Security experts are such a cheery lot. They’ll usually tell you you’re doing everything wrong and that we’re all doomed.
What’s especially “cheery” is that they’re usually right.
So when Scott Borg, director and chief economist of the U.S. Cyber Consequences Unit (a non-governmental nonprofit) took the stage at Light Reading’s New IP event yesterday, I was all set for a good time.
Borg delivered. His opening salvo and overall thesis about cybersecurity was, “The whole approach that’s being taken is profoundly wrong.”
He has a definition of security that I hadn’t considered before: protecting the creation and/or distribution of value. What the bad guys are trying to do is identify that factor and stick a wrench in it.
To that end, most cybersecurity groups are flawed from the start, he said. They “hardly ever know how their companies create value,” and they don’t get invited to the meetings where the creation-of-value cogs get built. “Hardly ever does a cybersecurity professional get to sit at the planning table for a new business operation,” Borg said.
That, in turn, hinders the security group’s ability to be forward-looking. They need to think about where attacks are going to come from and what new types of attackers might arise. Instead, most security operations seem to just patch whatever the latest flaw or exploit was.
The proper approach to cybersecurity involves three steps, Borg believes. Paraphrasing in my own words, they are:
- Figure out what part of the business is creating value.
- Learn who would want to upset that.
- Find out what they could do about it.
It’s all very easy to say, and probably very difficult to do, especially when the boardroom suits are obsessing about the last security breach rather than the next one.
Security is a painstaking process, not a point product — something I learned from talking to security expert Bruce Schneier a long time ago. But if you do it right, nothing happens. In that sense, all the high-profile hacks of late are a good thing; they might help convince business leaders that security is not just a PR issue and should not be an afterthought.