We are still getting security wrong

The misunderstanding and frustration that surround security in today's world show no signs of abating.

Whether we look at cyber security or at industrial systems security, the misconceptions continue to dominate and, hence, we continue to make the wrong decisions and invest in the wrong areas, and we are losing the battle.

Most security companies and professionals continue to insist that security issues should be tackled with the latest and shiniest technology, be it appliances, software or cloud provisions. Security professionals continue to insist that the business "doesn't understand" and that we should start at the root of the problem, with user awareness. So, we continue to pray for more regulation, industry standards and best practices (à la PCI-DSS). The auditors and consultants have their own angle, and it involves nurturing their cherished board-level connections and insisting that security and technology risk issues continue to be discussed by the Audit Committee and that findings are dished out for Corporate IT to 'fix'.

While these efforts are valid and can, in aggregate, help improve an organisation’s visibility of its security risks and its willingness to do something about them, I think that we, businesses, government and the security industry, are missing an important angle: economics and incentives.

What if we made security everyone’s responsibility, not just that of the ICT folks, of Compliance and of the CISO / CIO?

What if all organisations established that information/cyber security and technology risk is everyone's responsibility?

First, risks can be classified according to a simple methodology. As financial impact is not always easy to quantify, a simple scale should be used, e.g. "minor, moderate, major, critical, systemic", and tracked accordingly. Each department and business owner can be made accountable for identifying and addressing such risks. For example, if security risks pertaining to a business owner's line of business sit on the company's Risk Register quarter after quarter and no action is taken, that individual's performance appraisal can be affected.

A starting point for employees may be to attend security awareness training programmes, to read and understand the company's security policy and to sign up to it. Employees can then be given a "security credit" of 100 points each year, with points deducted for transgressions and added for being vigilant, for doing the right thing (like not clicking on email attachments from unknown sources) and for actively caring about their company's and their customers' data. Ignorance should not be an excuse, and employees should be encouraged to check with their internal security advisor when they wish to take an action and are not sure of its implications for security.

A scenario too far-fetched? A vision of a totalitarian, security-obsessed society?

Who knows; some rules will have to be drawn, the devil will hide in the detail, and the key will be how all of this is actually implemented in practice.

Think about it: no society can afford to have a policeman everywhere. Modern societies rely on citizens being aware, forming "neighbourhood watch" schemes (not vigilante groups) and generally realising that we all have a responsibility to ourselves, to our community and to society in general: we cannot simply see risks and issues, do nothing about them and wait for the state or the police to 'fix it'.

So, if organisations incentivise everyone to care about cyber security, would our organisations be stronger? The attackers already have an advantage over the defenders, and the speed and complexity of technology exacerbate this asymmetry, which is not in our (the 'good guys') favour.

Let's establish a central budget for security, then an employee budget and a department budget. Let's publish league tables and start a healthy competition for the "most security-engaged business line". Let's deduct points and dollars from business owners who disregard security risks and from employees who ignore the company's security policy.

Humans weigh risks and make decisions about them every minute. Why not break the security 'silos' and put this tremendous power and distributed energy to work in solving today's cyber security issues?

Ionut Ionescu is the Director of Cyber Threat Management at Wipro Limited.