
Five Things I'm Hoping For in the Security Industry


"Put me in coach, I'm ready to play today; Put me in coach, I'm ready to play today. Look at me, I can be Centerfield..." - John Fogerty

Living in the Boston area, I find this to be one of the greatest times of the year. The Red Sox are back, fresh off another championship, and we are getting poised to enjoy a great New England spring that we really earned this year, after suffering through a brutal winter. As the saying goes, hope really does spring eternal. And while hope is everyone’s best friend come baseball season, or as they prepare to hit the links for the first time, I am painfully aware that in business and in security, hope is not a plan.

However, that doesn’t mean we can’t dream a bit about the best case scenario. In the spirit of the season, here are five things I’m hoping for in the security industry this year:

1. A more prominent seat at the table. It seems like we’ve been talking about this one for a while, but until the CISO and other top security officials start getting a more receptive audience within the C-suite, security is never going to become a priority. Very few leadership teams seem to want to engage in a security discussion before an event takes place, choosing instead to save the tough questions until after the fact. Management should start listening and posing questions as a regular part of running the business.

2. A fundamental shift in the way we approach security. I’m not sure how or when it was decided that we should take a strictly defensive posture and approach to our security programs. Yet for years that has been the approach, with all of us working to build up our defenses and hoping we plugged all the potential holes before a hacker finds them. A better approach centers on being more aggressive and taking a proactive stance when it comes to security. Working to proactively uncover vulnerabilities in your organization rather than sitting back “waiting to be hacked” can eliminate a lot of pain and suffering down the road.

3. Users create stronger passwords. This probably seems like a lightweight point to make in a security publication, but the fact remains that weak passwords continue to wreak havoc in organizations. Hackers will always look for the easiest point of entry and will move on when they meet resistance. This is similar to how a car thief will look for an open door or keys left in the car rather than trying to gain entry to a locked vehicle. By simply using stronger passwords, a significant number of intrusions could be avoided.

4. A greater focus on the homeland. Potential cyber-attacks on our nation’s infrastructure represent one of the largest threats to our country’s security. Yet, very few people seem to want to talk about it. When a retailer is attacked and customer data is compromised it is front page news for weeks. Hearings are held, and CEOs are put out in front to answer some really tough questions about how this could have happened. Yet the possibility of the electrical grid or transportation system going down due to a large scale attack goes largely ignored. Perhaps this seems a bit too science fiction for the media to take seriously, but trust me on this one, the threat is very real.

5. Break the hype cycle. This is another one of my favorite topics, and it will continue to be until we, as an industry, break the cycle. Security vigilance is always a good idea; fear, uncertainty and doubt (FUD) is not, and it distracts from the larger messages at hand. You can only “cry wolf” so many times before users and the media begin to tune you out. By overhyping our products and technology, we lose the important messages in the static. As I’ve said previously, hype is the worst four-letter word in the security industry.

While I’m also hoping for a repeat for the Sox and to someday play Augusta National, the above are my current wishes for the security industry. Every year we make tremendous strides in technology and in the analysis of attacks, but we aren’t alone. Attacks, and attackers, are becoming much more sophisticated, and better funded by nation-states and criminal enterprises than ever before. If only a couple of the issues I outline above come to fruition, we’ll be that much closer to stronger security. It’s spring, so anything is possible, right?

Mark Hatton is president and CEO of CORE Security. Prior to joining CORE, Hatton was president of North American operations for Sophos. He has held senior roles with companies ranging from venture capital-backed, early-stage software vendors to a Fortune 500 information technology services and distribution organization. Hatton holds an MBA from Boston University, Massachusetts, and a BA in Communication from Westfield State College, Massachusetts.