The roundtable pulled together by Kevin Poulsen is generating a lot of great opinions on the direction and challenges facing security. Kevin pulled the following assertion from the initial round of discussion, “Security needs to be more broadly compelling and achievable for developers, companies and users”. What follows is my response to that assertion.
A reasonable level of security is within reach of all organizations today. The problem is justifying the effort.
When viewed through an outsider's lens, cybersecurity is a steady stream of hooded hackers stealing data and personal information with little to no accountability. The community response is no better. Hands are waved, the cyber-boogeyman blamed, every attack is an advanced nation-state action.
Unfortunately, that doesn’t line up with the evidence.
We know that most attacks exploit well-known issues or vulnerabilities. We know how to securely build software. We understand how to effectively manage passwords and other credentials.
The reality is that cybersecurity requires an ongoing effort that focuses on people, processes, and products.
The challenge is making that commitment and sticking with it.
Layers of Complexity
The technologies we use every day hide a significant amount of complexity. The very act of reading this story online leverages a mix of technologies from this year, the past decade, and beyond.
This mix of technologies working together represents a number of different efforts, constraints, and perspectives that combine to create a complex whole.
The core layers of the Internet were designed in the 1960s and 1970s. When they were first drafted, security wasn’t a priority. Why would it be? Scarcity alone made the systems secure.
Over the years, we’ve revised these existing protocols and added new technologies in an attempt to secure the foundations of these technologies.
Each time the stack is changed, we try to build security and privacy in as key components. Even then, there are compromises, constraints, and competing interests that can reduce the effectiveness of these efforts.
So while the call for security to be built into the foundations of everything we create makes sense on the surface, it isn’t reasonable.
We are always bolting security on to our technology on some level. We need to accept the fact that we build in layers and that with each layer we build, the complexity increases. That increased complexity creates more risk.
Deciding On Risk
Making an informed decision about the specifics of those risks is extremely difficult.
Accepting a risk isn’t necessarily a bad thing. But that risk must be quantified and evaluated versus the cost of mitigation.
This evaluation is an imperfect process.
We’ve tried for years to quantify risk evaluation in cybersecurity but, ironically, we lack the critical component: mountains of data about hacks, breaches, and the effectiveness of defensive measures.
The only other industry making risk decisions on the same scale as cybersecurity is the insurance industry. It’s taken insurers decades and decades to compile robust data sets that provide enough information to make informed decisions about risk.
We’re in the infancy of this process when it comes to cybersecurity. Until we mature to that point, the cybersecurity risk management process is slightly better than throwing darts at a board.
To move forward, we need to resolve this issue.
We need to set aside our differences and worries about competitive advantage and start to share our threat and defence data. Alex Stamos has more on this in his post, “The Key To Security Is Being Open”.
When we have solid data that helps to quantify the risks that organizations face, we can make better decisions about cybersecurity. Until then, we need to bias our answers towards the worst case scenarios.
Business Drivers
Unfortunately, pushing the worst case scenarios has never worked out well. Just ask the boy who cried wolf.
We are seeing some organizations take cybersecurity seriously at the executive and board level, but most still consider it an impediment to doing business.
And why shouldn’t they?
When you look at the financial performance of companies that have suffered major breaches in the past 5 years, it’s difficult to spot any lasting impacts from those breaches. Sony Pictures Entertainment, Target, Home Depot, Adobe, and CVS have all been victims of major breaches but haven’t seen a lasting impact on their market values.
This is why efforts like the EU’s General Data Protection Regulation, various other legislative efforts, and Michael Coates’ bold proposal, “We Need a Basic Set of User Rights”, are gaining traction.
We need external motivation that forces organizations to put a focus on privacy and security because market forces are not working.
Quality Engineering
On the positive side, we have made strides in the past few years in how well we understand the causes of cyber-insecurity.
We know that quality assurance plays a major role in the security of any technology. Low quality software/hardware leads to insecure software/hardware.
Modern, agile techniques with a focus on code quality, software assurance maturity models, and the security threads in the software development lifecycle (SDLC) are all evidence of a maturing understanding of what it takes to deliver quality, secure code.
The challenge here is to counter the business drivers that demand technology be delivered yesterday. The culture of “ship and patch later” is one of the biggest impediments to a more secure Internet.
Quality is the strongest step we can take towards more secure technology.
Only Human
Even with quality a core focus for technology companies, there will always be security issues. That is why we have additional security controls outside of the core technology.
These controls act as a safety net to help catch mistakes in other layers and unforeseen issues.
Think of a simple anti-malware/anti-virus control. No one will argue that this is a core defence anymore but there is still value.
Developers know to be wary of any input and to properly sanitize it. Even with that approach built in, there is still the potential for a virus to be delivered via an upload. That’s where anti-malware controls come into play.
This is how external controls complement quality technology.
The technology mitigates most of the security issues with a solid, quality build. A security control helps as a safety net for the few remaining issues.
And these controls are improving constantly. Yes, there is a huge amount of hype in the cybersecurity industry, but when you scrape away the bullshit, there are a lot of great teams building high quality controls, both commercially and as community projects.
Higher Demand
While security may take a backseat for some organizations, there is enough focus from government, industry bodies, and individuals that we are making progress.
The brightest spot for security outside of the technical world is that the simple act of users asking about security is forcing change.
The more demand by users for secure and privacy-by-design services, the better.
We cannot allow companies to simply wash their hands of their security responsibilities. They must be held to account.
The Future
To the core question of the future of security: a reasonable level of security is achievable today.
Working against achieving this level of security are the layers of complexity, the lack of information to make informed decisions about risk, and the absence of any real business drivers.
I believe these factors are outweighed by the advances in quality engineering techniques, the availability of additional controls, and the increased demand from users for secure and privacy-by-design enabled services.
The future of security is messy because the technology stack of our world is messy. That doesn’t mean it’s hopeless.
To improve security we need to:
- simplify when possible to avoid layers of complexity
- share threat & defence information to better manage risks
- motivate organizations to focus on security & privacy
- make quality priority #1 for engineering technology
- use external controls as safety nets to complement, not replace, quality designs
- demand better from our technology
It will not be easy but it will be worth the effort.
Join the discussion by visiting me.dm/roundtable or message me on Twitter where I’m @marknca.