Dark Reading is part of the Informa Tech Division of Informa PLC

Malcolm Harkins

Help Wanted: Security Heroes & Heroines Only Need Apply

If we want to do more than simply defend ourselves, we need security champions and equally heroic security solutions.

Boards and corporate executives are committed to bolstering cyber defenses. Yet these desires – and even increased budgets – won’t help them fend off attackers unless they move beyond the doom-and-gloom mentality that is rampant across the security industry. While showing companies how simple cyberattacks can be is a powerful “ah-ha” moment for many, some vendors take it too far, extending that fear broadly as a marketing tool. Unfortunately, scaring people into buying products has done little to make the world more secure.

We as an industry need to do more to position CISOs, CSOs, CPOs and their senior staff to win the cyber battles by empowering them to rethink budgets, eliminate bureaucracy and work to change corporate cultures and behaviors. They need acumen in business and a deep understanding of technology, along with more specialized expertise in risk, security, and controls. Those who excel in these practice areas will be seen as heroes and heroines in their organizations.

We need to openly discuss what it takes to be a heroic security professional, exploring how to succeed in navigating these challenges. We need leaders to demonstrate character and integrity in taking a stand on tough issues with no air cover. They will often be required to make difficult, independent decisions and take responsibility for outcomes. As General George Marshall once said, “It is not enough to fight. It is the spirit which we bring to the fight that decides the issue.” 

Heroes and heroines can’t win battles alone, so they must learn how to communicate, coordinate and convince others to take action. They also need to try new approaches, driving teams to approach risk much like firefighters would assess a blaze – looking to protect their organization’s people and property by running towards the risk, not away.

By ABC Television (eBay item photo front photo back) [Public domain] via Wikimedia Commons.

Over the years I have witnessed many in the security community demonstrate heroic qualities. Peers have shared sensitive details about intrusions at their organizations so that others could protect themselves. Others have chosen to embrace cloud, mobility and social computing, accepting accountability for dealing with new risks to avoid constraining innovation and productivity at their businesses. And there are those who take the often lonely path of challenging the business to do better to protect customer privacy. I admire those people because they are courageous and do not act out of fear. They act out of purpose to protect in order to enable people, data, and business.

My journey
I’ve been seeking to better understand information and technology risks for some 14 years, approaching the task with a sense of curiosity and hope. Two critical events in 2001 propelled me to study these risks: the September 11 attacks and the industry’s response to the Code Red and Nimda worms.

The 9/11 attacks affected the lives of every American and had a major impact on the economy, foreign policy, and even today’s global discussion on terrorism and civil liberties.

Code Red was a computer worm observed on the Internet on July 15, 2001, attacking computers running Microsoft's IIS web server. It was discovered and first researched by Marc Maiffret and Ryan Permeh working for eEye Digital Security at the time. Ryan Permeh went on to McAfee, where he served as chief scientist following its acquisition by Intel. In 2012 Ryan co-founded Cylance with Stuart McClure, where I started this week. Nimda was another worm that spread so quickly it surpassed the economic damage caused by all previous malware at that time.

Over the past 13 years I learned that we need more heroes and heroines among security professionals if we want to do more than simply defend ourselves. I also learned that we need security solutions that are equally heroic. Such products must meet three criteria:

  1. They need to create a demonstrable and sustainable bend in the risk curve. Few products meet this criterion (particularly products that are hyped with doom and gloom). In some cases they simply don’t work as promised; in other cases customers have trouble implementing them to deliver the full efficacy of control. To create this bend in the risk curve, we will need to first and foremost focus on prevention.
  2. Heroic solutions must lower the total cost of controls. Security professionals always say they need to spend more and more on new security controls. Some of this is appropriate due to the costs of managing and mitigating risk across the growing proliferation of technology. Yet some of these purchases are a waste, pushing up costs due to the need to add compensating controls to mitigate the poor performance of other existing security solutions.
  3. And finally, heroic security solutions improve the user experience. How many security solutions exist today that improve the user experience? Very few. Most degrade performance or get in your way while you are trying to execute a business process or simply get online. These elements most often drive users to go around the controls meant to protect them, the data and the business.

As professionals, we must strive to be heroes and heroines, accept responsibility to implement change and be accountable for results. As vendors we need to produce heroic products that lower risk, cut costs and improve user experience.

Malcolm Harkins is the chief security and trust officer for Cymatic. He is responsible for enabling business growth through trusted infrastructure, systems, and business processes, including all aspects of information risk and security, as well as security and privacy policy. ...

User Rank: Apprentice
6/4/2015 | 12:06:36 PM
Malcolm Moves
Great post Malcolm and it shows why you are a leader in our community.