The security community brings together a diverse range of people: entrepreneurs, technologists, policy-makers, educators, marketeers and more. Each has their role to play in delivering security’s core ambitions: creating and distributing ever-more secure technology, whilst increasing the security awareness and savviness of users. This, ultimately, will help create a safer environment in which to conduct business and personal affairs using technology.
One meeting I had at RSA Conference this year highlighted in particular that security is a collaborative effort. Rapid7’s Tod Beardsley, engineering manager (also the lead for open-source Metasploit Project), and Jen Ellis, senior director of public affairs, are both advocates for a more secure future. The chance to meet them both at the same time gave me the opportunity to hear how different areas of the industry – the public-facing and technological, respectively – co-operate, and bring together different perspectives.
“There are still a lot of organizations for which security is a terrifying thing,” Ellis believes. Many companies, she says, are still falling into the trap of being primarily reactive, rather than proactive, when it comes to security: “In those organizations that have had a security incident in the past, the level of security maturity is much greater.”
Businesses that are not developing their security readiness are at a distinct disadvantage when that first incident does arrive, Ellis argues. “It takes organizations a really long time to identify breaches; when they do, they often get told by a third party and we see consistently that the single biggest entry point has been compromised credentials.”
Beardsley adds: “You could hire a CISO or even SecOps people who have personally dealt with it and have the scars, but until that organization takes the hit, it’s really hard to go from no known incident to your first incident and actually handle it.”
Investment in security is clearly an important consideration in the age of the mega breach, which means that top-level decision-makers must be engaged by the security discussion, Ellis explains. “The only reason the people at the top of a company pay attention is if they are specifically continuity focused, and they understand the role of security in a big-picture continuity sense. Either that or it’s fear driven, because something terrible happened to them or somebody very immediate to them.”
The pair agree that what happened last year in terms of breaches and vulnerabilities created a general level of concern and awareness at board level. On top of that, governments also started to talk about security more. That brought general counsels and CFOs into the conversation, which is significant given CFOs’ involvement with risk.
A Booming Industry
The consequence of the escalation of security breaches and incidents across all sectors and types of business is that the security industry is “booming”, according to Ellis. But far from being complacent, she argues that now is a crucial time for the industry, in that it needs to evolve to meet the challenges it faces.
“The challenge is that, while we’re really good at talking about security to each other, we’re really bad at talking about security outside of this echo chamber. That’s the next step for us. I think we’re at an inflection point for the community where the industry has to make a decision to become something different, something more embracing, and something less echo chamber-oriented.”
The cultivation of this echo-chamber culture is down to two main industry failings, Ellis believes: “First I think we’ve failed to communicate simply, but I also think we’ve failed to make the technology simple. An industry can survive and thrive on being terribly complex for a while, but it will naturally tap itself out of growing beyond a certain point.”
She gives the example of encryption as something that should be much more widespread. Beardsley, the technologist, clearly concurs.
“Using PGP in email is a massive effort; I can barely do it and I’ve been at it for a little while! The whole point of the internet is that everything is open and free – and that’s great – but maybe don’t start with the plain text and then realize that plain text is not the way to go. This whole arc of going from just HTTP to HTTPS has taken so long, and you see new things coming up all the time. Take the whole IoT thing; every widget you buy that has a stack is going to be plain text.”
To address weak default security, while tackling the communication issues Ellis identifies within the industry, she argues that “we have to stop just focusing on selling products to technical people who, say, need widget X. We have to focus on education on a higher level around what the issues are. And we have to build bridges.”
This latter issue is made complicated by the level of distrust that exists between government, private sector and the security community, Ellis adds. Given security’s tendency toward being highly technical and “not super open,” channels of communication that need to exist are not really there.
“You see that a lot in research,” she adds. “We see a high degree of defensiveness. We disclose a lot of vulnerabilities and we see that a lot of vendors are either horrendously defensive to the process or horrendously clueless about the process. We have a responsibility to address that. We have a responsibility to accept that it’s actually completely normal for bugs to be built into things.”
Beardsley counters: “I think we have made significant progress on secure software development. You have to be at a really sophisticated organization to even think about that and you have to have really talented programmers and time. There are lots of reasons not to do it.”
He adds: “There shouldn’t really be a security industry – it should be niche. The fact that we need too many add-ons to do security is kind of a failure. It should be built in. There should be secure development and secure patching.”
Beardsley also cites “identity warehouse companies” that make oversharing-as-standard their business model as an example of insecure defaults.
“You have lots of insecure defaults for both software and for people. I don’t know how you change psychology,” he adds.
Changing mind-sets and taking the security debate to a wider audience, it seems, will be two defining challenges that the security industry must grapple with in order to reach its critical objectives on the global stage.