Ten top experts and ten steps backwards

I was fascinated to see that the latest issue of Forbes magazine has a feature on cyber security. It sets out what must be fixed according to ten top experts. Have they got it right? 

The answer sadly is a resounding “no”. But just how bad can that be? Unfortunately it’s pretty dire. On this evidence the problem lies with the experts, not the practitioners. It’s unfortunate because many executive boards don’t listen to their security managers, but they do pay attention to media pundits.

So what did the top ten experts suggest? 

Not a lot that makes sense to real practitioners. Every one of them “muttered something about there being no silver bullets”. In my view that’s a negative attitude because we would all like to find a silver bullet and there’s absolutely no reason why they should not exist. Such reasoning reflects a lack of imagination and a disdain for smart solutions. 

I expected more from Brian Krebs, an investigative journalist, who could only say that “it requires a mindset shift. I’d like to see more users place far less reliance on automated tools”. Not good advice in my view. In a fast-moving, dynamic environment, we need more technology and automation.

Scott Charney, a Microsoft VP, suggested that the answer was for “companies to be transparent about how they handle data” and “to have robust corporate programs to protect privacy”. Such statements are likely to be regarded as meaningless waffle by most streetwise CISOs and auditors. And few businesses will genuinely embrace privacy because it restricts business exploitation of data.

Cisco’s Chris Young suggests that the problem is increased by the so-called “Internet of Things” which demands a “threat-centric approach to security”. Personally I thought we’d already been doing that for thirty years or more.   

Chad Sweet, a CEO of a security and risk advisory firm, suggested that we need “cyber audits” to give stakeholders confidence. To the experienced CISO, inundated with audits, this will be bad news.

Edith Ramirez, a chairwoman at the FTC, thinks the answer is encryption. Perhaps she has yet to experience the downside of this magic bullet, which many of us have found to create as many problems as it solves.

Heather Adkins, a Google security manager, sees the problem as a technical one associated with 60s and 70s vintage systems. (Gosh. What was wrong with them?) She thinks the answer is to reduce the attack surface, which is a great idea if you are actually in a position to do that. Unfortunately many business trends are going in the opposite direction.

Daniel Suarez, a sci-fi writer (Whoa!) suggests the answer is to scrap the Internet and build an Apollo-like, secure network for critical infrastructure. He’s right but it’s an impossible dream.  

Peter Singer, an author, thinks it’s all about human incentives. The answer is to adopt a mantra of “keep calm and carry on”. This is very pragmatic of course, but ultimately rather too defeatist.  

Christopher Soghoian, a technologist, suggests that the problem is politics and the need to have a forceful agency that makes everyone patch vulnerabilities. Dream on.

Joe Sullivan, CSO at Facebook, suggests the answer is to have a security infrastructure that keeps up with the billions of people coming online. That seems like good advice, so let’s look to Facebook for a secure environment.    

Is this the best we can do? Of course not. Business and citizens deserve much better from vendors, institutions, and journalists. If our pundits cannot see the solutions, we are doomed to wait many years before the real issues are recognised and the real solutions developed.