Years ago information security or cybersecurity was in the hands of specialists, which set the rules and the users had to follow â€“ in theory. Whether the users really followed the rules, policies and recommendations is a different story but it worked that way. I rarely remember a CIO/CFO or CEO really being interested in security â€“ until things broke.
Today, life is different. If I look at the public space, a lot of people want to talk about cybersecurity in one way or another, a lot of governments across the globe started cybersecurity initiatives etc. This is a really good development as societies will run into huge challenges if technology fails but it poses some new challenges as well:
- As security professionals, we are not used to simplify our messages and the work we do. We are not really used to explain cybersecurity to people who are already challenged with technology in general.
- This leads from my point of view to government elites, politicians and a lot of private sector organizations using military terminology. All of a sudden we get caught in talking about â€œweaponizing technologyâ€ â€“ which leads politicians thinking about applying similar rules and laws that regulate the distribution of weapons to technology. For us it is fairly clear that this does not work that way in most cases but the terminology implies this. The same thing happens, when it comes to defense. Military is used to â€œshoot backâ€. I had this discussion with a lot of people in different governments and non-IT people have a challenge understanding that it might be really, really hard to even figure out who is (technically) behind an attack â€“ worse to figure out who is politically behind an attack. Or do we really for sure know who stood behind Stuxnet? There are public speculations but thatâ€™s it.
- Trends like â€œBring your own deviceâ€ or social networks challenge our approach to security and our approach to defending our networks.
So, what needs to change? In my opinion, different things:
- I do quite some roundtables and sessions with people who do not know technology too well and security not at all. The typical approach (not mine) mainly by security product vendors is to use a lot of data to scare people, tell them what is wrong and how bad the world is â€“ just to tell them in the next steps that their products addresses all the issues. To me, it is rather about education than about scare. It is about showing the people the world on the Internet is not that different to the real world â€“ criminals mainly use the new technologies to commit â€œoldâ€ crimes with some exceptions like that the criminal does not have to show up at your store anymore. But we as a community need to change the way we talk. We need to simplify the message and help non-security people get a better feeling for the real risks.
- We need to push back heavily when people use military terminology. I do not want to get into the discussion of â€œmilitarization of the cyberspaceâ€ but I want to make it clear that the analogies of the military world do not work. I love analogies but only if they work â€“ here they fail. It is even worse, they lead to wrong conclusions. I heard politicians talking about regulating cyber weapons. How do you want to regulate lines of code?
Therefore, we mainly need to change the way we communicate outside the core set of security people. We need to leave the bubble and make our knowledge accessible to business people in a pragmatic way and understandableâ€¦