Cybersecurity professionals must start taking a more active role in shaping the industry’s future, said Jen Ellis, cybersecurity advocate and community convenor, speaking during the keynote session on day two of Black Hat Europe 2022.
Ellis estimated that cybersecurity is around 40 years old, meaning “we are the second generation of the security industry.”
This means it is a good time to evaluate what the industry can do differently and adapt to the changing context. “What we’re doing isn’t working, we’re not winning,” she said.
Ellis set out three ways in which the cybersecurity environment has changed in recent years:
- Behavior of tech manufacturers: referring to the development of new technologies that have exacerbated the cyber-threat landscape. This includes IoT, the shift to cloud and a new era of AI and machine learning. “The level of complexity we’re dealing with as vendors has increased,” said Ellis.
- Behavior of tech operators: these are organizations such as mobile and cloud providers. The biggest change in this environment has been the adoption of remote working during the pandemic, again increasing the cyber-attack surface and complexity. “Every individual working on their sofa is a point on your perimeter,” she noted.
- Behavior of adversaries: Ellis said that cyber-threat actors “no longer look how they used to” and now operate essentially as professional businesses. Another major change is their relationships with governments, with many groups able to operate in ‘safe havens’ like Russia and North Korea and often act on behalf of states.
Ellis noted the huge economic and political impacts of these changes, pointing out that the estimated cost of cybercrime to the global economy in 2022 will be $7tn, while the issue of cyber-attacks has become “part of international diplomacy.”
As a result, “policymakers are going to pay a lot of attention to security.” For example, in the UK, in 2022 alone, there have been three cybersecurity laws drafted or amended, as well as six government consultations and two parliamentary enquiries on this issue.
This is the reality, and something security professionals “will have to live with.”
Adapting to this reality includes creating a more professionalized industry, giving customers “a baseline of what to expect when they hire a security professional.” Therefore, the industry must help align and agree on standards and certifications with the relevant authorities before they are mandated by governments.
“These are conversations security professionals need to be part of, because they will shape your career,” commented Ellis.
She also noted that most governments undertake open calls for review of the new proposals and laws they are planning in cybersecurity. “They really want to hear from you – the people who have the knowledge to ensure they are doing the right thing,” she outlined, urging: “you can take the steps to find out about these and get involved.”
“The bus is moving and do you want to be on the bus, deciding where it stops and when?” Ellis asked.
Ellis highlighted the great work the industry is doing to share information and help educate each other. However, “a lot of this is within the industry.” Therefore, cyber professionals need to do more to speak to audiences that aren’t engaged in the topic, “breaking out of these echo chambers that we live in.”
A huge role for the industry going forward is addressing consumer apathy around cybersecurity, and she said, “much of this will be done through engagement.”
Ellis advised avoiding technical jargon and hyperbolic language when engaging with these audiences, as both can be off-putting to those outside the industry. Instead, “speak their language” and offer a message of hope and empathy, she added.
Concluding, Ellis told the audience: “We’re at a point of change, and we have an opportunity to decide what we want to do with that change.”