I was fascinated to see that the latest issue of Forbes magazine has a feature on cyber security. It sets out what must be fixed according to ten top experts. Have they got it right?

The answer sadly is a resounding "no". But just how bad can that be? Unfortunately it's pretty dire. On this evidence the problem lies with the experts, not the practitioners. It's unfortunate because many executive boards don't listen to their security managers, but they do pay attention to media pundits.
So what did the top ten experts suggest? a lot that makes sense to real practitioners. Every one of them "muttered something about there being no silver bullets". In my view that's a negative attitude because we would all like to find a silver bullet and there's absolutely no reason why they should not exist. Such reasoning reflects a lack of imagination and a disdain for smart
I expected more from Brian Krebs, an investigative journalist, who could only say that "it requires a mindset shift. I'd like to see more users place far less reliance on automated tools". Not good advice in my view. In a fast-moving, dynamic environment, we need more technology and automation.
Scott Charney, a Microsoft VP, suggested that the answer was for "companies to be transparent about how they handle data" and "to have robust corporate programs to protect privacy". Such statements are likely to be regarded as meaningless waffle by most streetwise CISOs and auditors. And few businesses will genuinely embrace privacy because it restricts business exploitation of data.
Cisco's Chris Young suggests that the problem is increased by the so-called "Internet of Things", which demands a "threat-centric approach to security". Personally I thought we'd already been doing that for thirty years or more.
Chad Sweet, a CEO of a security and risk advisory firm, suggested that we need "cyber audits" to give stakeholders confidence. To the experienced CISO, inundated with audits, this will be bad news.
Edith Ramirez, a chairwoman at the FTC, thinks the answer is encryption. Perhaps she has yet to experience the downside of this magic bullet, which many of us have found to create as many problems as it solves.
Heather Adkins, a Google security manager, sees the problem as a technical one associated with 60s and 70s vintage systems. (Gosh. What was wrong with them?) She thinks the answer is to reduce the attack surface, which is a great idea if you are actually in a position to do that. Unfortunately many business trends are going in the opposite direction.
Daniel Suarez, a sci-fi writer (Whoa!), suggests the answer is to scrap the Internet and build an Apollo-like, secure network for critical infrastructure. He's right, but it's an impossible dream.
Peter Singer, an author, thinks it's all about human incentives. The answer is to adopt a mantra of "keep calm and carry on". This is very pragmatic of course, but ultimately rather too
Christopher Soghoian, a technologist, suggests that the problem is politics and the need to have a forceful agency that makes everyone patch vulnerabilities. Dream on.
Joe Sullivan, CSO at Facebook, suggests the answer is to have a security infrastructure that keeps up with the billions of people coming online. That seems like good advice, so let's look to Facebook for a secure environment.
Is this the best we can do? Of course not. Business and citizens deserve much better from vendors, institutions, and journalists. If our pundits cannot see the solutions, we are doomed to wait many years before the real issues are recognised and the real solutions developed.