Extended Q&A

I was asked to participate in a Q&A session late last year, focusing on what the new year holds for us. It was the season for this type of activity, along with goal settings and establishing new year resolutions at a personal level. I consider the last one especially with a sort of amused disdain. I believe I am not mistaken in saying – and please prove me wrong, if you wish and can – that most new year resolutions are abandoned by the end of the first two months of the year. The reason for that is, I was told once, that new year resolutions are contracts with ourselves about ourselves. As the two parties are essentially one, the contract is doomed to fail.

Nevertheless, contemplating the future – which of course is an illusion as nothing happened there yet – can be useful. Better outcomes can be achieved when we consciously make meaning of our experiences – called remembrance and then history. This remembrance and meaning finding provide the substantive guidance we need for the future.

Having a number of people answering the same questions individually, empowered with this historical perspective, can be a useful idea. The rapid erosion of collective intelligence into group think can be avoided. Multiple point of views presented can bring out the essence of even the same perspective. Implications and consequences can be made clear. Consequently, a perceived problem can be better understood. Conflicting responses can help each participant to consider whether they really believe the answer they have given.

Considering all of these I agreed to participate. The questions and my answers to them are making up the rest of this paper. They are extended compared to the original as I have no word limit here. The original Q&A with my more compact answers and with the other participants’ responses can be found here

     1. What do you foresee being the Cyber Security Industry’s biggest challenges for 2018?

Information security is a mindset. Unfortunately, very few in the industry practice thinking securely or thinking security. Aside from this, the traditional concept of attacker versus defender is outdated. Defenders on one side, defending a list of assets against attackers, separated by clearly visible lines is just not sustainable. Especially not with the flawed concept of “security is as strong as its weakest link”.

Another flawed concept based on the traditional mindset is the purpose of defense itself. It is often forgotten, that the purpose of defense is preservation (passive purpose), not conquest (active purpose). An analogy here might clarify what I mean.
In military doctrine, warfare (especially 4^th generation warfare) “is to convince an opponent that its strategic goals are either unachievable or too costly”. This fourth-generation warfare refers to “insurgency that employs all available venues”, which is reasonably fitting to the situation the cyber security industry finds itself in. What I am driving at is the guerrilla type irregular warfare with tactics of sabotage, quick raids, harassment and so on against a larger but less mobile foe.

Along the lines of fourth generation warfare, the cyber security industry should not engage in hostilities with adversaries with the purpose of annihilating them. The focus should be on discouraging the attacker to carry on with the attack. This means different activities, different focus and most importantly, different thinking on behalf of the defenders.

As attackers in general are looking for opportunities instead of deliberate direct attack, their thinking needs to be understood. This thinking can be described as thinking-in-graphs. What this means is twofold. First, attackers map out their goals in general, like “I want to travel around the world flying on first class”. Then they lay out what they need, to achieve such goals. “I will use frequent flyer points to achieve this goal, and this is the way to get them”. Second, they like mapping out where valuable targets might be found in a given environment. The path, and this is usually an indirect path through existing vulnerabilities – and that includes people! – that might be  exploited to reach the target, completes the graph.

The traditional thinking brought us most of today’s problems, so it is not reasonable attempting to fix them by the same thinking that created them. Especially not, when the Tyranny of Urgent is in action. Once this is understood, thinking in graphs is one way to be effective against adversaries – both insiders and outsiders. Applying the adversaries’ own thinking against them and limiting their visibility to follow an exploitation path one step ahead a time is a reasonable way to discourage an attacker. Mastering it is the biggest challenge.

     2. How do you think Notifiable Data Breach and GDPR legislation will impact our industry?

These legislations are not well understood; consequently, uncertainty and fear surround them. For example, the European Union’s General Data Protection Regulations (GDPR) is not about protecting privacy. It is about the processing and protecting of personal data. Privacy is part of it, but the concept of personal data is significantly wider than just privacy. In Australia, the Notifiable Data Breaches (NDB) scheme aims to make an entity’s response to a data breach transparent to those whose personal information is involved in the breach.

