In my youth, each year my best mate and I would bunk off school for the day and travel by train to the motor show at Earls Court. We’d wander aimlessly around, wide-eyed at the gleaming cars and gawping at the scantily-clad models draped over them in various suggestive poses – (quite rightly, you wouldn’t get away with that these days!) We’d collect carrier bags full of glossy brochures about cars we didn’t need, didn’t want, could never afford, and in any case weren’t old enough to drive. In doing so we’d interrupt bored salesmen from talking with other bored salesmen on the surrounding stands about football or Harold Wilson, and irritate them further by covering their pristine paintwork in grubby fingerprints and asking silly questions they must have fielded a thousand times from the masses of other circulating oiks. Finally, exhausted, we’d dump the brochures in the first rubbish bin we came across in the street, eat fish and chips on the train home, and vow never to waste our time like that again. Until next year, of course…
Nowadays I have cybersecurity conferences instead. The similarities between the two experiences become more pronounced and obvious each time I drop my guard and go to one. But why do we do it to ourselves? During the few hours that I manage to endure the oppressive atmosphere of a typical event I do bump into a few old friends and acquaintances – without exception they all clearly feel the same as me. Only the vendors – rank upon serried rank, all selling variations on no more than a dozen proven technologies – appear to be enjoying the experience. But I suspect their rictus smiles, manic enthusiasm, and desperate eagerness to shift their sacks of stress balls/biros/lollipops mask a maelstrom of negative emotions and frustrations. Nowadays I am especially struck by the many unwavering claims that whatever is on sale (from access control to zero-day attacks) now provides everyman’s answer to GDPR. Really?
I wouldn’t mind if these events hit the mark. But even the most ardent technologists are finally cottoning on to the fact that the current technical strategy is not, on its own, solving our problems. Despite the King’s ransom that organisations are spending on information, systems and network security technology, an increasing body of research indicates that many of these security measures are not effective because they are ignored, bypassed or incorrectly implemented. Certainly, the procession of examples, seemingly now daily in the Press, of serious data breaches and high-profile cybercrimes indicates that whatever we are doing is not entirely working. It’s no wonder that our business masters wonder where their money is going. Why, therefore, should we in turn be at all surprised when our budgets are questioned or even cut? Why should we be offended when we lose credibility in the Boardroom, or are excluded from management decisions? Our Boards and our colleagues from other business functions are turning to us for guidance on how we can reduce data breaches or even (ultimately) save their jobs, but often all we offer them is more of the same.
Let me be clear, this is no criticism of the organisers of these various events. They are as superbly and slickly organised as it is possible to be. The fault lies in the concept, not the execution. They are a snapshot of the past, of the old ways our industry is still run. The solutions remain product-driven, standard answers to a myriad of different questions, a few packaged products to serve a myriad of unique challenges. Users are treated as sheep and fed what the suppliers have in the barn. This has to change. Vendors and their customers should be equals, working together as all professionals should, to reach their common goal.
There’s no question that security technology is essential, or our systems would be unusable. But despite the vast sums of money spent, IT systems at all levels and within most organisations remain inherently exposed to even the most basic of security weaknesses and vulnerabilities. This is because for so long now we have focused almost entirely on the technology. We may have paid some lip service to the processes that surround the technology, but rarely have we attended in any way to the third and most fragile element of this defensive regime – our people. We insist on developing increasingly complex technical solutions for increasingly obscure and irrelevant problems. We focus on brain surgery whilst the patient dies of the common cold. The typical cybersecurity conference epitomises and reinforces the narrowness of view that still afflicts our industry.
But I believe this to be a story of great hope. As the high-profile security breaches draw attention to our trade and to our profession, we are poised in every way to capitalise on the fine work we have completed over the past decades. We already have the tools, knowledge and experience to make our systems and networks safe and secure. With greater support from senior management, and with increased interest in our potential contribution to business success, then I believe it is fair to say that our time has come. But we will squander this opportunity if we fail to modify our modus operandi.
And as for the conferences? There has to be a better way for us to improve our knowledge, address our problems and effect industry change. I know what that way is, I’ve seen it: it’s called “Les Assises de la Sécurité” and it happens every year in Monaco for the French cybersecurity community. Everyone there, on both sides of the vendor/user divide, loves it. SASIG is working hard to develop a UK version; this will happen 7-9 November 2018, again in Monaco. More of this in my next blog.
Meanwhile, last year I passed the demolition site of Earls Court with just a small tear in my eye for my lost youth and for the enduring grace of the Mk2 Ford Zodiac.
Read more of Martin's Log
Thank you for reading my blogs. I’m getting quite old now, and hopefully I’m a little wiser than I once was. I have enjoyed a fascinating career full of fascinating people, and made many great friendships. I’ve made huge errors in my lifetime, and enjoyed great success too – it’s been the ultimate game of snakes and ladders - up and down, round and round. It is my privilege to share some of my stories with you, and describe some of the lessons I’ve learned in the hope that it may both save you from falling into the same holes, and help you in your careers and lives. Good luck and good fortune.