Boards and corporate executives are committed to bolstering cyber defenses. Yet these desires – and even increased budgets – won’t help them fend off attackers unless they move beyond the doom-and-gloom mentality that is rampant across the security industry. While showing companies how simple cyberattacks can be is a powerful “ah-ha” moment for many, some vendors take it too far, extending that fear broadly as a marketing tool. Unfortunately, scaring people into buying products has done little to make the world more secure.
We as an industry need to do more to position CISOs, CSOs, CPOs and their senior staff to win the cyber battles by empowering them to rethink budgets, eliminate bureaucracy and work to change corporate cultures and behaviors. They need acumen in business and a deep understanding of technology along with more specialized expertise in risk, security, and controls. Those that excel in these practice areas will be seen as heroes and heroines in their organization.
We need to openly discuss what it takes to be a heroic security professional, exploring how to succeed in navigating these challenges. We need leaders to demonstrate character and integrity in taking a stand on tough issues with no air cover. They will often be required to make difficult, independent decisions and take responsibility for outcomes. As General George Marshall once said, “It is not enough to fight. It is the spirit which we bring to the fight that decides the issue.”
Heroes and heroines can’t win battles alone, so they must learn how to communicate, coordinate and convince others to take action. They also need to try new approaches, driving teams to approach risk much like firefighters would assess a blaze – looking to protect their organization’s people and property by running towards the risk, not away.
Over the years I have witnessed many in the security community demonstrate heroic qualities. Peers have shared sensitive details about intrusions at their organizations so that others could protect themselves. Others have chosen to embrace cloud, mobility and social computing, accepting accountability for dealing with new risks to avoid constraining innovation and productivity at their businesses. And there are those who take the often lonely path of challenging the business to do better to protect customer privacy. I admire those people because they are courageous and do not act out of fear. They act out of purpose to protect in order to enable people, data, and business.
I’ve been seeking to better understand information and technology risks for some 14 years, approaching the task with a sense of curiosity and hope. Two critical events in 2001 propelled me to study these risks: The September 11 attacks and industry’s response to the Code Red and Nimda worms.
The 9/11 attacks affected the lives of every American and had a major impact on the economy, foreign policy, and even today’s global discussion on terrorism and civil liberties.
Code Red was a computer worm observed on the Internet on July 15, 2001, attacking computers running Microsoft's IIS web server. It was discovered and first researched by Marc Maiffret and Ryan Permeh working for eEye Digital Security at the time. Ryan Permeh went on to McAfee, where he served as chief scientist following its acquisition by Intel. In 2012 Ryan co-founded Cylance with Stuart McClure, where I started this week. Nimda was another worm that spread so quickly it surpassed the economic damage caused by all previous malware at that time.
Over the past 13 years I learned that we need more heroes and heroines among security professionals if we want to do more than simply defend ourselves. I also learned that we need security solutions that are equally heroic. Such products must meet three criteria:
- They need to create a demonstrable and sustainable bend in the risk curve. Few products meet this criterion (particularly products that are hyped with doom and gloom). In some cases they simply don’t work as promised; in other cases customers have trouble implementing them to deliver the full efficacy of control. To create this bend in the risk curve, we will need to first and foremost focus on prevention.
- Heroic solutions must lower total cost of controls. Security professionals always say they need to spend more and more on new security controls. Some of this is appropriate due to costs of managing and mitigating risk across the growing proliferation of technology. Yet some of these purchases are a waste, pushing up costs due to the need to add compensating controls to mitigate the poor performance of other existing security solutions.
- And finally, heroic security solutions improve user experience. How many security solutions exist today that improve the user experience? Very few. Most degrade performance or get in your way while you are trying to execute a business process or simply get online. These obstacles most often drive users to go around the controls meant to protect them, the data and the business.
As professionals, we must strive to be heroes and heroines, accept responsibility to implement change and be accountable for results. As vendors we need to produce heroic products that lower risk, cut costs and improve user experience.