Both legislations address issues that are not technological, therefore should not be approached by technology. They rather aim to change the way we think about personal data. Currently there is far more personal data collected by organisation than necessary. Such data is then viewed by collectors as their own assets (both commodity and currency) from which to make profit. Limiting such behaviour is both a systemic and cultural challenge.

These legislations shift the responsibility for data protection from the individual to the data collector. Yes, there will be some unforeseen consequences of course. Yes, there will be areas or aspects that would lose strengths. Yes, a number of current practices need to be re-thought. However, once the historical and legal background of GDPR is understood, economic advantages, improved risk management and innovation will be just a few of the benefits.

     3. Which security gaps should organisations be looking to address in 2018?

Most security breaches are the result of known vulnerabilities exploited by known methods. There will always be zero-day attacks, but many of the security gaps they exploit could be reduced by diligently doing the basics. This is quite different from “industry best practice”. I would expect very little resistance to the claim that such practice does not exist. Best for whom? In what context?

I suggest instead what I call “hygiene practice”. We all have personal hygiene habits, such as washing hands, brushing teeth, combing hair, etc. (some do it better than others). Along this line, we need to do the basics – habitually. Doing the ASD Essential 8 is a good start in this sense.

It remains for me to say here that these “hygiene practices” are not attractive to most. Therefore, they are not done completely or regularly. The pervasiveness of information security threats demands that they be done habitually, though. Reasonably significant improvements can be achieved in the security posture of an entity by doing these basics. This is where security as a mindset is a necessity. Technology – irrespective of how shiny it might be –helps only little without the security mindset.

     4. Which emerging technologies or start-ups should we look out for in 2018?

The need for threat intelligence is one of the most important aspects of information security, I have observed. This is different from acquisition and analysis of information to assess capabilities, intent and opportunities. Having a data lake is a splendid idea, but unfortunately more often than not, organisations end up having a data swamp instead.
Our principal difficulty in solving information security problems is not stemming from having insufficient data. It is quite the opposite. We have far too much data to the point that we are sinking in information glut, rendering us paralytic to act. Or, using another metaphor, we readily build a haystack around a needle instead of picking it up immediately.

Threat intelligence technologies and services enable responses to be proactive, instead of reactive. That indicates timeliness of both information acquisition and action based on such information. Threat intelligence therefore goes beyond data hording, using the acquired information to provide guidance and direction for action. Without action, information is not intelligence, irrespective of how much of it we have. Technology integrated with activity to get such actionable information from external areas of interest, such as the Dark Web in real time is what I see as an emerging field.

As per start-ups, it would be easy to name a few companies. Chances are though that by the end of the year we would not even remember most of the names. A promising company is as good as the promise they fulfilled. A promising company is a “could be”. Fulfilling the potential is what makes them not only the “it” company, but also – with the years to come – the “has been” – and I say it with reverence, thinking of the Nokias, the Kodaks and likes – that would be remembered long into the future.
Instead of naming such companies, I would reflect on what traits I am looking for and when I see them, I sit up and pay attention. The list of favourable traits below is not exhaustive, but, alas, it is representative.

One must begin, I think, by describing them negatively.

There are the “seemings”. Many seem to read, but they can’t. Many seem to comprehend, but they don’t understand. Many call themselves agile, yet it only means that they are unable – or unwilling – to stay with one problem long enough to work out the intricacies of a solution. Many seem to have style, but it is used only to cover the absence of substance.

Many seem to think, but facts confuse them.  Many call themselves disruptors, but they only disrupt themselves. Every industry has them, but information security seems to have more than its fair share of them. When I see any of these traits manifested, irrespective of how flashy the presentation is, I decide not to pay much attention.

