This post appeared first on Naked Security Blog by Sophos
Author: John E Dunn
This post appeared first on Naked Security Blog by Sophos
Author: Lisa Vaas
Cybersecurity experts are no longer the only ones involved in the dialogue around data privacy. At RSA Conference 2019, it’s clear how far security and privacy have evolved since RSAC was founded in 1991. The 28th annual RSAC has a theme of “better,” a concept that speaks to the influence of technology on culture and people.
“Today, technology makes de facto policy that’s far more influential than any law,” said Bruce Schneier, fellow and lecturer at the Harvard Kennedy School, in his RSAC 2019 session titled “How Public Interest Technologists are Changing the World.”
“Law is forever trying to catch up with technology. And it’s no longer sustainable for technology and policy to be in different worlds,” Schneier said. “Policymakers and civil society need the expertise of technologists badly, especially cybersecurity experts.”
Public policy and personal privacy don’t always coexist peacefully. This tension is clear among experts from cryptography, government and private industry backgrounds at RSAC 2019. In the past year, consumer awareness and privacy regulations, such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), has created an intensely public dialogue about data security for perhaps the first time in history.
The Cryptographer’s Panel, which opened the conference on Tuesday, delved into issues of policy, spurred in part by the fact that Adi Shamir — the “S” in RSA — was denied a visa to attend the conference. Bailey Whitfield Diffie, who founded public-key cryptography, directly addressed the tension between the legislature, personal privacy and autonomy. Other keynote speakers called for collaboration.
“We are not seeking to destroy encryption, but we are duty-bound to protect the people,” stated FBI Director Christopher Wray. “We need to come together to figure out a way to do this.”
Moving forward to create effective policy will require technical expertise and the advent of a new type of cybersecurity expert: the public interest technologist.
“The problem is that almost no policymakers are discussing [policy] from a technologically informed perspective, and very few technologists truly understand the policy contours of the debate,” wrote Schneier in a blog post this week. “The result is … policy proposals — that occasionally become law — that are technological disasters.”
“We also need cybersecurity technologists who understand — and are involved in — policy. We need public-interest technologists,” Schneier wrote. This profession can be defined as a skilled individual who collaborates on tech policy or projects with a public benefit, or who works in a traditional technology career at an organization with a public focus.
The idea of the public interest technologist isn’t new. It has been formally defined by the Ford Foundation, and it’s the focus of a class taught by Schneier at the Harvard Kennedy School. However, it’s clear from the discussions at RSAC and the tension that exists between privacy, policy and technology in cybersecurity dialogue that public interest technologists are more critically needed than ever before.
Today, Schneier said, “approximately zero percent” of computer science graduates directly enter the field of public interest work. What can cybersecurity leaders and educators do to increase this number and the impact of their talent on the public interest?
Schneier wants public interest technology to become a viable career path for computer science students and individuals currently working in the field of cybersecurity. To that end, he worked with the Ford Foundation and RSAC 2019 to set up an all-day mini-track at the conference on Thursday. Throughout the event, there was a focus on dedicated individuals who are already working to change the world.
Schneier isn’t the only expert pushing for more collaboration and public interest work. A Tuesday panel discussion focused on how female leaders in government are breaking down barriers, creating groundbreaking policy and helping the next generation of talent flourish. Public interest track speaker and former data journalist Matt Mitchell was inspired by the 2013 George Zimmerman trial to create the nonprofit organization CryptoHarlem and start a new career as a public interest cybersecurity expert, according to Dark Reading.
On Thursday, IBM Security General Manager Mary O’Brien issued a clear call for organizations to change their approach to cybersecurity, including focusing on diversity of thought in her keynote speech. “Cross-disciplinary teams provide the ideas and insights that help us get better,” O’Brien said. “We face complex challenges and diverse attackers. Security simply will not be better or best if we rely on technologists alone.”
When it comes to creating an incentive for talented individuals to enter public interest work, a significant piece of responsibility falls on private industry. Schneier challenged organizations to work to establish public interest technology as a viable career path and become more involved in creating informed policy. He pointed to the legal sector’s offering of pro bono work as a possible financial model for organizations in private industry.
“In a major law firm, you are expected to do some percentage of pro bono work,” said Schneier. “I’d love to have the same thing happen in technology. We are really trying to jump start this movement … [however, many] security vendors have not taken this seriously yet.”
There are already some examples of private organizations that are creating new models of collaboration to create public change, including the Columbia-IBM Center for Blockchain and Data Transparency, a recent initiative to create teams of academics, scientists, business leaders and government officials to work through issues of “policy, trust, sharing and consumption” by using blockchain technology.
It’s possible to achieve the idea of “better” for everyone when organizations become actively involved in public interest work. There is an opportunity to become a better company, strengthen public policy and attract more diverse talent at the same time.
“We need a cultural change,” said Schneier.
In a world where technology and culture are one and the same, public interest technologists are critical to a better future.
