“We are trying to secure democratized technology with an unsustainable security model; it’s time to break it and put it back together,” said Wendy Nather, Head of Advisory CISOs for Cisco, in her keynote address at this year’s RSA Conference.
The old ways of building security no longer work, she says. Consider:
- Training and security exercises tell individuals not to click malicious links, yet the individuals still do. Maybe that’s because, Nather proposes, it’s unreasonable to expect users to refrain from using the Internet the way it’s designed — where it’s all about clicking. It would make more sense to build in security so that they could safely click anything.
- We’re seeing the same security vulnerabilities and mistakes that were designed into web servers years ago now being designed into mobile systems and the Internet of Things (IoT), because different populations are doing the development and haven’t had a chance to learn from past experience.
- Security is often “us versus them” or security professionals against users, perpetuating a culture of exclusivity rather than collaborative security.
For security to become more effective, security leaders must flip the script. Nather offers three steps toward doing so.
1. Move from control to collaboration
“We need to move away from an authoritarian control model to a collaboration model,” she says, where users and the business are empowered to make decisions about access, weighing the opportunity against the risk.
She offers the example of a zero-trust model, where individuals can request access to the applications or services they want and are advised of the security requirements they’ll need to meet.
“Those requirements may be different according to what is being protected,” Nather says, but it’s a collaborative model where users are involved in security decision making and in making their own devices compliant with security requirements.
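The access model described above can be made concrete with a small policy check. The following is an added example, not code from the keynote or from Cisco/Duo: each protected resource carries its own requirements (stronger ones for more sensitive data), a request is evaluated against the requester's current device posture, and a denial returns the unmet requirements in plain language so the user knows what to fix. The resource names, requirement keys and thresholds are constructed sample values.

```python
"""Added example: a minimal zero-trust style access decision.

Instead of a flat allow/deny, the decision lists which requirements the
requesting device does not yet meet, so the user can bring it into
compliance and ask again. The policy and posture fields are constructed
for illustration and are not from the original article.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Per-resource requirements (constructed sample policy). More sensitive
# resources demand MFA, disk encryption and fresher OS patches.
POLICY: Dict[str, Dict[str, object]] = {
    "wiki":    {"mfa": False, "disk_encryption": False, "max_patch_age_days": 90},
    "payroll": {"mfa": True,  "disk_encryption": True,  "max_patch_age_days": 30},
}

# Human-readable remediation advice for each requirement key.
ADVICE = {
    "mfa": "Complete multifactor authentication for this session.",
    "disk_encryption": "Enable full-disk encryption on this device.",
    "max_patch_age_days": "Install pending operating-system updates.",
}


@dataclass
class DevicePosture:
    """What the requesting device can currently attest about itself."""
    mfa_completed: bool
    disk_encrypted: bool
    patch_age_days: int  # days since the OS was last patched


@dataclass
class Decision:
    allowed: bool
    unmet: List[str] = field(default_factory=list)  # requirement keys not met
    advice: List[str] = field(default_factory=list)  # what the user should do


def evaluate(resource: str, posture: DevicePosture) -> Decision:
    """Compare a device posture against the requirements of one resource.

    Unknown resources are denied by default: an unlisted resource has no
    requirements defined, so nothing can be shown to have been met.
    """
    rules = POLICY.get(resource)
    if rules is None:
        return Decision(allowed=False, unmet=["unknown_resource"],
                        advice=["No access policy exists for this resource."])

    unmet: List[str] = []
    if rules["mfa"] and not posture.mfa_completed:
        unmet.append("mfa")
    if rules["disk_encryption"] and not posture.disk_encrypted:
        unmet.append("disk_encryption")
    if posture.patch_age_days > int(rules["max_patch_age_days"]):
        unmet.append("max_patch_age_days")

    return Decision(
        allowed=not unmet,
        unmet=unmet,
        advice=[ADVICE[key] for key in unmet],
    )


if __name__ == "__main__":
    laptop = DevicePosture(mfa_completed=False, disk_encrypted=True, patch_age_days=45)
    for res in ("wiki", "payroll"):
        d = evaluate(res, laptop)
        status = "allowed" if d.allowed else "denied"
        print(f"{res}: {status}", *d.advice, sep="\n  ")
```

Running the block with the sample laptop grants the wiki (no MFA required, 45 days is within the 90-day patch window) but denies payroll, listing MFA and the 30-day patch requirement as the two things to fix. The point of the structure is the `advice` list: the same policy engine that enforces access also tells the requester how to become compliant, which is the collaborative half of the model.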
2. Simplify design
It’s commonly acknowledged that the more difficult or complex security is, the more likely users are to find a workaround. That same complexity is also causing fatigue among security professionals.
Nather draws a comparison with the simple design of a spoon: “Even a toddler easily understands how to use it, and we don’t have annual spoon awareness training. How can we think similarly about security?”
Users have a job to do and they want to get on with it. Think about building a consumer-grade, slick experience by incorporating technologies like multifactor authentication (MFA) and single sign-on, which make it easier for users to securely access what they need. Doing so also reduces the risks that CISOs and their teams must continually manage.
3. Open the culture
“We can’t keep shoehorning people into our narrow security culture,” Nather says. Using a Harry Potter reference, she adds: “We have to stop thinking of ourselves as Wizards and users as Muggles.”
This means security can no longer be solely the province of professionals, analysts, vendors, or even governments. Any technology user in our society should be able to make good security decisions for themselves in their own best interests, Nather says.
“It has got to be security of, by, and for the people. We need to bring in all stakeholders, of all ages, so we can do this together.”
For more information about how to democratize security, visit: https://duo.com/security-123