Speaking at RSA Conference in San Francisco, Wendy Nather, head of advisory CISOs, Duo Security at Cisco, said it is time to consider how users are affected by security controls, why mistakes are being made and if product design really benefits users and security.
Nather said that if we thought IT professionals were the only ones who used technology and knew how to program, we were wrong. “It used to be that we were the masters of the universe,” she said. “We had the knowledge and made the rules, and wrote the software and managed the servers and pulled the cable: but it is not working as it used to.”
Cisco's Nather made the point that “every one of us is a consumer of technology” and we do what we want with our devices, but we have tried to be secure with an unsustainable model. This can be resolved in three steps. The first is about moving from Control to Collaboration. “We are using the same technologies at work and home,” she said, “and the only difference is the username we put in.”
Nather said that there is a change from an authorization model to a collaboration model, and suggested that we need to recognize that users can make better decisions, as we all want resources, but have different requirements.
“What will it look like in architecture? We assume what we control – servers, databases; but there is stuff we use like IaaS, SaaS, and third party APIs, and we don’t control the internet and user,” she said. She pointed out that we need to look below the traditional layers of security and see what controls we have, as we may only control the top layer of the hypervisor and network, and in SaaS “we may only control a wedge of the account with the provider, and only control the use of it.”
If this doesn’t allow the user to work, they may push back against controls and “think that control equals cost, time, money and people.” Nather added that if we optimize what we control, manage and give away, and work together “we can zoom into the future at the speed of business - that is what collaboration can bring us.”
The second trend, she continued, is around simplifying design. She said that we ask the same questions year after year about why users “keep clicking things” and we “yell at them for doing wrong things.” Nather said that this is a natural part of what users do to get their job done, and “we need to stop fighting this.”
Nather argued that it would be better to just secure things so it doesn’t matter if users click on the wrong thing. “Users want to do the job and get in and out, so simplify operations, data and functions to make it easier no matter who uses it.”
The final trend is to have an open culture, where people can make their own decisions rather than IT trying to change their morals.
“This is a lot to ask, and I believe we can do it and go from control to collaboration and simplify and reduce controls and give people an open culture. I believe we can do this,” she concluded.