Sian John, Symantec’s Chief Strategist for the EMEA (Europe, Middle East, and Africa) region, published a post on LinkedIn on 12 April 2017.
The post discusses attitudes towards cyber security and the limits of current strategies for improving the situation. Our societal awareness may have stagnated, but the skills of our adversaries have not. When a cyber-mature nation like the United Kingdom experiences ‘188 high-level cyber-attacks in [the first] three months’ of 2017, we need fresh and more effective solutions.
Before deliberating the question of change, we need to deconstruct, rather bluntly, the attitudes that limit the effectiveness of contemporary policy solutions, as identified in Sian’s post. Current approaches can be classified under two typologies: hard and soft.
Soft Awareness Versus Societal Complacency
Softer strategies are solutions that pursue protection through ‘awareness’. These include national service-guarantee schemes for enterprises, and educational courses for executives and mid-level professionals. Even at the national level, the focus on educating the incoming generation can be subsumed under this paradigm. Whilst soft awareness-building adopts a proactive stance, it is limited by society’s complacency towards digital threats and, in turn, its ignorance of security practices.
As society grows more accustomed to navigating digital environments, the majority lose their cautiousness. This leads to complacency about their online safety and breeds wilful ignorance: the voluntary disregard of security practices despite prior education or awareness training. Two causes stand out: 1) limited personal experience of being attacked, and 2) a degree of hubris (over-confidence) about one’s own digital security posture. This is why social-engineering intrusions (e.g. the W-2 phishing scam) remain highly effective against ‘over-confident’ but cyber-mature nations such as Singapore, as indicated by BAE Applied Intelligence in November 2016.
Thus, society’s inherent complacency significantly limits the effectiveness of policy solutions. In addition, raising awareness or implementing education initiatives holds no guarantee that the knowledge gained and skills learned will be applied. For example, according to the 2015 findings of PwC, 75% of corporate digital breaches involved the exploitation of an employee’s limited awareness, despite that employee having undergone some form of education. This culture of complacency, ignorance and hubris is what leaves security professionals feeling stuck in a ‘loop of creating awareness’.
Hard Enforcement Versus Misaligned Priorities
Harder strategies are solutions that pursue protection through ‘enforcement’. This is accomplished primarily by imposing regulatory compliance standards designed to mitigate the damage attributed to digital threats. Whilst designed to enforce a baseline of security amongst businesses, the effectiveness of regulatory standards is limited by the misaligned objectives of corporate leaders and security professionals.
According to a joint 2017 publication by McAfee (Intel Security) and the Centre for Strategic and International Studies (CSIS), titled ‘Tilting the Playing Field: How Misaligned Incentives Work Against Cybersecurity’, conflicting priorities ultimately obstruct effective threat awareness and the subsequent deployment of security practices within an enterprise. The report categorises three core misalignments: infrastructural (fixed corporate hierarchies versus adaptive criminal networks), implementation (strategy versus practice), and priorities (corporate executives versus operational staff). The most detrimental of these is the misalignment of priorities between corporate leaders and security practitioners, which undermines the effectiveness of existing solutions. Because the two groups have different occupational priorities, a degree of disagreement, and subsequently distrust, can exist between them.
Compliance standards are only a guide for enterprises, not an effective measure against consistently evolving threats. Three limitations follow. First, putting compliance first can cause operational redundancy, which limits an enterprise’s reactiveness and adaptability in security. Second, compliance standards are permanently playing catch-up because of their inherently reactive nature: they codify lessons from past incidents, not the attacks still to come. Third, compliance standards govern internal security practices (e.g. PCI DSS), but not necessarily the technology used (or produced). These limitations are only exacerbated by the institutional misalignment that renders the ‘approaches and changes’ mentioned in Sian’s post ineffective.
Solution: Securing the Future
If we want change, we need to focus not just on how we use technology, but also on how we create it.
It must be pointed out that cyber security will always be in a paradoxical state akin to Schrödinger’s Cat, and that total security is a theoretical fallacy. Unless genuine malicious activity is directed at a network, there is no way to know whether a ‘protected’ network is truly secure. Whilst we have penetration testing to simulate such conditions, it is not without limitations: a test is bounded by its scope, its duration and the skill of the tester, and it says nothing about an attacker who arrives after the report is filed. Security practitioners are already encumbered by misaligned priorities, and this will undoubtedly affect technological innovation that is driven by exploiting the expanding Internet of Things for market dominance. Therefore, the one thing we could do to induce the greatest effect is to get ahead of the game, and that means regulating technological innovation.
Taking a page from history, executives should review the 2008 IDC White Paper sponsored by RSA, titled ‘Innovation and Security: Collaborative or Combative’. A key finding of that paper was that only 21% of respondents reported ‘that their security efforts are strategic, proactive and using security to enable innovation’, and that verdict is arguably still valid nine years on. Unless enterprises refocus on how to prioritise security alongside innovation, practitioners will forever be chasing attackers and patching vulnerabilities. The arguments against imposing compliance requirements on innovation fail to consider that society’s inherent complacency is leaking into the innovation process, especially now that digital innovation is remarkably easy. By securitising the innovation process, security practitioners in user enterprises can focus on their own environments, rather than also being encumbered by outside technologies brought in through trends like Bring-Your-Own-Device (BYOD).
Patience is Key
In summary, we have identified that the limited effectiveness of contemporary solutions stems from a complacency that is exacerbated by a misalignment of priorities and objectives within most businesses, and which leaks into how enterprises integrate existing digital technologies. By shifting our focus towards the innovation of technology, we allow for securitisation before that technology is applied in society.
Finally, we remind all parties that there is one last limitation affecting every solution: time. All solutions will take time, and must be able to withstand the test of it. Whilst leaders (both corporate and security) want to see results, the security paradox reminds us that security cannot be guaranteed until it is faced with a real threat.