I participated on a live panel this week at RSA with Jeremiah Grossman, CSO of Sentinel One; Ian Glazer, Chairman, ID Professionals Working Group, Kantara Initiative; and Uma Karmarkar, a Decision Neuroscientist and Assistant Professor at Harvard Business School. The panel was moderated by Sean Martin, CISSP, Editor in Chief, ITSPmagazine.
The panel featured a broad array of topics mostly focused on how people and trust figure into cybersecurity. One idea that came up very early in the conversation was the notion that users cannot be 100% responsible for cybersecurity because their hacker adversaries are becoming more and more adept at fooling them. The industry must become smarter at detecting threats at a faster rate than attackers can create and market them.
For a long time, the industry has had a “shared responsibility” model, but it might be time for EULAs to stop broadly disclaiming all liability. This idea becomes even more important when we look at how consumers take the trust they perceive in one low-risk system (say, Gmail) and transfer it to a critical system, such as healthcare IT or autonomous driving. The balance between risk and trust is very different in these two scenarios, but we’re not seeing consumers being that discerning, and they should be.
There are a couple of solutions here. One is to think differently about how security pervades our lives (or, more typically, how it does not but should). For example, one of the panel participants asked, “Why not make the entire web SSL-encrypted? Sure it would break a lot of it, but not doing so protects the vendors, not the consumers.” Another idea is to build security into every new cloud service before it ever gets switched on, rather than bolting security onto it later (usually, of course, after a breach has occurred).
In this way, security can become a distinct product differentiator, and participants in the market can better choose which level of risk is right for them. Unfortunately for consumers, security is simply not a binary thing – systems are never 100% secure or 100% insecure – but more solutions are coming onto the marketplace to give the right user the right information at the right time (which is at the point of risk), to reduce the chance of choosing incorrectly.
Some other good news is that as cloud services that started as consumer companies become more enterprise-driven, they are taking security much more seriously. This, in turn, filters back to the consumer cloud company. Overall, I believe strongly that the IT industry has the responsibility for helping users not click that link, not open that email attachment, and not ignore security warnings. Education about risk tolerance and pre-set defaults established as industry benchmarks (much like the maximum temperature to which you’d set your hot water heater) make a lot of sense in cybersecurity.
There may be a role for government to educate and convene the industry to talk about agreed-to best practices and minimum standards. But beyond that, a more intrusive government role will introduce friction with no sense of immediate benefit. In the end, it is up to us, the cybersecurity industry, to be better social engineers of consumer behavior and keep them safe. Fear has not been effective thus far, and the time has come to illustrate the benefits of security rather than the awful things that will happen when you are not secure. This in turn is less about educating users about individual decisions and more about empowering consumers with respect to the services they use. And we all have a shared responsibility to do that.
If you’d like to learn more about how Avanan can help secure your organization’s SaaS apps, please be sure to visit us during RSA this week in the North Hall at booth #5009. We’d love to talk with you!