In this interview, Ymir discusses whether data breaches are unavoidable, how a culture of security can be built throughout the organization and the biggest barrier for security practitioners to tackle in 2023.
Ymir Vigfusson, Associate Professor at Emory University, carries out research on practical security, large-scale distributed systems, and data science. At the Global Cyber Conference 2022 he was a panelist in the session entitled “Key characteristics of an effective insider threat mitigation programs”, together with Laurens Binken, General Manager Information Risk Management Strategy and Transformation at Shell, David Jacoby, Co-Founder and ethical hacker at Sprinkler Security, and Brett Conlon, CISO at American Century Investments.
What opportunities do you see in cyber security that aren’t being taken advantage of, and why?
Security, defined by the absence of vulnerability, is notoriously difficult to measure. Consequently, snake oil abounds in the industry: boxes full of blinking lights, products with superlative but hollow assurances (“X secures everything everywhere now!”) that are built for unrealistic threat models, and people inviting you on trendy bandwagons, like artificial intelligence and machine learning, where the devil is in the details.
It is easy to feel overwhelmed and despair when looking at the security landscape, especially when considering the speed and tenacity with which the adversary adapts.
Yet many things are actually going right. The public awareness of threats has grown. Cyber insurance is providing incentives to which companies rightfully respond. At a technical level, multi-factor authentication is proliferating. When done right, machine learning can pick out, detect, and even prevent some attack patterns.
Nascent theoretical work on program verification – automated mathematical proofs that software or hardware is actually secure against known attacks – is becoming increasingly practical. All of these make the life of the attacker more difficult, which is the essential ingredient of usable security: making exploitation too expensive for the adversary.
Hiring people who both recognize and can capitalize on the utility of emerging trends, and particularly how they contextually fit into the security landscape, is the single biggest opportunity for decision-makers at big organizations.
Are data breaches unavoidable, and is there a right and a wrong way to deal with them when they do occur?
Yes, it is best to assume that breaches are inevitable. A whopping 68% of businesses surveyed in 2020 claimed to have been hit by ransomware. Every organization should both assume compromise and have a well-oiled plan for dealing with breaches when they occur. For example, 1 in 7 attacks comes from within: is your organization able to curtail insider attacks?
GDPR adds further pressure for your breach mitigations to be efficient. There is no silver bullet for how breaches should be tackled, but many companies that have been breached say, with hindsight, that they wish they had had better auditing tools to gain visibility into and understanding of exactly what was compromised and taken.
This circles back to the emphasis that companies should assume that they have already been breached. How do you have layers of protection around what matters most? How do you handle authorization to data? Who is accountable?
How can security leaders better help their organizations build a strong culture of security?
The single biggest piece of advice I can give is to empower your employees. Shame, strong power differentials, disincentives, structural apathy, and opaqueness are the perfect ingredients for a dysfunctional security culture.
You want your employees to feel that they want to report attacks, that it is okay to make and report mistakes without fearing repercussions, that there is a shared organizational mission for security, and that security isn’t just a separate untouchable group of elites who are set on making it harder for employees to do their jobs. Train them. Support them when something goes wrong.
Maintain accountability for security near the top of the organization, so the ordinary employees don’t feel they will be sacrificed as scapegoats when things go awry.
A strong cultural DNA cannot be baked into an organization without resources. It is the role of the C-suite, the board, and internal/external auditors to ensure that security is a cornerstone of all training in the organization and a regular topic in all discussions.
Get regular external penetration tests from different providers that help illuminate areas of concern and opportunities for improvement while also keeping everybody on their toes. Be paranoid yet sensible. Help people care.
What do you foresee will be the biggest obstacle for security leaders and practitioners to overcome in 2023 and the years ahead?
Even in the weakest sense, the cybersecurity industry is recession-proof. There is intense turmoil looming in the world of geopolitics. Whether future events include invasions, civil wars, prolonged cold wars, or sudden disasters, the ensuing economic instability and a battle for power over scarce resources will only intensify the role of cybersecurity.
As a result, regular companies, organizations, and even nations will increasingly find themselves in jeopardy because of shifts in the focus, scale, and capabilities of their adversaries. It is particularly challenging to assess risk under such uncertainty, but consequently, there is also a very real sense in which only the paranoid will survive. What a time to be alive!