To put it positively, I wish to make four observations. Firstly, and probably central to all the others, good start-ups have a grievance and do something about it. Grievance is not inevitably a bad thing. It is a necessary condition for good problem identification. Sadly, most people stop at this point, including some senior executives in the information security industry.
However, stopping at grievance without doing something about it then becomes a choleric complaint. Those who go the distance as start-ups are not satisfied with describing the problem in colourful variations. They move on to identify and offer a solution. This solution offering to a real problem then becomes their mission.

Second, good start-ups have clearly defined mission, vision and strategy. As a side note, mission is why an entity exists, vision is where they want to be in a given time frame and strategy is how to get there. Having these properly identified not only helps them to avoid starting on a journey for which there is no destination, but also to have the substance instead of being “seeming”.

All of which brings me to the third observation. Good start-ups know their own strengths and weaknesses. They also know their market segment, their key differentiators and their competitive advantages. They understand strategic paradoxes and have their strategic ideas as well as their critical success factors defined.

Lastly, good start-ups make effort to understand their customers’ thinking.  They pay attention to it. They shape their message accordingly. I should like to illustrate what I have in mind by offering the hypothetical case of a start-up wanting to offer a reliable information security solution to large organisations. They are young, energetic and have confidence in the superiority of their solution offering. Thinking of themselves as superheroes is very tempting. As it resonates with them internally, they create a public image of themselves accordingly.

Yet, the decision makers of those organisations to whom they want to sell their solution are of an older generation. They look for stability, reliability, simplicity and sustainability. Excitement doesn’t excite them. They follow process as it gives them safety. A superhero for them represents exactly the opposite. So, they readily overlook the young, energetic start-up, who are left wondering, why those dinosaurs do not want them.

Now, you may have the impression from what I have just said, as well as from all that preceded it, that I do not like start-ups. Far from it. I appreciate goodness, wherever I can find it. However, it is not possible to overstate the fact that newness doesn’t translate to goodness automatically. A new idea with venture capital is not necessarily enough. Note that the point here is not that start-ups are not good enough, but rather that ability to execute, experience, stability and scalability are the important elements I look for.

     5. What one thing do you wish you had done in 2017, that you are going to do in 2018?

There was a survey quite a while ago, asking citizens above the age of 95 this question:
– “If you could start all over again, what would you do differently?” –
Among many others, three comments dominated the responses:
If I could start all over again I would

• risk more;
• contemplate more;
• do things that live longer than I do.

I suggest the collected wisdom of these senior folks’ insights should be applicable to information security as well. Let me unpack these three comments a little bit then.

Taking risk is part of life. It actually makes us feel alive. In a sense it is part to be alive. It can take one out of his comfort zone to where magic can happen. Many want that magic in a rush though, without weighting up the cost of getting it. Consequently, they take unnecessary risks and end up losing more than what that magic offers.
Taking calculated risk is not making rushed decisions. It is to carefully estimate the possible outcomes and determining if the benefits match or exceed the cost of getting them. If they do, the risk possibly should be taken. Risk aversion itself can be a serious risk.

Contemplating more on what we are doing and why we do it is most helpful. I guess, creating point solutions is tempting because the immediacy of the problem. The natural tendency to fix the symptoms of a problem not the underlying cause emanates from this. The result is having the wrong focus and the waste of resources. Contemplation can help to avoid fighting fires that shouldn’t have needed to be lit in the first place. A wider view is usually needed to identify context and cause-and-effect better. Solutions that solve more than one problem can then be chosen.

Creating things that live longer than we do gives meaning for life. It is not what we take from the organisation we worked for that matters, but what we leave behind. What is our contribution? What is our impact? Is the organisation stronger because we are there or it is stronger because we left?

I request you, my reader to ask these two questions from yourself:

– “When it comes time to die, what difference will it make that I lived?” –

– “Am I living a life that lasts beyond the days of my breathing?” –

Sounds like a plan for 2018 – and beyond?