The post At RSAC 2019, It’s Clear the World Needs More Public Interest Technologists appeared first on Security Intelligence.
This post appeared first on Security Intelligence
Author: Jasmine Henry
This post appeared first on Naked Security Blog by Sophos
Author: Lisa Vaas
This post appeared first on Naked Security Blog by Sophos
Author: Lisa Vaas
This post appeared first on Naked Security Blog by Sophos
Author: Lisa Vaas
This post appeared first on Naked Security Blog by Sophos
Author: Lisa Vaas
This post appeared first on Naked Security Blog by Sophos
Author: Paul Ducklin
This post appeared first on Naked Security Blog by Sophos
Author: Paul Ducklin
Global risks are intensifying but the collective will to tackle them appears to be lacking. — The World Economic Forum’s “Global Risks Report 2019”
With the start of a new calendar year, chief information security officers (CISOs) are looking for ways to set the tone for the year and have more engaged conversations with top leadership regarding cybersecurity risks. The good news is January provided such an opportunity, but it’s not what you might expect.
Every year, the world’s elite descends on Davos, Switzerland, as part of the global gathering known as the World Economic Forum (WEF). A few weeks before they hold this event, the WEF releases its “Global Risks Report,” and this year, once again, cyber risks figured prominently. The report was based on survey responses from nearly 1,000 decision-makers from the business and government sectors, academia, nongovernmental organizations (NGOs), and other international organizations.
The report opens with its distinctive global risks landscape diagram, and cyber-related risks fall in the top-right quadrant of global risks, both in terms of likelihood and impact. When it comes to likelihood, data fraud or theft came in fourth place after three environmental risks, with cyberattacks rounding out the top five.
When ranked by impact, cyberattacks still made it into the top 10, in seventh place, followed immediately by critical information infrastructure breakdown. The fact that data fraud or theft wasn’t in the top 10 risks by impact might indicate that markets and business leaders are more confident about the global economy’s ability to detect and respond to such an event.
This is by no means the first time that technology-related risks made it to the top of the list: Cyberattacks have appeared four times in the top five risks by likelihood since 2010 (in 2012, 2014, 2018 and 2019). However, in terms of impact, the only technology-related risk to make the top five was critical information infrastructure breakdown in 2014.
Is it symptomatic of a larger disconnect that, in the last decade, global leaders only once perceived a technology-related risk as a top-five risk in terms of impact? Do top leadership and board directors at your organization share this attitude?
Of course, the WEF report is aimed at a global audience of business and government executives, so it might not be immediately apparent how CISOs could benefit from grabbing a copy and leafing through it. However, because technology-based risks — and more specifically, cyber-related risks — feature so prominently in the report, there is a unique opportunity to engage or re-engage top leadership and boards to discuss these issues and re-evaluate the organization’s current risk appetite. Among the topics covered in the report are many areas that CISOs should be ready to engage on, including:
Machine learning and artificial intelligence (AI) — How, if at all, is your organization leveraging these technologies? Is the security function engaged at the earliest part of the process to implement them?
Regulatory changes, such as the General Data Protection Regulation (GDPR) — Is your organization now fully compliant with the GDPR? Are there other GDPR-like regulations on the horizon that need to be on your radar?
Interconnectedness of cybersecurity risks — Is your organization on its way to becoming cyber resilient? How often is your organization’s resilience put to the test?
Quantum computing and cryptography — Who, if anyone, is keeping track of developments in quantum computing? How often is this disruptive technology being discussed, both in terms of the opportunities it presents, but also the risks to traditional cryptographic methods of protecting company secrets?
If there’s one section of the report that CISOs should share with top leadership, it is the portion titled “Managing in the Age of Meltdowns” (just three pages long). As the interconnectedness of technology increases the potential for cascading failures, this section reminds us of the stakes: “When something goes wrong in a complex system, problems start popping up everywhere, and it is hard to figure out what’s happening. And tight coupling means that the emerging problems quickly spiral out of control and even small errors can cascade into massive meltdowns.”
The section covers different strategies to help deal with complex, dynamic systems and provides guidance for CISOs to review and improve the effectiveness of existing processes. Strategies include encouraging healthy skepticism and recognizing the value of clear and honest lines of reporting. CISOs should also try to “imagine failure” or, better yet, simulate a breach to practice their response. The report also reminds security leaders to perform thorough root-cause analysis, as “too often, we base decisions on predictions that are overly simplistic, missing important possible outcomes.”
Most CISOs know they’re more likely to be heard when aligning their messages and efforts with the concerns of top leadership. In a world of increasing global risks, security leaders must engage with all levels of the organization to truly understand what cybersecurity risks are top of mind, from the board and C-suite all the way down to entry-level analysts. Organizing around mutual concerns will help maximize security at the enterprise.
The post Manage Emerging Cybersecurity Risks by Rallying Around Mutual Concerns appeared first on Security Intelligence.
This post appeared first on Security Intelligence
Author: Christophe Veltsos