[BreachExchange] What happened to trust and transparency in cybersecurity?

Destry Winant destry at riskbasedsecurity.com
Thu Mar 14 01:58:14 EDT 2019


Today, we need proactive security measures that protect the
organization responsibly, mitigate risk, and adapt to an ever-changing
world. This can only be truly achieved with transparency across the

I’ve given presentations before where I’ve asked a room full of people
to raise their hand if they are in charge of cybersecurity. I’ll get a
few raised hands from IT and Ops. Then I make the point that
everyone’s hand should be raised because today everyone plays a role
in keeping their organization secure. Employees need to understand
risk so they can make more informed decisions every time they go
online, and the consequences that being careless can carry.

IT and the business side need to work towards open lines of
communication and shared responsibility across the organization to
make cybersecurity not only a priority but a standardized part of
daily operational procedures.

The marketing team has access to intellectual property. HR has access
to sensitive personal data. Finance has access to the company’s
monetary health and funding longevity.

The security team needs to move beyond the mindset that it alone
protects everyone and incorporate ways to empower people to protect themselves.

How did we get to be so closed off anyway?

It’s often said that the internet was built on trust. When the basis
of the internet, ARPANET, was being developed, the basic idea was that
the person on the other end would be a verified party, as it was
designed to connect academic institutions over a single network. There
wasn’t much thought given to building in security.

Fast forward 30 years and everyone (and everything; smart toaster
anyone?) is using the internet for a myriad of services across the
globe. Internet users globally are estimated to be over 4.2 billion
people, a bit over half of the world’s population. And unfortunately,
not all of those people can be trusted. So if the internet was built
on trust, it is definitely not maintained on trust today.

People are increasingly distrustful of the internet, which is no
surprise given the daily announcements of new data breaches, and
especially high-profile mega breaches from household names such as
Uber, Equifax, Marriott, and Yahoo. And those are just the ones we hear
about. The lack of transparency and the attempted cover-ups many companies
choose to pursue after a breach or leak further fuel doubt that the
issue of cybersecurity is being taken seriously.

The loss of consumer trust, together with increasingly aggressive regulators
setting record fines for data breaches, is starting to get the
boardroom to take data security and data incident response seriously.
There still remains the traditional organizational structure that
focuses on checking off the compliance list of industry-regulated
marks, but this falls short of combating the ever-evolving nature of

To restore trust and transparency, organizations must first operate
from a place of trust and transparency within themselves.

Living in the shadows

As recently as ten years ago, cybersecurity wasn’t an often-used term.
Corporations focused on information security – the preservation of
confidentiality, integrity, and availability of information – as an
operation under the IT department. You had a group of people with
technical knowledge that only communicated with others outside of
their tribe when they had to. There was no interaction or
collaboration with the business side unless there was a problem that
needed fixing. Remaining compliant was the main objective.

On the government side, three-letter intelligence agencies were well
on the way to developing secretive tools, security concepts, risk
management approaches and technologies for cybersecurity to deal with
cyber-warfare, information warfare, critical infrastructure protection
and other threats and vulnerabilities from cyberspace.

The gatekeepers of technical knowledge from information security and
the clandestine nature of cybersecurity eventually came together to
form the current culture we have today in the security industry. For
many years they embraced the secretive nature of their work and this
is shown in how security has become a stand-alone part of the
corporate IT organization, and even more so removed from the business
side of the operation.

An increasingly complex world

In the early to mid-2000s software really started to envelop the
world, or in the words of Marc Andreessen, software began eating the
world. There was an explosion of data as online companies emerged
faster and faster and traditional companies started building out their
new digital identities. With the move that everyone was becoming an IT
company in some way came a big uptick in cybercrime.

The barrier to entry to become a cybercriminal had become lower and
lower as hacking toolkits and exploits were being sold on the dark
web, giving people with limited technical prowess the ability to pull
off cybercrime activities. The rules of engagement between
nation-states running cyberwarfare ops on each other blended into the
private sector as evidenced by the North Korean hack against Sony
Pictures in 2014. Suddenly, everyone and everything was fair game.

Then, in 2016, corporate and government mandates started pushing the
move towards the cloud. The day-to-day work of securing an organization
became increasingly complex as organizations moved to hybrid clouds and
multi-cloud platforms, with information distributed broadly beyond the
network perimeter by non-technical employees who have neither the
time nor the understanding to consider the security outcomes. This is the
world we are in today.

Now, ticking off regulatory checkboxes and settling for the status quo
of achieving compliance no longer solves the issue of non-stop,
ever-evolving threats from every attack angle imaginable. A siloed
approach to security is no longer tenable.

Opportunities for trust and transparency

Security and DevOps need to work closely together to develop processes
where security is involved from the start so products and applications
aren’t being shipped with glaring vulnerabilities.

The first step is implementing a cybersecurity strategy that includes
all stakeholders across the organization. Involving everyone from IT, security, and
DevOps to all business units, from finance to marketing to HR, is
necessary for creating the type of transparency needed to protect
organizations going forward as attacks continue to evolve.

Then IT needs to work hand-in-hand with business unit owners to run
regular workshops to educate on the importance of security across the

Third, the board needs to be able to ask business risk related
questions that get answers quickly from the security organization.
They need to share a common language to have discussions of risk that
affect the wellbeing of the enterprise.

Fourth, security needs to start focusing on a hybrid world that isn’t
just about protecting the perimeter. We need to have open discussions
about identity, endpoint and application security. The perimeter can
no longer be the focus, and the responsibility for securing it should
rest with the cloud vendors.

And the fifth point is that the thinking about security needs to be removed
from the realm of secrecy. Security is now a standard part of
operating an organization and needs to be discussed openly, as it is a
critical success factor of every operation.

In this new world of ever-evolving threats, the only way to get ahead
is to get transparent. Openness, not secrecy, is the only way to move
