Balancing Complexity and Simplicity in Cybersecurity
12 November 2013
The Human Element in Cybersecurity
Rohit Ghai’s opening keynote at RSA 2020 last February was much better than I anticipated. I’d been sceptical of RSA’s choice of tagline (‘The Human Element’) for this year’s conference; I thought it seemed cliched and disingenuous. Yet Ghai did a commendable job of framing cybersecurity as a human story – one that we can, and absolutely must, retell.
In fact, Ghai’s speech resonated with me so much, that wanted to share his – and my own –thoughts on the question of the ‘Human Element’ in cyber.
It’s my view that the human element is exactly where we’re failing most significantly as cybersecurity professionals. The usual narrative here (which makes my hair stand on end) is that of the computer user as a problem to solved, to be scared, punished, regulated, trained and conscripted into a cyber conflict they will never truly be equipped for. This, however, is not the human element Ghai discussed, nor is what I want to discuss today. The human element is key to our ongoing cybersecurity battle, however, and I want to discuss four ways in which I believe this should be the
-
Empathy
As I lurked the floor at RSAC, trying my best not to be robbed of my email address, I overheard a number of passionate conversations about risk reduction, losses due to breach, ROI, market growth and profit maximisation. We talked about trends, waves, models, funding and start-ups. We talked about compliance and penalties. We talked about the C-suite and the CISO and burn-out rates amongst security professionals. What I didn’t hear anyone talking about is the victims. It’s reported that between 60% and 80% of US Social Security Numbers have already been compromised. For a key item of personal identification to be so thoroughly undermined is a devastating setback for the autonomy, safety and privacy of the individuals involved.
When businesses are breached and data is lost and used in identify theft, when accountants in Baltimore can’t file tax returns and when faith is lost in election results because of hacking, email dumps and misinformation campaigns, the real victims are the people who depend on those systems to live their lives. Everybody is talking about the Equifax share price and how their CISO was fired, but almost nobody talks about Aunty May, whose private information was stolen and will never be returned to her.
Several people at RSA have started talking about trust, and this is a crucial concept. Trust is the infrastructure that makes society, democracy and commerce work. Trust is about creating a positive environment in which people can thrive. According to DC, security is one of four key elements in a hierarchy of trust, so when security fails trust is lost… and real people are the victims.
If the cybersecurity industry wants to have any kind of impact on addressing the impending crisis of trust, rather than just padding investor pockets, we need to stop thinking of ourselves and start thinking about the victims who’s lives are impacted when we fail. We need to develop some empathy.
-
Leadership
Perhaps one of the reasons why our industry lacks empathy is because we also lack leadership. We’re saying it all when we describe ourselves as the ‘security industry’. The function of an industry is to sell products and generate profits. As a result, the leaders in our space, the people who write the papers and deliver the presentations that set the tone, focus our attention and concentrate our efforts, are concerned with profits, not people. What we desperately need is a shift of power away from security businesses, to the real stakeholders in society – the victims themselves, the businesses fighting to protect their assets and the governments and structures mandated to create safe and prosperous societies.
The role of leadership is to set a vision and define a purpose behind which a group’s efforts will rally. Behaviours are driven by incentives. We do what we measure. And let’s be honest, thepurpose of the security industry is not to ultimately ‘solve’ the security problem. Our industry wants more business, not less, and that creates a fundamental conflict of interest. Of course, there’s nothing wrong with businesses making a profit. But an industry incentivised by profit is the not where the centre of power should be when you’re addressing an existential threat. We need different leadership.
-
Role models
We lack the right leadership because of a lack of good role models. We all use analogies or metaphors to make sense of a complex world. Such metaphors are essentially models we use to organise and predict the behaviour of complex domains. As George Box taught us: All such models are ultimately wrong, but some turn out to be useful. We use metaphoric models in security also.
One such metaphor is that security is like running from a predator. It comes from this quote by Thomas L Friedman: “Every morning in Africa, a gazelle wakes up. It knows it must run faster than the fastest lion, or it will be killed. Every morning a lion wakes up. It knows it must outrun the slowest gazelle, or it will starve to death. It doesn’t matter whether you are a lion or a gazelle. When the sun comes up, you better start running”.
The running-from-lions analogy is then morphed to its natural corollary –that we don’t have to outrun the lion, we only have to outrun the other gazelles, our competitors. This in turn leads to an intense focus on benchmarking and ‘best practice’ as a metric for good security.
The industry has understood itself through the lens of various metaphors over the years. We’ve been auditors, risk managers, policemen, business enablers, infrastructure, warriors … even ninjas! These metaphors may seem trivial, but as I argued before they actually play a significant role in shaping our understanding of what our purpose is, how our environment operates, what our metrics are and, therefore what our behaviours should be. There is probably no ‘correct’ model to capture what we are, but I’d assert that we need to apply ourselves to examining these metaphors and carefully choosing which role models we want to use to best describe what it is that we do.
Healthcare, public safety, epidemiology, disease control, sustainability, permaculture, law & order and national security all present us with models that may take our understanding of our purpose and therefore our thinking and our behaviours in a different direction.
We are still a young industry and we haven’t figured ourselves out yet. As we move into adulthood, it’s essential that we choose the correct role models.
-
Diversity
The lack of ethnic and gender diversity in cybersecurity is clear for all to see. My interest however, is not in diversity for its own sake, but diversity as a means of injecting fundamentally fresh thinking and perspectives into the problem we’re trying to solve. This kind of diversity needs to encompass more than just gender and ethnicity; it must include different kinds of training and experience, different nationalities, ages and life experiences.
Our industry desperately needs to break the hegemony of middle-aged white male technocrats who not only fill all the chairs, but also continue to persist with the single-tracked and dated thinking that has failed us so spectacularly over the last two decades.
Creating such diversity is no simple endeavour, but it starts with a human element I discussed earlier in this piece – a clear statement of benign purpose that originates from outside the ‘industry’ and seeks to capture the ‘why’ and the ‘what’ of our function, rather than the ‘who’ and the ‘how’. As long as job descriptions continue to be written by those already in those jobs, they’ll always describe the work from the same perspective – a perspective that we’ve already seen is dated and one dimensional, and which by its nature therefore excludes fresh and diverse points of view.
If we describe what we need in terms of our benign purpose; if we capture the fundamental problems we’re trying to solve and describe a world in which people can talk, shop, play, work and vote safely and privately on a free and open internet, then perhaps we may find our job applications responded to from the fresh and diverse domains of skills and expertise we so clearly lack.
Empathy, leadership, role models and diversity are four essential human elements our industry desperately needs more of today. In developing these, it’s my hope that we can grow as an industry from being a selfish and arrogant teen, to a wise and well-rounded adult who understands herself as the essential co-constructor of a universally free and wealthy world that, with the right foundation of trust, is very much within our reach.