Last year saw some of the largest security breakdowns of all time. Half a billion Marriott Starwood customers had their personal data compromised. More than 100 U.S. university research programs had valuable intellectual property stolen. Ransomware attacks disrupted municipal services in Atlanta and Baltimore. In the midst of these spectacular failures, spending on cybersecurity exceeded $80 billion in 2018, more than 2,000 security vendors are operating in the U.S. alone, and corporate executives and boards are carving out more time than ever to consider security risks. In what other arena is widespread success so elusive, and why does this strange anomaly persist in security?
Yes, cybersecurity is hard and always will be. Attackers will continue to innovate with dynamic new techniques, and opportunities to sow mayhem will proliferate as we bring more of our everyday lives into the digital realm.
But we can do better.
The big problem in security isn’t people, process, or technology. While imperfect, the industry is filled with hardworking and talented people, security awareness and processes are improving rapidly in most organizations, and there is no shortage of good technology.
The big problem is cultural, and it is at the root of all these other shortcomings.
Security too often wraps itself in an immature, dark-arts culture that hurts the people, the process, and the tech. This culture enables a lack of diversity in its talent base and deters new entrants, furthers its weaknesses in communicating effectively with its real constituents–the corporate and government leaders on whom citizens depend for security in their daily digital lives, and encourages tolerance for arcane, overly complex, and hard-to-use tools.
That this culture exists should not surprise us. There is a mystique to the cyber world. Many security researchers and engineers take pride in having earned their skills after countless energy-drink-fueled, late-night hours, often in classified arenas or in roles otherwise subject to confidentiality. The teams, the approaches, and the tools born of this mind-set and favored across the industry today are therefore mostly self-referential, aimed at experts, and indecipherable–by design–to outsiders. But there are not enough of these hyper-skilled defenders to fill the ranks of organizations faced with increasingly sophisticated attacks, and members of the security community aren’t the people it exists to serve.
Killing this dark-arts culture is an imperative for everyone who seeks to improve the world’s digital security. Fortunately, it isn’t an impossible dream. A few concerted changes–simple, although not easy–would get us a long way.
Expand the talent pool
First, security culture needs to embrace true cognitive diversity–it needs to welcome people with a more diverse set of skills, viewpoints, and experiences. The cybersecurity industry is now more than 30 years old, and some of its most prevalent technologies have been around since the beginning. Given the drumbeat of major security incidents we’ve seen over recent years, it’s safe to say that current approaches are not working. Part of the problem is that the same people–often very smart people–who built the industry are still the ones working on those problems now, without enough new input.
Security’s culture contributes to disrupting the natural balance of supply and demand. This misalignment is especially troubling given the endemic shortage of security talent. There are likely to be 3.5 million unfilled cybersecurity jobs by 2021. Yet, only 11% of the security workforce is female. Why? Well, maybe for reasons such as the fact that it took 16 years for the security industry’s largest trade show, RSA, to forbid vendors from employing “booth babes” on the show floor. Tolerating this hostility, however, is but one example of the industry’s failures.
Diversity in every sense–education, life experience, perspective, skill set–is the wellspring of innovation. We need new points of view on cybersecurity problems to have a realistic chance at developing truly new approaches. Search for talent in a broader range of places. Recruit with more structured processes promoting diversity. Put real effort into what the work environment feels like for every member of your team. It is incumbent on leaders in the security industry to promote corporate, organizational, and conference cultures that bring diverse perspectives to bear in developing the new approaches to security problems that are necessary to win.
Don’t baffle with BS
The second way that security’s culture hinders its effectiveness is in how security leaders tend to interact with the business decision-makers they support. In general, the industry needs to evolve beyond a love affair with whiz-bang tech, mature beyond fear-mongering, and learn to speak in ways that boards and management teams can understand. For example, most boards and executives are more fluent in the language of accounting than they are in Ruby or Java. This is partly a function of their education (my MBA program included lots of mandatory accounting, but nothing on security), and partly because the generations “born digital” have in many places not yet ascended to the top of the corporate ladder. But lack of fluency need not compromise good governance.
It is incumbent upon security professionals themselves to translate the arcana of their work into the language of business risk, and incumbent upon good management teams and boards to meet them halfway. Cybersecurity isn’t some weird, exogenous risk that requires a completely new vocabulary and worldview; it’s a core enterprise risk to be managed within existing frameworks. That may make it less elite in the eyes of some security practitioners, less exclusive, less cool. But it will make security more effective, which is the whole point.
Make the tools easier to use
Third, security culture needs to stop tolerating tools and standards designed to protect the experts instead of making security more accessible to a wider range of people. We must learn to expect openness and ease of use in enterprise security products, in the same way consumer products cater to their users.
Ease of use isn’t only about convenience; it’s about security. Take the breach at Target as an example. It happened not because security tools and teams weren’t present, and not because they didn’t work. The breach was detected. The product worked, and alerted the team to the problem. But those relevant red flags were swamped in a sea of other flags, drowning the operators with minutiae. Instead of parsing signal from noise, the signals became noise, because the security products were too hard to use, overwhelming their human operators instead of empowering them.
This is not an impossible problem to solve. Consider, as an example, the simple topic of query syntax. A routine task of cybersecurity is “asking” across your infrastructure whether and where you might be vulnerable to some particular new attack. Usually, this requires the knowledge to craft a highly complex question, such as, “event_simpleName=ProcessRollup1 FileName=powershell.exe (CommandLine=*-enc* OR CommandLine=*encoded*) | table ComputerName UserName FileName CommandLine.” Ugh. Instead, why not pull together advances in data science and user experience to translate that complex syntax into a simple, plain-English command: “Search for malicious powershell.”
The people, the process, and the products are all related. As one industry analyst said to me, “The Venn diagram of organizations with ‘capable products’ and ‘people capable of using those products effectively’ looks like the Mastercard logo.” Two mostly non-overlapping circles. Organizations of all sizes need to look at UX and ease of use as the way to realign themselves in that Venn diagram–a capable product, used effectively, that protects my business from damage and loss.
Changing the culture of security can encourage promising new entrants to seize the chance to learn and to become productive quickly, even if they initially lack deep experience. It can help bridge the gap between security teams and the management teams they work for. And to give those teams a shot at success, it can change the norms so that everyone is focused on building tools that are easy to learn and use. Only then, with a broader talent base, communicating well and equipped with more usable products, will we have a fighting chance at reversing security’s systemic failure.
Nate Fick is the CEO of the cybersecurity firm Endgame and the bestselling author of One Bullet Away: The Making of a Marine Officer.