You can't solve every security problem with technology. You have to create trust on a human level -- but how do you go about doing that?
A panel discussion at Cisco Live in Melbourne this week addressed the question of how to create trust in a world where threats evolve rapidly, workplace cohesion is declining and no-one is likely to score a large budget to tackle the problem. Here are some of the key lessons that emerged.
It isn't just an IT problem
Building that trust begins by recognising that IT-related security issues can't be addressed effectively if they're viewed purely as an IT problem. "You can't just ignore it and say it's a CIO problem -- it's the entire business model of the business itself," said John Stewart, chief security and trust officer for Cisco.
That also requires the realisation that IT security presents the same challenges as other security issues, albeit on a different scale. "Cyber crime is just crime. Cyber espionage is just espionage," said Mike Burgess, chief security officer for Telstra. "It's not new, it's been going on since Noah was a boy. But the adoption of technology and the proliferation of the Internet makes this a global problem because crime and espionage can occur at a pace, scale and reach that is unprecedented."
Burgess also noted that even outside the realm of deliberate attacks, mistakes in one IT implementation could often have a much broader effect than previously, because so many systems are integrated. You can't stop that trend, but you can at least recognise it.
Focus on transparency, not consent
Trust becomes a particularly crucial issue when you're dealing with customer data. "Trust has two key elements: a security element -- do I trust an organisation to keep my data secure? -- and a policy element -- do I trust that organisation to be transparent in the way they use my data?" said Gary Blair, CEO of the Australian Cyber Security Research Institute.
While many organisations will ask customers to consent to privacy policies (and most customers will click their agreement without ever reading them), Blair argues that being transparent about how a business is going to use the data is much more important than consent itself. If a customer has signed a consent form but feels their trust has been abused, the legal status isn't going to stop them taking their business elsewhere.
Don't rely excessively on frameworks
There are numerous security frameworks, ISO-approved and otherwise. They can provide useful guidance, but there's a major risk they'll become a checklist that's implemented once and ignored, rather than a source of ongoing guidance.
"The biggest problem with all the frameworks is that they are way too complicated," Telstra's Burgess said. "I've seen organisations implement those frameworks well and still get hacked. You have to focus on what's really important to you, rather than a 'tick and flick' exercise."
"The consequence of having so many frameworks is that it's hard to have consistency across businesses," Cisco's Stewart noted. "The world moves on by the time it's fully ratified. The question you need to address is this: is it actually meaningfully reducing the risk in the way you expected?"
It's a never-ending battle
Systems require patching. Technology that claims to be secure on the day of purchase almost certainly isn't 12 months later. "Any notion of static assurance that a system is worthy of trust just doesn't work," said Cisco security business group CTO Bret Harman. "You have to keep proving that you're worthy of that trust."
"My top of mind challenge is how to make security an issue that isn't an issue," Telstra's Burgess said. It's a laudable goal, but an unlikely reality. Software can't be perfect and humans make mistakes, so issues are always going to arise.
Even with a dedicated security budget, problems may arise -- you have to learn to live with that. As Stewart pointed out: "If a truly dedicated team is coming after you for a very long period of time, then the probability of them succeeding at least once does go up."
Disclosure: Angus Kidman travelled to Melbourne as a guest of Cisco.