“I do not want sales and marketing people that cannot be honest. We have to be better. We have to get away from the baubles and blinky rubbish that we have, and we have to think differently.”
At Black Hat MEA 2022, Chris Roberts (CISO at Boom Supersonic, Researcher and Hacker) pointed out the problems with a box-ticking cybersecurity culture that fails to address the fact that every organisation will be breached at some point.
A new report from Check Point Research found that weekly global cyberattacks have increased by 7% so far in 2023. And cybercrime damages are expected to reach USD 10.5 trillion a year by 2025.
“Meanwhile,” Roberts said, “we’ve put more and more code out there. More and more systems, more and more architecture, more and more complexities. And we’ve done it on more platforms. We have made our own problems more complicated to solve.”
And if it is hard for people inside the industry to understand the risks organisations face, and the architectures being put in place to protect them, then it is near impossible for people who don’t speak ‘tech’. So Roberts outlined a series of changes that need to happen in cybersecurity to shift its culture towards collaboration, sharing, and mutual understanding.
Why? Because cybersecurity is a human endeavour. So we need to stop alienating people.
1. Stop lying
“Stop lying to each other,” said Roberts. “Stop lying to yourselves. Stop telling people that they can be 100% secure. Stop telling people that it’s hacker-proof.”
Speaking of BHMEA, he noted the power of bringing together people from disparate communities – cybersecurity, the hacker community, the business community – and sharing ideas and knowledge between them.
“We’re all in this together which means we stop lying to each other, and we start holding people accountable. Let’s hold each other accountable.”
Part of this means asking difficult questions – or, for some, learning what questions to ask. For hackers, for example, instead of taking everything a vendor says at face value, it’s crucial to ask them what they’d actually do in the worst-case scenario, and whether they’d take responsibility for their role in it or shift the blame onto the nearest scapegoat.
2. Listen more
“This is a big one. This comes not just from the vendor side on making an assumption, but also from us as we are talking with those partners and those vendors.”
“We have to basically listen.”
This means getting beneath the skin of a sales pitch and getting to the nuts and bolts of how vendor or cybersecurity organisations are actually helping their clients. “Not just tech,” Roberts added, “but how is the human getting helped.”
Because no matter what tech is in place, a hacker will still break into an organisation because of human beings – “because of how quickly and how easily I can circumvent the humans.”
So hackers and client companies setting out to work with a cybersecurity vendor need to understand three things: how long it will take for the humans on their internal team to learn the products, services, and processes being implemented; how much time it will take to create an organisation-wide shift in perspective on cybersecurity; and how effective the information provided to all teams will be.
3. Improve soft skills
By soft skills, Roberts meant communication and cooperation: the ability and willingness to connect with other people, to share knowledge with them, to collaborate, and to welcome others into the cybersecurity industry and help them on their way.
Instead of a guarded mystery, cybersecurity needs to have an open door.
“We need all the people we can get. We need people with different mindsets.”
And when it comes to working with non-cybersecurity people, this requires a different approach.
“Let’s face it, when we go to do an assessment, the way we currently do it is we walk up to a company and we say hey, I’d like to break into you. As a company, they’re confused. They don’t know what the heck is going on.”
So instead of doing that, offer them a cup of tea. Share a coffee. Build a relationship.
“Why don’t you open the conversation with a potential organisation simply by talking with them,” Roberts suggested. “Simply by having a conversation about situations. Rather than breaking into somebody and showing their weaknesses, talk to them. Do tabletop conversations. Do simple ways and simple conversations. At the end of the day, somebody’s still going to get eaten by the Grue. You can still have fun with people but you do it honourably. You do it in a collaborative and cooperative way.”
4. Use language that others understand
Roberts pointed to the cybersecurity term DevSecOps, thrown around by industry professionals all the time. “It’s amazing – development, security, and operations. It shouldn’t have to exist. DevSecOps is nothing more than communication and collaboration with a new name.”
“We all have to stop speaking tech. Stop the acronyms. Start talking business, start talking risk. Have conversations that others can understand, not that you’re comfortable with. And for goodness sake, ask more questions. We have to challenge the very industry itself to change. Because this is going to take every single one of us to do it.”
“Keep sharing with each other. Keep talking with each other, keep helping each other.”
We know that shared intelligence and open-source information are good for security. So let’s do more of both.
What does this all come down to?
In a nutshell, Roberts is urging everyone working in the industry to embrace simplicity and collaboration. Strip away the shiny stuff, stop being salespeople, and focus on the central purpose of cybersecurity: to protect.
And when you’re working in an industry that relies on people, on individuals with varying levels of tech knowledge, to play their part in protecting their organisation and community, communication is the most important security skill.