Trust or Mutual Benefit?

The theme of this year’s FIRST conference is “Strength Together”. Since I first attended the conference in 1999, we’ve always said the basis for working together was “trust”. However that’s a notoriously slippery word – lawyers, computer scientists and psychologists mean very different things from common language – and I wonder whether security and incident response would benefit from a different framing.

When I joined the global incident response community I tried to observe behaviour, so I could fit in without causing offence. My conclusion was that relationships were actually established by “I will spend some time on you: if that makes my life better then I will spend more time on you”. Trust may develop as part of that collaboration, but the actual basis for it is mutual benefit. The hour I take out of my primary job of protecting my customers will be more than justified if your actions save me two hours in future.

This may seem like semantics, but I think it’s more important. As Wendy Nather’s keynote explored, my next security catastrophe may well originate in an entity I’ve never heard of: whether an obscure software library, an organisation deep in my (security!) supply chain, or a data processor engaged by an apparently peripheral organisational function. In a world where global service providers can be disabled by insecure webcams, “strength together” needs to extend far beyond those we have established trust relations with. In an emergency, “are we trusted?” may be too high a bar, “are we recognised?” (by others and by the claimed constituency) may be where we need to start.

And, in tough economic times, invoking “trust” and “social responsibility” may underplay the importance of working together. It’s often said that trust is hard to gain, easy to lose. When working together is business-critical, we simply can’t afford to lose the basis for it. A panel session suggested “socially responsible” as a motivation for information sharing, but if that’s the best we can do then we shouldn’t be surprised when its budget gets cut. Again, we need to frame working together as essential, not optional.

As the European Commission’s draft NIS2 Directive recognised, effective cyber-security collaboration is now critical for individuals, organisations, the economy and society. The converse of “strength together” is “weakness apart”: unless we recognise the necessity of working with others to improve the whole digital environment then it may not be long before that environment becomes intolerable for all of us.

By Andrew Cormack

I'm Chief Regulatory Advisor at Jisc, responsible for keeping an eye out for places where our ideas, services and products might raise regulatory issues. My aim is to fix either the product or service, or the regulation, before there's a painful bump!
