Vulnerabilities / Threats

6/3/2015 10:30 AM
Malcolm Harkins
Commentary

Help Wanted: Security Heroes & Heroines Only Need Apply

If we want to do more than simply defend ourselves, we need security champions and equally heroic security solutions.

Boards and corporate executives are committed to bolstering cyber defenses. Yet these desires – and even increased budgets – won’t help them fend off attackers unless they move beyond the doom-and-gloom mentality that is rampant across the security industry. While showing companies how simple cyberattacks can be is a powerful “ah-ha” moment for many, some vendors take it too far, extending that fear broadly as a marketing tool. Unfortunately, scaring people into buying products has done little to make the world more secure.

We as an industry need to do more to position CISOs, CSOs, CPOs and their senior staff to win the cyber battles by empowering them to rethink budgets, eliminate bureaucracy and work to change corporate cultures and behaviors. They need acumen in business and a deep understanding of technology, along with more specialized expertise in risk, security, and controls. Those who excel in these practice areas will be seen as heroes and heroines in their organization.

We need to openly discuss what it takes to be a heroic security professional, exploring how to succeed in navigating these challenges. We need leaders to demonstrate character and integrity in taking a stand on tough issues with no air cover. They will often be required to make difficult, independent decisions and take responsibility for outcomes. As General George Marshall once said, “It is not enough to fight. It is the spirit which we bring to the fight that decides the issue.” 

Heroes and heroines can’t win battles alone, so they must learn how to communicate, coordinate and convince others to take action. They also need to try new approaches, driving teams to approach risk much like firefighters would assess a blaze – looking to protect their organization’s people and property by running towards the risk, not away.

Over the years I have witnessed many in the security community demonstrate heroic qualities. Peers have shared sensitive details about intrusions at their organizations so that others could protect themselves. Others have chosen to embrace cloud, mobility and social computing, accepting accountability for dealing with new risks to avoid constraining innovation and productivity at their businesses. And there are those who take the often lonely path of challenging the business to do better to protect customer privacy. I admire those people because they are courageous and do not act out of fear. They act out of purpose to protect in order to enable people, data, and business.

My journey
I’ve been seeking to better understand information and technology risks for some 14 years, approaching the task with a sense of curiosity and hope. Two critical events in 2001 propelled me to study these risks: the September 11 attacks and the industry’s response to the Code Red and Nimda worms.

The 9/11 attacks affected the lives of every American and had a major impact on the economy, foreign policy, and even today’s global discussion on terrorism and civil liberties.

Code Red was a computer worm observed on the Internet on July 15, 2001, attacking computers running Microsoft's IIS web server. It was discovered and first researched by Marc Maiffret and Ryan Permeh working for eEye Digital Security at the time. Ryan Permeh went on to McAfee, where he served as chief scientist following its acquisition by Intel. In 2012 Ryan co-founded Cylance with Stuart McClure, where I started this week. Nimda was another worm that spread so quickly it surpassed the economic damage caused by all previous malware at that time.

Over the past 13 years I learned that we need more heroes and heroines among security professionals if we want to do more than simply defend ourselves. I also learned that we need security solutions that are equally heroic. Such products must meet three criteria:

  1. They need to create a demonstrable and sustainable bend in the risk curve. Few products meet this criterion (particularly products that are hyped with doom and gloom). In some cases they simply don’t work as promised; in other cases customers have trouble implementing them to deliver the full efficacy of control. To create this bend in the risk curve, we will need to focus first and foremost on prevention.
  2. Heroic solutions must lower the total cost of controls. Security professionals always say they need to spend more and more on new security controls. Some of this is appropriate due to the costs of managing and mitigating risk across the growing proliferation of technology. Yet some of these purchases are a waste, pushing up costs because compensating controls must be added to mitigate the poor performance of other existing security solutions.
  3. And finally, heroic security solutions improve the user experience. How many security solutions exist today that improve the user experience? Very few. Most degrade performance or get in your way while you are trying to execute a business process or simply get online. These elements most often drive users to go around the controls meant to protect them, the data and the business.

As professionals, we must strive to be heroes and heroines, accept responsibility to implement change and be accountable for results. As vendors we need to produce heroic products that lower risk, cut costs and improve user experience. 

Malcolm Harkins is the chief security and trust officer for Cymatic. He is responsible for enabling business growth through trusted infrastructure, systems, and business processes, including all aspects of information risk and security, as well as security and privacy policy. ...

Comments
mwxfrd958, User Rank: Apprentice
6/4/2015 | 12:06:36 PM
Malcolm Moves
Great post Malcolm and it shows why you are a leader in our community.