What key challenges will the cybersecurity industry be dealing with in the next five years?
Pete Herzog, Managing Director at ISECOM, is so sure that artificial intelligence could be the biggest security problem to solve and the biggest answer to the privacy problem that he cofounded a company, Urvin.ai, with an eclectic group of coders and scientists to explore this.
AI (and machine learning with it) is like a naive child that trusts what you tell it, and is therefore susceptible to fraud, abuse, and tricks, he says. However, it is also like that stubborn, no-bullshit friend who is always going to tell it to you straight.
“From a privacy perspective, AI that controls your personal identity data and medical records will be sure to only give that information to who you tell it to. It has no interest in gossiping with its neighbors about you, and has no greed, vanity, or confirmation bias. We should harness that for protecting our identities and improve how we share it,” he told Help Net Security.
“From a security perspective it has a lot to learn about trust. Or rather, we have a lot to learn on how to program it to trust. It’s the newest, shiniest version of garbage in / garbage out if we don’t learn from our mistakes. At ISECOM we are spending a lot of effort on how we can make security tests for AI and learning how it fits into the OSSTMM framework as a new channel alongside Data Networks, Wireless, Physical, Human, Telecommunications, and Applications.”
Setting up ISECOM
Herzog and his wife Marta Barceló founded the Institute for Security and Open Methodologies in 2001.
ISECOM is a non-profit, open source research organization that maintains the Open Source Security Testing Methodology Manual (OSSTMM), Hacker Highschool (a cybersecurity curriculum for teens in high school) and a security certification authority, all the while operating as a specialty security boutique for securing iconic places that can’t be secured with traditional security products.
Before that they were cybersecurity consultants, so the switch to business owners was a drastic one.
“We jumped full in, no money, and had to find customers from day one. And let me tell you, keeping the connoisseurs of FOSS as happy as the veterans of military-grade security is a balancing act that nobody will get right all of the time,” he said of the challenges they faced.
“With age I learned perspective and humility. And between that and carefully picking my fights I probably protected both the brand and my sanity in the long run.”
In the last decade or so, Herzog has also worked in parallel as a security analyst, writer, advisor, or CISO with several well-known and lesser-known security companies.
Cybersecurity industry problems
With all these experiences to draw on, we wondered what his opinion is on the cybersecurity industry as a whole.
He believes one of the problems is the extreme fragmentation of what makes security.
“This fragmentation of specific skills and specific technology creates a differentiation and demand for niche products that focus on one, specific thing. Yet you’re supposed to implement it all, which entails hiring all the people and buying all the products to do it all. Consultants, trainers, universities, and government organizations then follow the crowd on the ‘more is better’ security and this fractures the market more and more until it seems you can’t be secure unless you have the blue spiral thing to stop the blue spiral packets,” he explained.
“Basic security analysis has you making decisions on at least 16 different things for each connection allowed, and a typical organization has thousands of connections to the outside and hundreds of thousands inside. Add web and mobile apps to the mix and you push the number up exponentially. Therefore, even the basic stuff is complicated and to do it thoroughly is exhausting – which is why we buy products to help. But if they fracture the products into thousands of little pieces of technology and operations all with special names we need to continuously re-learn then we’re back to it being as bad as not having the products at all. And that’s what’s wrong with the cybersecurity industry at the moment: we really are confusing the hell out of people as to what they actually need to have and do to be secure. It’s so bad that you can’t buy a penetration test today and know what you’ll get. Imagine buying an oil change like that! It’s ridiculous, confusing, and hurts everyone.”
He doesn’t assign any blame to cybersecurity salespeople, though.
“They see the pain their customers go through and how badly they need security. From their perspective it’s like they see the breach already happening, just really slowly – and they don’t want to have to see another breach. Additionally, everyone working in cybersecurity knows that each breach gives more resources to an enemy and eventually it’s overwhelming for everyone, even the salespeople,” he noted.
He says that the cybersecurity industry has room for more innovation, but that the real problem is not a general lack of it; rather, attackers have at their disposal such a huge number of attack combinations that a product-based defense today is not enough. Cyber hygiene can only somewhat reduce the number of available attack types, but not enough to help the overburdened security staff secure everything.
Finally, he believes that people should not be a link in the security chain.
“People are our assets, not our security. The truth is that there is nothing that can’t be made more secure by removing the person from the process, so plan for them not being a link in your security chain and you’ll be more secure,” he concluded.