I had the privilege of delivering the opening keynote address at BSides Belfast 2019. My main goal was to ensure the audience understood the importance of best practice cybersecurity. And the stars all seemed to line up in my favour. The conference was on the last day of October – or cybersecurity awareness month, as we know it in the industry. What’s more, 29 October 2019 happened to mark the 50th anniversary of when the internet as we know it was born.
This gave me the opportunity to consider how the internet has grown. It has grown from being a small network to becoming a core part of the infrastructure we now rely on. It’s part of the fabric of society and our daily lives, from the cars we drive to the lights that illuminate our streets. The internet has enabled the human race to develop and create new technologies, to collaborate, and to explore new ways of doing business.
Then, I brought best practice cybersecurity into the presentation. With all the wonderful things we can create, there are also significant risks that we have to deal with. We have reached the point that the World Economic Forum ranks cyber-attacks as a top five risk in terms of likelihood, and seventh in terms of impact.
Repeating old mistakes
Why is this? We’re rolling out all these new technologies like IoT and connected devices but we’re making the same mistakes that we made in the past. We’re putting insecure systems and applications on the internet. Then, they’re getting hacked. This is because we haven’t followed basic best practice cybersecurity principles like keeping systems patched and using strong passwords.
I said that as an industry, cybersecurity doesn’t learn very well from incidents. There’s a tendency to blame victims or mock those who have been attacked, rather than the criminal or criminals who carried out the hack. I spoke about the need to move away from that approach because it doesn’t enable people to share or learn from the experiences – and, let’s be honest, the mistakes – of others.
Infosecurity tends to make people learn through best practice and industry standards. But that’s like trying to teach people to ride a bike by giving them a book. Sometimes you have to hand someone a bicycle and allow them to crash and fall off.
Lessons from the aviation industry: understanding the importance of best practice cybersecurity
Expanding on this theme, I drew an analogy between security and the aviation industry’s process for learning from incidents. (October 2019 also happened to be the 100th anniversary of KLM, one of the world’s first commercial airlines.) The air travel industry has evolved over a century, and the number of accidents and deaths caused by crashes and incidents has dropped dramatically – particularly in the last 50 years.
I went into the reasons for this: commercial airliners have to be built to certain specifications, and manufacturers have to buy specific parts that are verified. The analogy here is supply chain security. This applies not only to software but also to hardware. For example, various manufacturers’ routers are known to have flaws – some deliberate, some due to poor practice. Similarly, many Intel servers have vulnerabilities at the chip level. We need more rigour to ensure that every level of a system is secure, not just the operating system that sits on top.
Airlines also have a very strict maintenance programme to follow. Every time a plane lands, it’s checked to ensure it’s still safe to fly. There’s a pre-flight checklist to ensure everything’s working as it should. After a certain number of air miles, airlines must take planes out of service to check that all their systems are up to date. Or patching, as the security industry calls it. The next point in my analogy was that pilots must be properly trained. Not everyone can fly a plane, and those who do need to maintain proficiency throughout their careers.
Sharing information so that everyone learns about best practice cybersecurity
If a crash happens, it’s thoroughly investigated. The results are then shared with every air authority to prevent something similar from happening again elsewhere. By contrast, in security, we often don’t know what goes on during and after an incident. I used the example of the Equifax breach, which was due to a vulnerability in Apache Struts software. Two years on, we still don’t know what happened: whether Equifax’s vulnerability scanner wasn’t working, was misconfigured, or the person operating it wasn’t trained enough. I said that we need to put the onus on vendors to ensure products are secure. They need to take liability and responsibility when their products are insecure.
A lot of the industry coverage about compliance and standards treats them as a burden or an annoyance, but I took the opposite view. As an industry we need to embrace them, not fight them – since they’re going to happen anyway. The NIS Directive and GDPR were just the start. There will be lots more regulations and laws put in place so governments and citizens can have better confidence in the safety of the internet.
A plane doesn’t fly in isolation; it’s part of a broader system that includes air traffic control, to ensure the flight is safe. Infosecurity Magazine’s report of my presentation noted the contrast with practices in the technology industry. “We launch things on the internet and hope they will work and if they don’t, we fix the problem in the next release. You cannot do that at 10,000 feet.”
The audience at BSides Belfast was young, and I spoke about how our passion for technology has got us to where we are today. The internet is middle aged; cybersecurity is still a teenager. Now it’s time to mature and grow up.
Actions for cybersecurity professionals: best practice cybersecurity
Thinking back on the presentation while I drove home from the conference, I thought of some advice. I believe there are several clear actions that technology and security professionals can take to make improvements in their own organisations and, more broadly, in business and society. This will ensure best practice cybersecurity all-round.
1. Engage with the business
Security professionals need to engage with the business, understand its risks, and consequently its needs around security. The aim is to make sure the security solutions in place help the business rather than hinder how it works, and to provide the support that helps it get there.
2. Improve accountability
Greater professionalism in the industry means not just certificates – although that’s part of it. If I call a plumber or electrician, they have to be licensed, trained and qualified. When hiring for an IT role, anyone can pass themselves off as a security expert. Many do, but there’s no accountability when they give the wrong advice.
3. Lead from the front
Coach and encourage others to come into the profession. I strongly believe that diversity of backgrounds, experiences and thoughts is vital to help the industry. If you’re a leader in cybersecurity, you need to lead from the front and not the back. That means engaging with colleagues, stakeholders, senior management or, in some cases, policy makers. If public speaking or report writing is not your core skill, then acquire those skills. That can be through coaching to apply them in your role. Alternatively, recognise the diversity of abilities in your team and promote someone who can do those jobs.
4. Encourage diversity
We should look to other disciplines for the skills we need in security. Good-quality design and UX development skills are available across the industry. Good communicators might come from HR or customer-facing roles in the hospitality sector, PR or marketing. All could be people we bring into the industry who could help.
5. Understand your audience
When it comes to communications and security awareness training, our audience will vary by age profile, technical capability and business responsibility. All will be busy individuals who are having to sit through compliance training. That means we need to make the most of whatever precious time we get with those individuals. That requires people who can craft messages that will resonate with that audience.
6. Improve usability
When I look at many tech startups, and even traditional businesses, many of the people in charge are men. They may be very technical, but there are other areas that we need, like usability. Take PGP, for example; it’s great for providing secure email, but it’s hard to use. As a result, few ordinary office workers have taken time from their roles to understand how it works. The lesson here is that we need to ensure the solutions we put in place are applicable and understandable to those who will be using them.
As an industry and a profession, we need to think about how we show things on screens. We need to make technology more usable so that security becomes something invisible, in the background, that the user doesn’t need to worry about. When I board a plane, I don’t need to worry about the last time it was patched; let’s try not to put the onus of securing our systems on the users.