What happened to trust and transparency in cybersecurity?
Today, we need proactive security measures that protect the organization responsibly, mitigate risk, and adapt to an ever-changing world. This can only be truly achieved with transparency across the organization.
I’ve given presentations before where I’ve asked a room full of people to raise their hand if they are in charge of cybersecurity. I’ll get a few raised hands from IT and Ops. Then I make the point that everyone’s hand should be raised because today everyone plays a role in keeping their organization secure. Employees need to understand risk so they can make more informed decisions every time they go online, and the consequences that being careless can carry.
IT and the business side need to work towards open lines of communication and shared responsibility across the organization to make cybersecurity not only a priority but a standardized part of daily operational procedures.
The marketing team has access to intellectual property. HR has access to sensitive personal data. Finance has access to the company’s monetary health and funding longevity.
The security team needs to move beyond the mindset of they protect everyone and incorporate ways to empower people to protect themselves.
How did we get to be so closed off anyway?
It’s often said that the internet was built on trust. When the basis of the internet, ARPANET, was being developed, the basic idea was that the person on the other end would be a verified party, as it was designed to connect academic institutions over a single network. There wasn’t much thought given to building in security.
Fast forward 30 years and everyone (and everything; smart toaster anyone?) are using the internet for a myriad of services across the globe. Internet users globally are estimated to be over 4.2 billion people, a bit over half of the world’s population. And unfortunately, not all of those people can be trusted. So if the internet was built on trust, it is definitely not maintained on trust today.
People are increasingly distrustful of the internet, which is no surprise given the daily announcements of new data breaches, and especially high-profile mega breaches from household names such as Uber, Equifax, Marriott, and Yahoo. And those are just the one we hear about. The lack of transparency and attempted coverups many companies choose to pursue after a breach or leak further fuels doubt that this issue of cybersecurity is being taken seriously.
The loss of consumer trust, plus increasingly aggressive regulators setting record fines for data breaches is starting to get the boardroom to take data security and data incident response seriously. There still remains the traditional organizational structure that focuses on checking off the compliance list of industry-regulated marks but this falls short to combat the ever-evolving nature of cybersecurity.
To restore trust and transparency, organizations must first operate from a place of trust and transparency within themselves.
Living in the shadows
As recently as ten years ago, cybersecurity wasn’t an often-used term. Corporations focused on information security – the preservation of confidentiality, integrity, and availability of information – as an operation under the IT department. You had a group of people with technical knowledge that only communicated with others outside of their tribe when they had to. There was no interaction or collaboration with the business side unless there was a problem that needed fixing. Remaining compliant was the main objective.
On the government side, three-letter intelligence agencies were well on the way to developing secretive tools, security concepts, risk management approaches and technologies for cybersecurity to deal with cyber-warfare, information warfare, critical infrastructure protection and other threats and vulnerabilities from cyberspace.
The gatekeepers of technical knowledge from information security and the clandestine nature of cybersecurity eventually came together to form the current culture we have today in the security industry. For many years they embraced the secretive nature of their work and this is shown in how security has become a stand-alone part of the corporate IT organization, and even more so removed from the business side of the operation.
An increasingly complex world
In the early to mid-2000s software really started to envelop the world, or in the words of Marc Andreessen, software began eating the world. There was an explosion of data as online companies emerged faster and faster and traditional companies started building out their new digital identities. With the move that everyone was becoming an IT company in some way came a big uptick in cybercrime.
The barrier to entry to become a cybercriminal had become lower and lower as hacking toolkits and exploits were being sold on the dark web, giving people with limited technical prowess the ability to pull of cybercrime activities. The rules of engagement between nation-states running cyberwarfare ops on each other blended into the private sector as evidenced by the North Korean hack against Sony Pictures in 2014. Suddenly, everyone and everything was fair game.
Then, in 2016 corporate and government mandates started pushing the move towards the cloud. The day to day of securing an organization became increasingly complex as organizations move to hybrid clouds and multi-cloud platforms, distributing information broadly beyond the network perimeter by non-technical employees that neither have the time nor understanding to consider the security outcomes.This is the world we are in today.
Now, ticking off regulatory checkboxes and settling for the status quo of achieving compliance no longer solves the issue of non-stop, ever-evolving threats from every attack angle imaginable. A siloed approach to security is no longer tenable.
Opportunities for trust and transparency
Security and DevOps need to work closely together to develop processes where security is involved from the start so products and applications aren’t being shipped with glaring vulnerabilities.
The first step is implementing a cybersecurity strategy that includes all stakeholders across the organization. From IT, security, and DevOps to all business units including financing to marketing to HR is necessary for creating the type of transparency needed to protect organizations going forward as attacks continue to evolve.
Then IT needs to work hand-in-hand with business unit owners to run regular workshops to educate the the importnace of security across the organization.
Third, the board needs to be able to ask business risk related questions that get answers quickly from the security organization. They need to share a common language to have discussions of risk that affect the wellbeing of the enterprise.
Fourth, security needs to start focusing on a hybrid world that isn’t just about protecting the perimeter. We need to have open discussions about identity, endpoint and application security. The perimeter can no longer be the focus, and the responsibility for that should be secured by the cloud vendors.
And the fifth point is that the thought of security needs be removed from the realm of secrecy. Security is now a standard part of operating an organization and needs to be discussed openly as it is a critical success factor of ever operation.
In this new world of ever-evolving threats, the only way to get ahead is to get transparent. Openness, not secrecy, is the only way to move forward.