The start of a New Year sees us all armed with fresh resolve and the best of good intentions. Following a year in which security teams have been under more scrutiny and pressure than ever before, it may feel like the list of resolutions is becoming ever longer and more difficult to accomplish.
What’s on your list this year? With GDPR on the horizon, perhaps it includes only consuming ‘healthy’ data and getting rid of that out-of-fashion data. Perhaps the priority is measuring performance to match goals – and staying within budget. But making wholesale changes is difficult, particularly in security – which can never be ‘perfect’ and where ‘cheeseburger risk management’ is rife. By this, we mean an approach to security whereby you keep on eating cheeseburgers until you have a heart attack – and only then stop to seek help.
A shift is developing in which there’s more recognition that the disconnect between governments, vendors and users – the ‘us’ and ‘them’ mentality – and the focus on selling products with fear, uncertainty and doubt ultimately hurts our industry as a whole. We’ll see a push back from organisations that the responsibility for security can’t rest solely on their shoulders.
This was evident after the WannaCry breach: cries of “why didn’t organisations simply patch?” didn’t address the inherent challenges which make this kind of quick fix neither practical nor affordable.
Perhaps they don’t run their own software; many don’t have the manpower and resources necessary to carry out updates to their software every week. Or they may not have the expertise to troubleshoot problems which might arise from applying patches. Instead, there needs to be a focus on how security vendors can support organisations which, in many cases, simply can’t afford the level of security they think they need.
Threats today are numerous and complex, and it’s not realistic that the onus should be solely on the CISO to make changes: in a wider sense, we need more collective efforts in order to make real change.
The good news is that we’re already starting to see more progress in this area in the wake of WannaCry. One area that is getting more attention is vulnerability disclosure and, to this end, there is an initiative in the US from the NTIA (the National Telecommunications and Information Administration) that aims to bring the industry together.
So, in the interest of fairness, rather than throw out the resolutions entirely, here’s a round-up of some resolutions not only for the CISO, but for others in the wider industry:
For the CISO: Take an inclusive approach to security: create a new initiative where any employee who reports a security issue is rewarded – unless, of course, they created the issue themselves. When handling a data incident, insist that no spokesperson will be allowed to use the phrase “we take security seriously”. Antivirus is getting harder to justify in the era of zero-day threats and APTs, but this year resolve either to stop complaining about AV or to get rid of it completely.
For governments: Politicians are continuing to weigh in on the war on encryption, but it’s time to call this off. Focus instead on how we can reduce the risks from vulnerabilities in software implementations and apps; there are still plenty of these, and we know attackers will exploit vulnerabilities in out-of-date systems. This can ultimately lead to better application security overall.
Consider treating legislation like software updates. Not only would this make Patch Tuesday a lot more exciting, it would be fun to see different branches of government try to implement DevOps. Finally, please use the word ‘cyber’ sparingly.
For security researchers: For every live exploit demonstration for the Internet of Things, you will include safety helmets for the audience in the front row. It’s also time to start saving up for a fund for graphic logo-design which you’ll need for every bug from now on.
For industry analysts: Please stop coming up with new acronyms – not only does this encourage start-up marketers, but it confuses potential buyers.
A new year means new beginnings, but it also means correcting the mistakes of the previous year. Because if they are not addressed, businesses are more likely than not to end up with an Infosec Groundhog Year. And nobody wants that… again.
Sourced by Wendy Nather, principal security strategist, Duo Security