SecureX, what the company is calling "the broadest, most integrated cloud-native security platform in the industry." Scheduled for general availability in June, SecureX will be included in every Cisco security product.
Although SecureX is not directly related to democratization, it is part of the 35-year-old company's new endeavor to improve security visibility and tackle security stack complexity -- a more usable design not for the end user necessarily, but for a security manager.
Cisco SecureX unifies visibility across an organization's entire security product portfolio so that all policy violations and detected threats can be shown in one place. It automates common security workflows and also delivers a new "managed threat hunting" capability that draws on the research and intelligence of Cisco Talos.
Companies can sign up to the waitlist for SecureX beta testing now.