Art Coviello, the recently retired Chairman of RSA, said in his keynote address to the annual conference in 2014, “The security industry state of the union is precarious. We have not been able to keep up with attacks that are escalating in intensity and sophistication and we are not turning out enough skilled personnel to fight the fight.”
At Black Hat 2017, more than three years later, Alex Stamos, now the Chief Security Officer at Facebook, reiterated that sentiment in his keynote address, saying “The unfortunate truth is that our community overall, we’re not yet living up to our potential. We have perfected the art of finding problems over and over without addressing the root issues.”
These messages are simple and require no parsing. The information security white hats have long been windy on snark yet very short on solutions. While historically avoided, consistently isolated and normally relegated to the dark corners of a distant server room, the 10,000 or so hackers who attended the festival in the desert two weeks ago no longer have anyone to blame for their holier-than-thou attitude. It’s time to grow up and get in the fight.
I am the first to lead the rant about the perils of avoiding and then ignoring the advice from the good hackers among us (see https://www.netswitch.net/arent-listening-smartest-guys-room/), but at the same time, we are now at the place where bloviating on Twitter about how impossible it is to secure anything, or victim-shaming those organizations hit by EternalBlue, is doing far more harm than good. It is easy to stand on the sidelines and critique the play. Being on the field of battle is another thing entirely.
Two years ago, Cybersecurity news was only interesting to those in the fight, but today we see hackers, researchers, opinion-makers, mainstream media reporters and editorial opinion from major consumer publications featured on the front page every day. Cybersecurity news has moved from a reported hack of Target Stores’ POS system on the Business & Technology pages to become the central story, with significant overtones for geopolitics, national security, human rights and physical safety.
No longer is your company’s board failing to listen or pay attention. Suddenly, everyone from senior management to law enforcement to the military to political leaders is focusing on Cybersecurity as a clear and present danger. Good or bad, we have never seen strict Cybersecurity regulations developed and implemented so quickly as those New York State recently enacted, which will soon spread to all of the rest of the States. Even Congress, which normally moves at a snail’s pace, got in gear and pushed a bill implementing email security within all Federal government messaging systems.
The biggest problem right now is not the fact that the threats have outpaced the defenders. That’s old news. The biggest problem is a lack of leadership. Technology vendors are not leaders. They are suppliers. No pick and shovel dealer ever found any gold. Weapons dealers don’t win wars. Government, as can be witnessed clearly by the only Cybersecurity bill Congress managed to muster, is only concerned with its own well-being. Critics don’t write great novels, cook great meals or make great films. Blaming ordinary people who use the same password for more than one service, continue to use IE8 or have failed to disable Flash will not lead us to victory.
Leadership means grabbing hold of the things that matter. There is far too much fanfare around the discovery of a zero-day, just as one-handed catches in the end zone bring crowds to their feet. Both feats require difficult and extensive preparation and hard work, but neither wins the long game. In order to prevail over the course of a whole season, we need to devote far more energy and rigor to the simple hacks that affect businesses and people in their everyday lives. It is always cooler to be the quarterback or wide-out who can throw and catch the game winner, but executing the blocking and tackling makes those big moments possible.
A simple example of leadership failure is our incessant push over the last ten years to make every user an administrator as well. There are auto mechanics because most people would prefer that others maintain their vehicles. Expecting all systems to be patched in all the right places and running the latest versions of everything all the time is great for Microsoft but lousy for the state of Cybersecurity.
But who can step in and fix this? Vendors? Please. Government? If you want the Windows admin version of the New York State Title 23 NYCRR 500 imposed on all businesses, sure. But I don’t think we need a nuclear weapon to ring our doorbell.
The 10,000 people who showed up at Black Hat this year are some of the very brightest and best practitioners of the Cybersecurity trade in the world. They know where the next threats are coming from just as assuredly as they know how to prevent the entire range of current threats.
If we promise to start listening to them, maybe they will promise to stop snarking and start focusing their energy on simple prevention, detection and remediation plans and processes that can rebalance this playing field and start us on our way toward parity, and then victory.
If we promise to let them lead, maybe they will assume the mantle.
God knows we need it.
This is a Security Bloggers Network syndicated blog post authored by Steve King. Read the original post at: News and Views – Netswitch Technology Management.