Wendy Nather’s keynote at the FIRST conference (video) considered the security poverty line, and why it should concern those above it at least as much as those below. To secure our systems and data requires resources (tools and people); expertise to apply those effectively; and capability, including sufficient influence to overcome blocking situations or logistics.
But most current guidance, tools and practice are designed for those above the poverty line, not below. That’s a problem, because insecurity now affects everyone in the digital environment. Pollution is a better metaphor than escaping hungry bears: “there’s more than enough bear for everyone”. Even organisations whose own security is excellent can be hit by breaches in software or services they didn’t know they were dependent on, or devices with which they have no relationship at all. In a digital world where global retailers can be taken offline by insecure webcams, helping improve others’ security may be as important as improving your own.
To do that we need to move beyond talking about “awareness” and do what we can to increase “capability”. Small organisations, or those in sectors with low profit margins, can’t afford state-of-the-art security software or people. Dashboards that give security experts visibility of everything that is going on may be less useful to a part-time system administrator who just needs to identify and fix a problem. Open-source software is great, but it’s not free when you include the costs of the skilled people to install, configure and run it. A survey of security experts asked “what is the minimum set of tools?” came up with lists from four to thirty-one. The baseline looked a lot like PCI-DSS, but even that may be beyond the capability of a small business using off-the-shelf security tools.
Legacy systems are a major risk factor: organisations that proactively refresh their technology experience much better security outcomes. It may even have wider benefits: recruitment is likely to be easier for organisations that offer a modern infrastructure experience. So what can we do to help others move at least non-core business systems (for example email and payroll) to cloud-based services where many of the security issues are looked after by the provider? When we work with our own providers, can we encourage them to make essential security functions, such as multi-factor authentication, part of the basic product rather than an add-on? Instead of bare lists of tools, could industry sectors develop their own reference architectures, fitting business and cultural constraints, to help those with less capability implement systems that are easier to operate securely, improve interoperability, and reduce vendor lock-in? And can they work together to discover services that represent a common dependency, and to help them reduce the shared risk?
The pollution metaphor suggests a shared reputational risk as well as a security one. If individuals lose confidence in digital systems and services then we all suffer, not just those directly causing the problem. Over the past decade, Governments have started to help with “ordinary” internet security threats not just advanced, state-level, ones. If you are fortunate enough to be above the security poverty line then consider how you can contribute: help others reduce incidents, respond to those that happen, and learn from them, to improve security and confidence for all of us.
