A panel debate at (ISC)2’s EMEA Security Congress in London called on the infosec industry to redouble its efforts to emphasize the importance of security matters to the public and enterprises.
Debating under the header ‘Key Challenges Today’, the panel was chaired by (ISC)2 EMEA head John Colley and featured MP David Blunkett, CERN head of computer security Dr Stefan Lüders, and Ray Stanton, executive VP of professional services at BT.
“The most important thing is a change of culture,” argued Dr Lüders, suggesting that the biggest challenge facing the industry is helping the wider public to develop an ingrained security awareness. Getting people to think automatically about security whenever they receive an email containing links or attachments, Dr Lüders suggested, is the first step: “Once people start asking questions you get the ball rolling.”
In his opening keynote prior to the debate, Blunkett also highlighted the importance of security education, commenting that “Unless we’re in schools and colleges and getting the point across about the risk for pupils we’re failing badly.”
Reflecting on his time as Secretary of State for Education, he lamented not investing more in training for teachers, many of whom were being asked to teach information technology classes without prior grounding in the subject.
“You’re only as good as the person passing on the knowledge,” he remarked. Broadening this point out to apply to businesses, too, he suggested that, “We as an industry need to find ways to attract people who have recently been on the frontline,” and that there needs to be more ability for knowledgeable people “to move from academia to business more readily.” Sharing skills, Blunkett summarized, is going to be a key development in strengthening businesses’ natural resilience to cyber threats.
Ray Stanton also discussed the “need to get the basics right”, and raised the issue of the ‘power of four’, which refers to the human generations from wartime babies to Millennials, each of which has a different approach to the way in which tech is increasingly integrated into daily life. Despite these differences, Stanton argued, the industry must strive to “make [security] relevant to anybody,” adding that “all we can do is educate.”
The Government Issue
Any change of culture, the panel suggested, is not just limited to how the industry educates people on security issues. Government came in for criticism, too – not least from the panel’s one resident politician.
“When government has suffered a hit [in the past] they’ve always put the shutters up,” Blunkett commented, adding that there is a need for much greater transparency from both government and business: “We’ve got to get people to be open about the fact that these vulnerabilities exist.”
He suggested in his earlier keynote that companies and governments could make a “reputational feature” out of their honesty, transparency and effective responses to security breaches.
Dr Lüders was less equivocal in his stance, arguing with conviction that “We should be more critical of government about why they don’t reveal more zero-day vulnerabilities,” and suggesting that they withhold them just to have an “offense advantage.” Governments, he charged, may have been sitting on vulnerabilities for years, to the detriment of the security industry and consumers.
It did not take long for the name Edward Snowden to crop up, a man whom Blunkett grudgingly praised for opening up a debate on privacy and surveillance, despite branding him “a traitor to his country and a thief.”
This echoed a point made earlier, in his speech, where he said: “If we don’t have that debate, we don’t have democracy.”