Goodbye Cybersecurity Hello Verifiable Trust

October 13, 2013

By DALE MEYERROSE | On the Frontlines Magazine
April 2013

Let’s admit it — the state of today’s cybersecurity is inadequate — everyone seems to be saying it. So, why is that? And more to the point, what should we do about it?

If current public discourse is reflective of our thinking, then most of us in the cybersecurity business are stuck with a mind-set and language of the 1990s. By contrast, those who depend on us rapidly moved the “technology cheese” without us; and the bad guys changed the threat with even greater speed in spite of our best efforts.

For years, many of us spent most of our “security cycles” worrying about not becoming the next “poster child” for a network intrusion. We built layers of detection aimed at penetration alerts so that we could oust the culprit and repair the vulnerability that permitted the breach. This reactive approach spawned much of our current computer security industry and network-centric thinking — and it persists today under the rubric of cybersecurity. In fact, by all appearances we took most of these previous concepts, did a universal word search of “network” and “computer,” and merely replaced what are now considered passé terms with the more modern word “cyber.” We did so without adjusting our thinking to take into account a vastly changed, dynamic environment.

While we weren’t looking, mobile technology, the expectation of universal access and social networking moved much of commerce, business and many processes outside the boundaries of organizational networks. Yet, our cybersecurity discussions remain mired in the language of network boundaries, intrusion detection, firewalls, “locked down” configurations and detecting “known bads” — then dealing with their effects. In fact, we still predominantly use the obsolete label of “hacking” even though most of the advanced persistent threats of today are more about infiltrating data sources and stealing information — not about attacking and disabling networks. And if we continue to talk in such terms, we would be better served to bid goodbye to the “baggage-laden” concepts that don’t move us forward in our ability to meet the challenges of the 21st Century — and the quicker the better.

Aggressively Change Our Perspective

Today’s “buzz” about cyber has two main, even opposing themes.

First, the art-of-the-possible is exploding as information on-demand and mobility technology creates a new information consumer/worker with heightened expectations of availability, access, and capabilities. Thus, much of today’s workforce and significant organizational productivity now occurs outside the “protective womb” of an organization’s network.

Second, the fear-of-the-possible hangs over our heads with things such as stolen identity, Stuxnet, WikiLeaks, Anonymous, lost files, malware, and “hacktivists” (who are really more about adversely affecting architectural design and system performance than actually challenging security). Not surprisingly, the workforce is preoccupied with the former theme, while many of us spend much of our professional energy on this latter one.

Again, let’s be frank, “cybersecurity” will remain the label most associated with our endeavors of protecting all things related to information and technology. But what we do with it is another matter. So, let’s aggressively change our perspective and the context in which we approach our responsibilities in order to become more relevant.

Many of us approach risk management like we did in our “network days” by actually thinking in terms of risk avoidance — which means that we negate the value of everything by treating all risks equally. In contrast, we need to take into account the relative organizational (or individual) contributions and liabilities of every aspect of our organization’s “cyber eco-system.”

This is a construct that not only takes into account a network (over which there is presumably providence) but the entire extended enterprise of business processes that contribute to the creation, capture, processing, storage, sharing, diagnostics and manipulation of information. Correspondingly, the mind-set should become one of figuring out a way to say “yes” rather than finding reasons to say “no.” After all, the “yes” will eventually become reality — even when we say otherwise.

Think Trust

Lastly, let’s recognize the need to expand our “security thinking” into one of “trust” — of which more traditional IT security (along with personnel reliability, hardware and software supply chain integrity, identity management and data rights management) becomes a sub-element of a more encompassing approach. By doing so it’s easier to recognize that we must start with the human aspect of the equation, not the technology one. This means understanding the perspective of our users and external partners as well as ourselves — not only with regard to talent and skills, but also in terms of trustworthiness. Only then will we move cybersecurity from an “add-on” or inconvenient afterthought to an integral part of all of what we do. As a result, we need to learn new principles, procedures, and techniques in how to prove and preserve those elements of trust in every part of the business.

So, join in by saying goodbye to cybersecurity — at least in its current form — and say hello to cybersecurity as a concept of verifiable trust — our future success depends on it.

Original On the Frontlines Magazine Article
