National Cybersecurity Awareness Month is in its 17th year. For nearly 20 years, the Cybersecurity and Infrastructure Security Agency (CISA) has devoted every October to telling Americans how to be safer and more secure online. In all that time, has anything changed?
Well, yes and no. Information security risk hasn’t fundamentally changed: organizations face the same threats today that they’ve always faced. What has changed are their risk management strategies, and opinions about what constitutes acceptable risk. When it comes to cybersecurity, the data shows that we aren’t reaching users or professionals with the messages that National Cybersecurity Awareness Month is dedicated to spreading. As I said in my recent Securityweek CISO Forum keynote, we have a public relations problem: we need to make security cool.
Security technologists have spent years focusing more on controls than on the problem. The result is what a recent USENIX paper called “a crisis of advice prioritization.” In A Comprehensive Quality Evaluation of Security and Privacy Advice on the Web, the authors shared that experts identify 118 cybersecurity practices as being among the “top 5” things users should do—leaving end-users pretty much on their own to prioritize those behaviors, and take action to protect themselves.
The outcome of this crisis is ineffective security. We’ve asked users for literal decades to never use the same password for both company and non-business access, but research shows that 94% of reused passwords are exact matches. We’ve conducted security awareness training sessions telling them not to click links in email from unverified sources, but phishing attacks maintain a 33-11% success rate.
It’s not just end users who suffer from this approach. The tech industry is innovating at an incredible rate today, but organizations aren’t evolving how to implement that tech from a security standpoint. The biggest tech innovations of the last decade—IoT, Cloud, APIs—have revolutionized how businesses operate, and are largely deployed without basic security controls. IoT devices can be secured. APIs can be secured. The cloud can be secured. Yet the list of organizations that fail to do so includes Fortune 50 companies, three-letter agencies, and sophisticated tech companies with the best security teams money can buy.
Right now, “cool” consists of moving fast and breaking things. Security isn’t cool. It gets in the way. It’s not easy. It doesn’t match how we innovate.
You know what is “cool”? Hacking. A lot of us in the industry are old enough to remember when hacking was our word, something you did to both innovate and evolve. Now cybercriminals and attackers have taken that word, and the ethos behind it, for their own. They communicate. They share. They open source their bots. They adapt and react to new market opportunities with agility and speed. These malicious hackers are out there training 13-year-olds to build bots, while my neighbor’s high school kid has no idea that Information Security is even a career path—much less something they could get a full ride scholarship for.
So, if the bad guys can weaponize and share quickly, why can’t we? Why is the cybersecurity field devoting so much of its time, money, and effort to inventing new ways to NOT grow?
As security professionals, we need to face up to some facts. First is that we have a control design issue. Fundamental controls haven’t evolved in decades despite continual failure. We literally keep doing the same things the same way expecting a different result. And when security controls are too hard, get in the way, or take too long, people find ways around them.
Also, we need to do better at building awareness of what this job entails and the value of security outside our field. Sure, security vendors are great at marketing security products to security people; but we’ve done little to educate other IT specialties, or other employees, about the necessity and value of security. (And can we talk about the quality of most security awareness training? It’s hard to blame employees for clicking through it as quickly as possible, even though they’ll still sit riveted through their hundredth viewing of The Matrix.)
Then there’s the fact that our barriers to entry are too high. Every day I see online threads from talented security folks who can’t land a job because they don’t have a specific cert, aren’t an expert at a specific firewall, or don’t have the required 15 years’ experience with a product that might not have even been out that long. We all talk about challenges finding talent, but too often we don’t let the talent in the door. The lack of awareness of our field, coupled with high barriers to entry and a lack of cybersecurity curriculum and graduates, ensures challenges with scaling to meet the needs of the business.
We have all the ingredients to make security cool in 2020. So how do we do it? I’m going to take my own advice here, and boil it down to a Top 3:
1. Share more. Attackers love to share, and so should we. Share your hilarious and awesome stories with people outside of your circle of fellow security pros, to get others interested in what we do and its impact. Share your data on attacks with anyone who can benefit. Share organizational resources by investing in STEM programs. Share your expertise by volunteering to educate and train people in cybersecurity.
2. Embrace change. Adopt new tech that shifts left, automates, and works at the speed of attackers. Advocate for and evangelize DevSecOps.
3. Communicate better. Security awareness training is a golden opportunity to interact with everyone at your company about cybersecurity in a positive way. Don’t let it go to waste! Ensure that training is relevant to their lives and what they care most about, using language and imagery that resonates with them. Focus on helping them win, not locking them down.
The reality is, security is cool. If we modernize our approach, the whole world will know it, too.
By Mary Gardner, Chief Information Security Officer (CISO) at F5