Ahead of her keynote at the RSA Conference, Cisco’s head of advisory CISOs outlines to Dark Reading a unique paradigm that asks security teams to stop fighting their users — and start sharing control with them.
RSA CONFERENCE 2020 — San Francisco — End users choosing their own security measures. Kindergarteners using phones without parental controls. Dogs and cats, living together; mass hysteria. Is it anarchy? Or is it simply a better paradigm for enterprise information security that is easier for everyone, less expensive, and actually results in more effective security?
This concept of “democratizing” cybersecurity will be the subject of a keynote session here today by Wendy Nather, head of advisory CISOs at Cisco (formerly Duo).
In an interview with Dark Reading, Nather said she was pondering the questions that the security industry relentlessly asks itself, like, “Why do people keep clicking things that I tell them not to click on?” And also the questions the industry should be asking itself but isn’t, like “Should we just stop telling them not to click on things?”
In rethinking some of these sacred cows, she revisited the idea of democratization — a term she first become familiar with when working with Duo co-founder Dug Song — and again had a question.
“What would democratizing security really look like?” Nather says. “We talk about this, but what could we do concretely?”
Nather breaks it down into three main categories: a move from a control-model to a collaborative-model; simpler, more usable design; and a more open security culture.
From Control to Collaboration
“We’ve always been thinking very authoritatively, from the very beginning, about security,” Nather says. “You know: ‘We’re the experts. We make the policy. You follow the policy. We control everything. Control the means and computing.’ But, as we know over the last decade-and-a-half or so, users have been taking away that control. They’ve been taking it over.”
The idea then is for security departments to collaborate with the people who need to be secured — and also more closely with the creators of the products that need to be secured.
“What if security were not a control organization but a service organization?” Nather says. “And how would that change how we interact with the people that we serve? And also, what would that look like concretely in architecture?”
If organizations can answer that question, they might also find cost savings because, Nather says, control equals cost.
“Everything that you still need to control is gonna cost you because you have to set policies for it. You have to monitor for compliance. You have to manage exceptions. You have to enforce compliance. All of this costs time and people and money,” she says. “So if you think about it in terms of control equals cost, what would we decide together with a business that it’s not so important for us to control?”
Design for Usability
“What if they could design security to be as easy as a spoon?” Nather says. “We don’t need annual spoon awareness training.”
Simpler design could create less friction for users and make security less frustrating, easier to achieve, and even desirable.
“Really beautiful design encourages security adoption,” Nather says. “As Dug [Song] says, as part of democratizing security, we should be designing for adoption, not engineering to enforce security.”
The infosec field tries to force its culture onto everyone else, Nather says, whether or not the rules and norms of the infosec community make sense in other populations. She gives the example of making kindergartners use passwords before they even know their numbers and letters.
However, Nather says, if the infosec community makes security less mysterious and less controlling, it might prevent sad security history from repeating itself again and again.
“Web came along, and we made a lot of mistakes. And then mobile came along, and we saw the same mistakes we made over and over again that we made with Web. Now, with IoT, we’re seeing them again and the question is, well, why?” Nather says. “And the answer is because it’s a different population developing [these technologies] every time, and they haven’t learned from our mistakes — because these are new people.
“So we have to spread out the security knowledge so that no matter what comes along in the future, anybody can secure it. Not this elite group of people — wizards in the security industry that have all the knowledge but are not sharing it or not adapting it to how everybody else wants to use it. You know, we have to upend that entire model.”
From Helicopter to Free Range
Put all of this together, and a helpful analogy may be this: If the current state of cybersecurity management is akin to “helicopter parenting,” then democratized security is more like “free-range” parenting.
And that analogy can actually be taken quite literally.
(“Helicopter to Free Range” continued on next page)
Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad … View Full Bio