Dark Reading is part of the Informa Tech Division of Informa PLC


Vulnerabilities / Threats

6/3/2015 10:30 AM
Malcolm Harkins
Commentary

Help Wanted: Security Heroes & Heroines Only Need Apply

If we want to do more than simply defend ourselves, we need security champions and equally heroic security solutions.

Boards and corporate executives are committed to bolstering cyber defenses. Yet these desires – and even increased budgets – won’t help them fend off attackers unless they move beyond the doom-and-gloom mentality that is rampant across the security industry. While showing companies how simple cyberattacks can be is a powerful “ah-ha” moment for many, some vendors take it too far, extending that fear broadly as a marketing tool. Unfortunately, scaring people into buying products has done little to make the world more secure.

We as an industry need to do more to position CISOs, CSOs, CPOs and their senior staff to win the cyber battles by empowering them to rethink budgets, eliminate bureaucracy and work to change corporate cultures and behaviors. They need acumen in business and a deep understanding of technology along with more specialized expertise in risk, security, and controls. Those that excel in these practice areas will be seen as heroes and heroines in their organization.

We need to openly discuss what it takes to be a heroic security professional, exploring how to succeed in navigating these challenges. We need leaders to demonstrate character and integrity in taking a stand on tough issues with no air cover. They will often be required to make difficult, independent decisions and take responsibility for outcomes. As General George Marshall once said, “It is not enough to fight. It is the spirit which we bring to the fight that decides the issue.” 

Heroes and heroines can’t win battles alone, so they must learn how to communicate, coordinate and convince others to take action. They also need to try new approaches, driving teams to approach risk much like firefighters would assess a blaze – looking to protect their organization’s people and property by running towards the risk, not away.

By ABC Television (eBay item photo front photo back) [Public domain] via Wikimedia Commons.

Over the years I have witnessed many in the security community demonstrate heroic qualities. Peers have shared sensitive details about intrusions at their organizations so that others could protect themselves. Others have chosen to embrace cloud, mobility and social computing, accepting accountability for dealing with new risks to avoid constraining innovation and productivity at their businesses. And there are those who take the often lonely path of challenging the business to do better to protect customer privacy. I admire those people because they are courageous and do not act out of fear. They act out of purpose to protect in order to enable people, data, and business.

My journey
I’ve been seeking to better understand information and technology risks for some 14 years, approaching the task with a sense of curiosity and hope. Two critical events in 2001 propelled me to study these risks: The September 11 attacks and industry’s response to the Code Red and Nimda worms.

The 9/11 attacks affected the lives of every American and had a major impact on the economy, foreign policy, and even today’s global discussion on terrorism and civil liberties.

Code Red was a computer worm observed on the Internet on July 15, 2001, attacking computers running Microsoft's IIS web server. It was discovered and first researched by Marc Maiffret and Ryan Permeh working for eEye Digital Security at the time. Ryan Permeh went on to McAfee, where he served as chief scientist following its acquisition by Intel. In 2012 Ryan co-founded Cylance with Stuart McClure, where I started this week. Nimda was another worm that spread so quickly it surpassed the economic damage caused by all previous malware at that time.

Over the past 13 years I learned that we need more heroes and heroines among security professionals if we want to do more than simply defend ourselves. I also learned that we need security solutions that are equally heroic. Such products must meet three criteria:

  1. They need to create a demonstrable and sustainable bend in the risk curve. Few products meet this criterion (particularly products that are hyped with doom and gloom). In some cases they simply don’t work as promised; in other cases customers have trouble implementing them to deliver the full efficacy of control. To create this bend in the risk curve, we will need to first and foremost focus on prevention.
  2. Heroic solutions must lower the total cost of controls. Security professionals always say they need to spend more and more on new security controls. Some of this is appropriate due to the costs of managing and mitigating risk across the growing proliferation of technology. Yet some of these purchases are a waste, pushing up costs due to the need to add compensating controls to mitigate the poor performance of other existing security solutions.
  3. And finally, heroic security solutions improve the user experience. How many security solutions exist today that improve the user experience? Very few. Most degrade performance or get in your way while you are trying to execute a business process or simply get online. These elements most often drive users to go around the controls meant to protect them, the data and the business.

As professionals, we must strive to be heroes and heroines, accept responsibility to implement change and be accountable for results. As vendors we need to produce heroic products that lower risk, cut costs and improve user experience. 

Malcolm Harkins is the global Chief Information Security Officer (CISO) at Cylance Inc. He is responsible for all aspects of the company's information risk and security, public policy and for outreach to help improve understanding of cyber risks and best practices for ...
Comments
mwxfrd958, User Rank: Apprentice, 6/4/2015 | 12:06:36 PM
Malcolm Moves
Great post, Malcolm, and it shows why you are a leader in our community.