Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

2/8/2019
10:30 AM
Grant Wernick
Grant Wernick
Commentary
Connect Directly
LinkedIn
Twitter
RSS
E-Mail vvv
50%
50%

We Need More Transparency in Cybersecurity

Security has become a stand-alone part of the corporate IT organization. That must stop, and transparency is the way forward.

In college, I was assigned to write a paper for a political science class to argue what would be the greatest national threat our upcoming generation would face. I wrote what I believed to be a solidly reasoned and articulate essay positing that cyber terrorism would be the major issue with which the United States would need to grapple.

It was the only time I received a D grade during my college tenure.

The professor, a renowned political science teacher, told me that although the logical structure of the essay was sound and it was overall well written, cyberterrorism was not a threat. Nor would it be in the near future, therefore making the position I took to be based upon a flawed premise and not worthy of serious inquiry. He wanted assessments on weapons of mass destruction, chemical or biological warfare, political instability, and such.

It was an unintended lesson that those of us who had not grown up riding the early waves of the Internet did not fully understand about the looming danger of a world that would become increasingly enveloped by software.

Though this was many years ago, the essential problem still exists today. From the boardroom to the Senate chamber, there is a fundamental and widespread underappreciation of the real-world, global-scale consequences of the technology-powered Pandora's box we've opened in becoming a digital society.

The beginning stages of the Internet were based on the idealism of trust among the digital pioneers that were both mapping and creating the new frontiers of a world where information would be shared openly and freely. This gave rise to a societal revolution where everyone could have equal access to the totality of human knowledge.

Yet, as with nearly every new exploratory venture throughout history, there came those who look to take advantage and exploit vulnerabilities in newly charted territories and societal structures. Then came those who must defend against it.

In the Shadows
Cybersecurity was born in the shadows by three-letter acronym agencies — NSA, CIA, DoD, etc. —  as an effort to combat a new type of villain who could produce massive damage with minimal risk. A new era of battles were fought on the digital theater with an enemy into whose eyes you could not see; instead, you would catch a glimpse of the enemy through the zeros and ones of the virtual world.

For many years, cybersecurity professionals embraced the clandestine nature of their work, living in tribal communities that shunned outsiders. The IT security groups existed in a separation of church and state framework, removed from the business side of the companies they protected. This environment of being "in the know" and harboring threat intel, remaining secretive, following spy-craft methodologies, and keeping the techniques of information security in the shadows influenced the culture of the cybersecurity professional from the early era. 

As a result, security has become a stand-alone part of the corporate IT organization. Teams became self-siloed and disassociated from the larger organizational objectives they are tasked with protecting, keeping the business side of organizations at arm’s length. Without an understanding between the various departments that create a business, and a holistic security strategy, many companies defaulted to rely solely on regulatory checkboxes for the sake of maintaining the compliance status quo versus placing focus on proactive security measures that protect the organization responsibly, mitigate risk, and adapt to an ever-changing world.

Operating a business becomes more complex daily, as organizations move to hybrid clouds and multicloud platforms, distributing information broadly beyond the network perimeter by nontechnical employees that neither have the time nor understanding to consider the security outcomes. At the same time, threats are becoming increasingly sophisticated and organized. While this ought to be a call to action to elevate the role of security to have a seat at the executive table, there still exists a mentality that security is a compliance requirement rather than a need-to-have. And from the security side, there is often the notion that "no one could possibly understand what I do, so why bother telling them about it?"

Nearly every business today is now a technology business. The problem is that we've developed a culture that doesn't recognize the necessity to have open lines of communication and shared responsibility across the organization to make cybersecurity not only a priority but a standardized part of daily operational procedures.

In a world where the click of an email link can jeopardize an entire network, everyone is responsible for maintaining a secure environment.

Transparency and open lines of communication between all sides of the house — security, DevOps, and business units from financing to marketing to HR — will be the only way to successfully move forward to protect against the never-ending evolution of the threat landscape.

The way forward starts with breaking down the communication barriers between data and people. Anyone in an organization should be able to speak directly with their data and ask questions of it without needing the technical expertise to write data queries. And the data should be able to respond in real time, providing live answers. 

Data transparency is the first step. Once this is achieved, it becomes far easier to create cultural transparency among the separate lines of business because there is a shared language across the organization.

Related Content:

 

 

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Grant Wernick is the co-founder & CEO of Insight Engines. Insight Engines is a leader in natural language search technologies. The company builds products to augment human intelligence with machine intelligence via their patented NLP and ML technology. Insight Engine's ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Why Cyber-Risk Is a C-Suite Issue
Marc Wilczek, Digital Strategist & CIO Advisor,  11/12/2019
DevSecOps: The Answer to the Cloud Security Skills Gap
Lamont Orange, Chief Information Security Officer at Netskope,  11/15/2019
Attackers' Costs Increasing as Businesses Focus on Security
Robert Lemos, Contributing Writer,  11/15/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-19071
PUBLISHED: 2019-11-18
A memory leak in the rsi_send_beacon() function in drivers/net/wireless/rsi/rsi_91x_mgmt.c in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering rsi_prepare_beacon() failures, aka CID-d563131ef23c.
CVE-2019-19072
PUBLISHED: 2019-11-18
A memory leak in the predicate_parse() function in kernel/trace/trace_events_filter.c in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption), aka CID-96c5c6e6a5b6.
CVE-2019-19073
PUBLISHED: 2019-11-18
Memory leaks in drivers/net/wireless/ath/ath9k/htc_hst.c in the Linux kernel through 5.3.11 allow attackers to cause a denial of service (memory consumption) by triggering wait_for_completion_timeout() failures. This affects the htc_config_pipe_credits() function, the htc_setup_complete() function, ...
CVE-2019-19074
PUBLISHED: 2019-11-18
A memory leak in the ath9k_wmi_cmd() function in drivers/net/wireless/ath/ath9k/wmi.c in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption), aka CID-728c1e2a05e4.
CVE-2019-19075
PUBLISHED: 2019-11-18
A memory leak in the ca8210_probe() function in drivers/net/ieee802154/ca8210.c in the Linux kernel before 5.3.8 allows attackers to cause a denial of service (memory consumption) by triggering ca8210_get_platform_data() failures, aka CID-6402939ec86e.