InfoSec 2017 is under way and Kensington Olympia is bursting at the seams with cybersecurity vendors, consumers and professionals. Amongst the free pens, t-shirts and boxes of mints up for grabs (there are no free USB sticks here), the predominantly red and black banners of enterprise vendors rule the horizon.
There are demos, simulations and talks on loop about how and where the next threat will arrive from, and plenty of dotted lines to sign on for those caught up in the paranoia of missing GDPR and all of its smoke-and-mirrors rules.
Before the hubbub started, I caught up with Dug Song, the skateboarding co-founder and CEO of Duo who doesn’t quite like the us vs them take that most cybersecurity professionals have towards hackers and malicious actors. It won’t be off the mark to say that he is a ‘softly softly catchee monkey’ kinda guy.
Song starts by mentioning that the motivation for starting Duo was basically a reaction to what he and his co-founder saw around them. “It was militaristic: being a warrior against threats. I thought it was just rubbish. Over and over again the notion was of ‘us vs them’. Everyone was concentrating on keeping out the attackers, whereas the reality of the situation was that customers kept falling victim to known threats. Part of the problem was simple, like keeping devices up to date.”
The perfect analogy according to him is akin to when people were falling sick and dying but doctors couldn’t figure out why, only to realise it was because people were not washing their hands when they left the bathroom.
“Cybersecurity needs to be different. Users should be able to adapt it instead of adapting themselves to it.
“With the rise of cloud and mobile, IT is everywhere, not just in the hands of the few. My 11-year-old has more technology in their hands than any of us did 7 years ago. This has inverted everything. Users provide such a massive attack surface… Security strategy should be designed for users, almost like a public health strategy.
“We sometimes forget that easy security is effective security. Instead of selling on fear, based on scare tactics, guiding them towards safer behaviours would serve everyone better. Walk them through the process. Instead of saying ‘if you don’t do this, all is going to go to hell’, we need to say ‘this needs to happen for it to function properly’. It allows them to understand the process. We tell people they need to upgrade their device to continue accessing the system. This new type of security culture, where you bring people along with you instead of issuing new devices to everyone, is the way forward. It needs to be more of a negotiation with users.
“You only need to look at clinical workflow to understand it. We have to understand their processes deeply because we cannot make security a barrier to their job. If doctors have to jump through hoops, they simply won’t do it.”
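The “upgrade your device to keep accessing the system” approach Song describes is, in practice, a device-health check at login that tells the user what to fix rather than silently blocking them. The following is an added illustration of such a gate, written for this article and not Duo’s own code: the policy table, platform names, minimum versions, enforcement dates and the 14-day grace window are all constructed assumptions. It warns with a remediation message during the grace period and only denies once the deadline has passed, and it handles the version-string edge case (“10.3” versus “10.3.0”) that a naive comparison gets wrong.

```python
# Added illustration of a device-health access gate that "brings users along":
# out-of-date devices get a remediation message and a grace window before
# enforcement. Not Duo's code; the policy table, version numbers and dates
# are constructed assumptions for the example.
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Device:
    platform: str   # e.g. "ios" (assumed identifier)
    version: str    # OS version as reported by the device, e.g. "10.3.1"


@dataclass(frozen=True)
class Decision:
    action: str     # "allow" | "warn" | "deny"
    message: str    # text shown to the user; empty on allow


# Constructed policy: minimum OS version per platform and the day enforcement starts.
POLICY = {
    "ios":     {"min_version": "10.3", "enforce_from": date(2017, 6, 1)},
    "android": {"min_version": "7.0",  "enforce_from": date(2017, 6, 1)},
}
GRACE_DAYS = 14   # how long a non-compliant user is warned before being denied


def parse_version(s):
    """Turn '10.3' or '10.3.1' into a comparable 3-tuple, padding with zeros.

    Padding matters: Python evaluates (10, 3) < (10, 3, 0) as True, which
    would wrongly flag a '10.3' device as below a '10.3.0' minimum.
    """
    parts = [int(p) for p in s.strip().split(".") if p.isdigit()]
    if not parts:
        raise ValueError(f"unparseable version: {s!r}")
    return tuple((parts + [0, 0, 0])[:3])


def evaluate(device, today):
    """Decide whether a device may access the app, and what to tell the user."""
    rule = POLICY.get(device.platform)
    if rule is None:
        return Decision("deny", f"{device.platform} is not supported yet. Ask IT to add it.")
    try:
        have = parse_version(device.version)
    except ValueError:
        return Decision("deny", "We could not read your device's OS version. Ask IT for help.")
    need = parse_version(rule["min_version"])
    if have >= need:
        return Decision("allow", "")
    deadline = rule["enforce_from"] + timedelta(days=GRACE_DAYS)
    how = f"Update {device.platform} to {rule['min_version']} or newer to keep using this app."
    if today <= deadline:
        left = (deadline - today).days
        return Decision("warn", f"{how} You have {left} day(s) before access is paused.")
    return Decision("deny", f"{how} Access resumes as soon as the update is installed.")


if __name__ == "__main__":
    # Constructed sample devices, checked before and after the grace deadline.
    samples = (Device("ios", "10.3.1"), Device("ios", "10.3"),
               Device("android", "6.0"), Device("ios", "9.3"))
    for dev in samples:
        for day in (date(2017, 6, 5), date(2017, 6, 20)):
            d = evaluate(dev, day)
            print(f"{dev.platform} {dev.version} on {day}: {d.action} {d.message}")
```

The design choice is that `warn` and `deny` carry the same remediation text: the user is told what to do and why from the first login, and the only thing that changes at the deadline is whether access continues in the meantime.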
I interject to say that sometimes you have to put the fear of God into people to get them to do things. What do you say to that?
Song, as it turns out, has an answer to that too. “Security was about making people do what you wanted them to do, without regard for the end user; they just had to follow. But today, if you want to share a file with a colleague and the official route is via VPN and then jumping over firewalls, you simply wouldn’t do it. You will just use Dropbox or email them directly. This is because of all the solutions available to the user; it is down to the consumerisation of IT today. And it has in turn run away from the notion of enterprise control. So enterprises cannot just tell users what to do, they have to work with them.
“Enterprise security is so overly complex today because the idea used to be to bolt security onto everything. A lot of the agent-based, firewall kind of security has now gone away. For instance, there is no anti-virus market for iPhones and that is exactly the way the world should be going. Mobile devices are so much safer these days than anything we have had in the prior generations, so directionally we are going in the right way, but security has been left behind in a much older era of wanting to play whack-a-mole and has failed to keep up.
“On the InfoSec show floor, there will always be people who say higher firewalls are better to keep things locked away, but that is not necessarily the way forward. As the devices world becomes more heterogeneous, governing the murky middle of access is tricky. Standardisation of access is down to the cloud. More security is more adaptation. Single sign-on is the solution.”