In other industries, failure is embraced as a learning opportunity. In security, not so much.
Instead, it’s too often an opportunity to victim-shame, a chance to mock a corporate giant such as Equifax, which recently lost 145 million customer records and had a CISO—albeit one with a lengthy IT career—who held a music degree, much to the glee of the Twitter echo chamber.
In his closing keynote at Virus Bulletin 2017 on Friday, independent consultant Brian Honan said security is failing as an industry to establish trust.
“As an industry, we’re very bad at learning new stuff—and we mock victims,” said Honan, founder of Ireland’s first CERT IRISSCERT and an Infosecurity Europe Hall of Fame inductee. “Deloitte is a victim. Equifax is a victim. Yahoo is a victim. Every customer who trusted those companies with data is a victim. Yet as an industry, we laugh and we mock, and our reaction is not to learn or share, but to keep things quiet.”
Instead, he made an impassioned plea to learn from other industries, such as airlines, that plan for failure, expect things to fail and react accordingly. The result, as he showed on Friday, is a remarkable turnaround in the airline industry’s safety record since the mid-1980s.
“We need to share our dirty laundry, and stop creating an atmosphere of fear and mocking,” Honan said. “Our first reaction needs to be to help and not mock. If we don’t do that as an industry, the government is going to do it for us.”
The cascading failures of 2017, replete with mega breaches and global ransomware outbreaks, are symptomatic of issues that have lingered for close to two decades. As Honan points out, we still haven’t figured out passwords, we still open untrustworthy attachments, we still stink at patching, and malware still finds its way onto computers.
“In 2017, why are we still relying on people to pick ‘password1’ to protect them from criminals?” Honan asked incredulously.
Poor passwords, missing patches, out-of-date software, out-of-date antivirus, a lack of continuous monitoring and an endless string of vulnerabilities are burying security pros in a sea of distrust.
“These are not super cyber ninjas in North Korea [who are hacking us],” Honan said. “We repeat the same mistakes over and over and we’re not getting different results.”
As 2017 has so far demonstrated, major attacks carry more real-world, bottom-line consequences than ever before. WannaCry forced hospitals across the U.K. to re-route patients. NotPetya put global shipping line Maersk out of commission for some time, as well as pharmaceutical giant Merck. Maersk alone reported $300 million in losses from the June wiper attack.
And the solution offered to enterprises and midmarket companies is an endless parade of appliances and products sold on the basis of fear, uncertainty and doubt, without ever touching the underlying problem.
“We need to change what we are doing. We need to change our approach based on FUD,” Honan said. “The key thing in our industry is to scare the crap out of someone and then come in with a shiny box and say ‘Here you go, this will save you.’ And when that doesn’t work, what do you do? You scare them again, and another shiny box comes in.”
Most firms aren’t in the crosshairs of advanced attackers, and most companies don’t necessarily need to concern themselves with zero days, Honan said.
“We need to stop relying on the APTs and zero days as a sales piece. What we’re trying to do is build trust,” he said. “We need to share information and lessons learned, and not be worried about doing it in an open way that may not bring value. If we don’t, I fear we may have a bleak future ahead of us where we won’t trust anything anymore. We won’t trust our elections, our transport, anything.”