In college, I was assigned to write a paper for a political science class to argue what would be the greatest national threat our upcoming generation would face. I wrote what I believed to be a solidly reasoned and articulate essay positing that cyber terrorism would be the major issue with which the United States would need to grapple.
It was the only time I received a D grade during my college tenure.
The professor, a renowned political science teacher, told me that although the logical structure of the essay was sound and it was overall well written, cyberterrorism was not a threat. Nor would it be in the near future, therefore making the position I took to be based upon a flawed premise and not worthy of serious inquiry. He wanted assessments on weapons of mass destruction, chemical or biological warfare, political instability, and such.
It was an unintended lesson that those of us who had not grown up riding the early waves of the Internet did not fully understand about the looming danger of a world that would become increasingly enveloped by software.
Though this was many years ago, the essential problem still exists today. From the boardroom to the Senate chamber, there is a fundamental and widespread underappreciation of the real-world, global-scale consequences of the technology-powered Pandora's box we've opened in becoming a digital society.
The beginning stages of the Internet were based on the idealism of trust among the digital pioneers that were both mapping and creating the new frontiers of a world where information would be shared openly and freely. This gave rise to a societal revolution where everyone could have equal access to the totality of human knowledge.
Yet, as with nearly every new exploratory venture throughout history, there came those who look to take advantage and exploit vulnerabilities in newly charted territories and societal structures. Then came those who must defend against it.
In the Shadows
Cybersecurity was born in the shadows by three-letter acronym agencies — NSA, CIA, DoD, etc. — as an effort to combat a new type of villain who could produce massive damage with minimal risk. A new era of battles were fought on the digital theater with an enemy into whose eyes you could not see; instead, you would catch a glimpse of the enemy through the zeros and ones of the virtual world.
For many years, cybersecurity professionals embraced the clandestine nature of their work, living in tribal communities that shunned outsiders. The IT security groups existed in a separation of church and state framework, removed from the business side of the companies they protected. This environment of being "in the know" and harboring threat intel, remaining secretive, following spy-craft methodologies, and keeping the techniques of information security in the shadows influenced the culture of the cybersecurity professional from the early era.
As a result, security has become a stand-alone part of the corporate IT organization. Teams became self-siloed and disassociated from the larger organizational objectives they are tasked with protecting, keeping the business side of organizations at arm’s length. Without an understanding between the various departments that create a business, and a holistic security strategy, many companies defaulted to rely solely on regulatory checkboxes for the sake of maintaining the compliance status quo versus placing focus on proactive security measures that protect the organization responsibly, mitigate risk, and adapt to an ever-changing world.
Operating a business becomes more complex daily, as organizations move to hybrid clouds and multicloud platforms, distributing information broadly beyond the network perimeter by nontechnical employees that neither have the time nor understanding to consider the security outcomes. At the same time, threats are becoming increasingly sophisticated and organized. While this ought to be a call to action to elevate the role of security to have a seat at the executive table, there still exists a mentality that security is a compliance requirement rather than a need-to-have. And from the security side, there is often the notion that "no one could possibly understand what I do, so why bother telling them about it?"
Nearly every business today is now a technology business. The problem is that we've developed a culture that doesn't recognize the necessity to have open lines of communication and shared responsibility across the organization to make cybersecurity not only a priority but a standardized part of daily operational procedures.
In a world where the click of an email link can jeopardize an entire network, everyone is responsible for maintaining a secure environment.
Transparency and open lines of communication between all sides of the house — security, DevOps, and business units from financing to marketing to HR — will be the only way to successfully move forward to protect against the never-ending evolution of the threat landscape.
The way forward starts with breaking down the communication barriers between data and people. Anyone in an organization should be able to speak directly with their data and ask questions of it without needing the technical expertise to write data queries. And the data should be able to respond in real time, providing live answers.
Data transparency is the first step. Once this is achieved, it becomes far easier to create cultural transparency among the separate lines of business because there is a shared language across the organization.
- 7 Privacy Mistakes That Keep Security Pros on Their Toes
- A New Model for 'Mathematically Provable Security' (video)
- How the US Chooses Which Zero-Day Vulnerabilities to Stockpile
Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.