The security industry seems to be perpetually in some extreme state. The now almost weekly, or even daily, reports of a big breach at a household name in banking, retail or government lead to calls that something has to be done. Whatever that something is.
One current trope is that anti-virus is finished and budgets now have to be spent on analysis and incident response. Or maybe the opposite. And yet in these moments of extremes there is the measured gaze of those in the venture capital and financial communities who, when presumably not dealing with the aforementioned breaches, are sizing up which security companies to fund. The security industry is delivering pretty good returns and it’s fair to say that it is an investment magnet right now.
And as 2015 peters out, an equally measured look at where we are as an industry is rather necessary if not critical. Such a perspective was offered, and taken, at the recent AT&T Cybersecurity Conference in New York.
As the Big Apple bathed in the sunshine of an Indian summer, delegates were not just treated to a demonstration of the latest and greatest in security technologies; they were actually invited to ask questions of themselves. Where were they as security professionals? How were they, as individuals, looking at not just security architectures but also how they were implementing them? How was the way in which they worked affecting the efficacy of these systems?
Setting the scene, AT&T’s John Donovan, Senior Executive Vice President, AT&T Technology and Operations, wondered where the security landscape was headed and warned that, despite the move to the cloud and other software-defined security systems, a new approach to security was essential. He cautioned that tomorrow’s security professionals needed a framework for asking questions that address systemic risk and decode the increasingly varied and innovative threats of adversaries.
Such a theory was expanded upon by Melanie Ensign, Manager, Security Communications at Facebook, who reflected less on how hackers could potentially damage the reputation of companies and more on how the industry needed to hack into the reputation of Infosecurity itself. As she began, she issued a blunt rejoinder to those sitting right in front of her, representatives of an industry in need of change: “Hey Infosecurity: your fly is down.”
In making her case for why this was so, and what should be done, Ensign raised a concept rarely heard in the discourse of security: literacy. “What we need right now is literacy among regulators and consumers,” she argued. “Security is probably more concerned right now about publicity from security breaches than about actual security itself. That is insane. A lot of people have this perception that there is an absolute value in security and by not reaching it, everything is insecure.”
Offering solutions, Ensign proposed that reputation management was actually an example of reverse engineering, asking what we want people to know. What the security industry needed to do instead, she proposed, was to acquire more emotional intelligence and articulate things with more of an emotional connection.
To gain this, Ensign suggested that there were five key steps: self-awareness; self-discipline; motivation; empathy; and people skills.
Notice that there is absolutely no mention here of fear, uncertainty or indeed doubt, the staples, if not pillars, of the rationale for investment in security solutions put forward by the vendor community.
Indeed, institutional fear was another element called out by Ensign, who believed that it was actually irresponsible to focus on motivating people by scaring them. In fact, she argued that frightening people about their own security setups was basically just self-defeating.
The correct approach, Ensign insisted, was for firms to be more sophisticated in how they communicated about security, rather than resorting to what she called lazy and unimaginative scaremongering, which would lead only to people believing that they had no answers to security. “We need to change the way we think about ourselves. It’s not just about cost and about what people think about us.”
Ensign argued that security professionals could and should shift the conversation for the greater good, and that they, her included, had to do better as a community by disseminating information that was useful to all. Was this a nod to the growing trend of sharing details about breaches?
Concluding, she professed her faith that the assembled and the industry in general could solve security problems in a more effective manner, talking in a language understood by all across organizations. “Security is a journey that is not going to end, and things are constantly going to change. If not we will run into the same issues time and time again.” So zip up and lose the fear.