
Vulnerabilities / Threats

6/3/2015 10:30 AM
Malcolm Harkins
Commentary

Help Wanted: Security Heroes & Heroines Only Need Apply

If we want to do more than simply defend ourselves, we need security champions and equally heroic security solutions.

Boards and corporate executives are committed to bolstering cyber defenses. Yet these desires – and even increased budgets – won’t help them fend off attackers unless they move beyond the doom-and-gloom mentality that is rampant across the security industry. While showing companies how simple cyberattacks can be is a powerful “ah-ha” moment for many, some vendors take it too far, extending that fear broadly as a marketing tool. Unfortunately, scaring people into buying products has done little to make the world more secure.

We as an industry need to do more to position CISOs, CSOs, CPOs and their senior staff to win the cyber battles by empowering them to rethink budgets, eliminate bureaucracy and work to change corporate cultures and behaviors. They need acumen in business and a deep understanding of technology, along with more specialized expertise in risk, security, and controls. Those who excel in these practice areas will be seen as heroes and heroines in their organizations.

We need to openly discuss what it takes to be a heroic security professional, exploring how to succeed in navigating these challenges. We need leaders to demonstrate character and integrity in taking a stand on tough issues with no air cover. They will often be required to make difficult, independent decisions and take responsibility for outcomes. As General George Marshall once said, “It is not enough to fight. It is the spirit which we bring to the fight that decides the issue.” 

Heroes and heroines can’t win battles alone, so they must learn how to communicate, coordinate and convince others to take action. They also need to try new approaches, driving teams to approach risk much like firefighters would assess a blaze – looking to protect their organization’s people and property by running towards the risk, not away.

By ABC Television (eBay item photo front photo back) [Public domain] via Wikimedia Commons.

Over the years I have witnessed many in the security community demonstrate heroic qualities. Peers have shared sensitive details about intrusions at their organizations so that others could protect themselves. Others have chosen to embrace cloud, mobility and social computing, accepting accountability for dealing with new risks to avoid constraining innovation and productivity at their businesses. And there are those who take the often lonely path of challenging the business to do better to protect customer privacy. I admire those people because they are courageous and do not act out of fear. They act out of purpose to protect in order to enable people, data, and business.

My journey
I’ve been seeking to better understand information and technology risks for some 14 years, approaching the task with a sense of curiosity and hope. Two critical events in 2001 propelled me to study these risks: The September 11 attacks and industry’s response to the Code Red and Nimda worms.

The 9/11 attacks affected the lives of every American and had a major impact on the economy, foreign policy, and even today’s global discussion on terrorism and civil liberties.

Code Red was a computer worm first observed on the Internet on July 15, 2001. It attacked computers running Microsoft's IIS web server by exploiting a buffer overflow in the Index Server ISAPI extension, and it was discovered and first researched by Marc Maiffret and Ryan Permeh, then working for eEye Digital Security. Ryan Permeh went on to McAfee, where he served as chief scientist following its acquisition by Intel. In 2012 Ryan co-founded Cylance with Stuart McClure, where I started this week. Nimda, which appeared that September, was another worm that spread so quickly that its economic damage surpassed that of all previous malware at the time.

Over the past 14 years I learned that we need more heroes and heroines among security professionals if we want to do more than simply defend ourselves. I also learned that we need security solutions that are equally heroic. Such products must meet three criteria:

  1. They need to create a demonstrable and sustainable bend in the risk curve. Few products meet this criterion (particularly products that are hyped with doom and gloom). In some cases they simply don’t work as promised; in other cases customers have trouble implementing them well enough to get the full efficacy of the control. To create this bend in the risk curve, we will need to focus first and foremost on prevention.
  2. Heroic solutions must lower the total cost of controls. Security professionals always say they need to spend more and more on new security controls. Some of this is appropriate, given the cost of managing and mitigating risk across the growing proliferation of technology. Yet some of these purchases are a waste, pushing up costs because compensating controls have to be added to mitigate the poor performance of existing security solutions.
  3. And finally, heroic security solutions improve the user experience. How many security solutions exist today that improve the user experience? Very few. Most degrade performance or get in your way while you are trying to execute a business process or simply get online. That friction is what most often drives users to go around the controls meant to protect them, the data and the business.

As professionals, we must strive to be heroes and heroines, accept responsibility to implement change and be accountable for results. As vendors we need to produce heroic products that lower risk, cut costs and improve user experience. 

Malcolm Harkins is the chief security and trust officer for Cymatic. He is responsible for enabling business growth through trusted infrastructure, systems, and business processes, including all aspects of information risk and security, as well as security and privacy policy. ... View Full Bio
Comments
mwxfrd958, User Rank: Apprentice
6/4/2015 | 12:06:36 PM
Malcolm Moves
Great post Malcolm and it shows why you are a leader in our community.