TRUST AND THE ECONOMICS OF INSECURITY
Malcolm Harkins
Chief Security & Trust Officer
/in/malcolmharkins
@ProtectToEnable
On June 19, 2015, doctors insert a retinal implant into a patient's eye and connect it to high tech glasses, a camera and a video processing unit. The idea is to cure blindness.
The idea is to extort money. All a bad person needs is poorly developed or managed technology and the ability to execute malicious code.
TRUST
Competence Capability Results
Character Intent Integrity
"Accept it...they are going to get in." CISO Panel ISSA Los Angeles, May 2017
TODAY'S REALITY
ISSA Thru the Eyes of Cyber Professionals Part 2
½ significantly vulnerable ½ somewhat vulnerable
100% Vulnerable
World Economic Forum Risk Report - Feb 2017 / 2018
Income/Wealth Disparity
Climate Change
Polarization of Societies
Cyber: 2018 it's the #1 Biz Risk
Aging Population
TODAY'S REALITY CONT.
Edelman Trust Report Feb 2017/2018
Implosion of Trust
2/3 distrusters
We are in treacherous seas without a firm mooring
Europol - Internet Crime Report Oct 2016/2017
Acceleration of previous trends
APT & cybercrime boundaries blur
Majority of attacks are neither sophisticated nor advanced
9 BOX OF CONTROLS: RISK MITIGATION
[Figure: 9-box grid. Control Types: Prevent, Detect, Respond. Control Approaches: Automated, Semi-Automated, Manual. Callout: "Where most of the industry is focused".]
Source: Managing Risk and Information Security, 2nd Edition, Malcolm Harkins
TODAY'S REALITY
Information security is an economic inefficiency.
WHAT IS ECONOMIC EFFICIENCY?
Economic efficiency implies an economic state in which every resource is optimally allocated to serve each individual or entity in the best way while minimizing waste and inefficiency. The ideal state is related to the welfare of the population as a whole with peak efficiency also resulting in the highest level of welfare possible based on the resources available.
TODAY'S REALITY
Our approach to information security is the cause of economic inefficiency.
TEMPORAL ADVANTAGE
To put it simply: threat actors have had a temporal advantage over us. We have been playing catch-up for decades.
TODAY'S REALITY
74.1% correlation between breach activity and security industry revenue growth.*
*Piper Jaffray, Breacher Report 10.16
TODAY'S REALITY: WANNACRY, MAY '17
Cybersecurity stocks boom after ransomware attack
The market capitalizations of the five biggest cybersecurity related companies in the industry rose by more than $5.9 billion*
- The Guardian and Fortune May 2017
HUGE OPPORTUNITIES IN ALL AREAS OF LIFE
ACHIEVING ECONOMIC EFFICIENCY
[Figure: 9-box grid. Control Types: Prevent, Detect, Respond. Control Approaches: Automated, Semi-Automated, Manual. Callout: "Where most of the industry is focused".]
Source: Managing Risk and Information Security, 2nd Edition, Malcolm Harkins
HOW DO YOU FRAME THE RISK DISCUSSION? BUSINESS SPEED VS BUSINESS CONTROL
THE 1971 FORD PINTO
FAILURE TO INCLUDE AN $11 PART
1911 SOUTH POLE EXPEDITION
"...wait for the spring. To risk men and animals by continuing stubbornly once we have set off, is something I couldn't consider. If we are to win the game, the pieces must be moved properly; a false move and everything could be lost."
- Roald Amundsen, Norwegian Explorer
1st to the Pole, led by Roald Amundsen
2nd to the Pole, led by Robert Scott
"Victory awaits him who has everything in order. Defeat is certain for him who has neglected to take all the necessary precautions in time." Roald Amundsen, on the South Pole
KEY LEARNINGS FROM AMUNDSEN & 10XERS:
Fanatical Discipline
Productive Paranoia
Empirical Creativity
Limitless Ambition
Different Behaviors NOT Different Circumstances
- Great by Choice
PREVENTION & PANAMA
HOW IT BEGAN
In 1879, the French started building the Panama Canal. Torrential rains averaging 200 inches a year washed away much of the work.
A TOXIC CONTROL
The Solution? Quinine...
...but the quinine used to treat malaria left many workers deaf.
THE TIMELINE
1903 · Panama declares itself a country. US gains construction rights.
Feb 1904 · US Congress officially created the Panama Canal Zone.
1909 · Work on canal locks begins.
1913 · US Congress officially created the Panama Canal Zone.
Aug 15 1914 · Canal officially opens in August.
PROBLEM? SOLUTION.
Major Ronald Ross discovered that malaria was transmitted by mosquitoes. The control of malaria was vital for the construction of the Panama Canal.
A MAN... HIS PLAN... AND A CANAL.
Experts on sanitation. Col. W.C. Gorgas, along with others in 1904, formed the sanitary department for the canal zone.
MALARIA CONTROL PROGRAM RESULTS
Eradication of yellow fever
Death rate dropped in workers from 11.59 per 1000 in November 1906 to 1.23 per 1000 in December 1909
Death rate dropped in total population from 16.21 per 1000 in July 1906 to 2.58 per 1000 in December 1909
ECONOMIC EFFICIENCY
The construction of the Panama Canal was made possible only after yellow fever and malaria were controlled.
LESSONS FOR SECURITY
Malaria wasn't eliminated, but the root causes were identified, the sources of problems were prevented, and construction was completed, leading to dramatic worldwide social and economic benefit.
"The greatest danger for most of us is not that our aim is too high and we miss it, but that it is too low and we reach it." Michelangelo Italian Renaissance Man
"Accept it...they are going to get in." CISO Panel ISSA Los Angeles, May 2017
"...where our interests are clear and our values are at stake and we can make a difference, we must act and we must lead." Madeleine Albright, "Doability Doctrine" Statement before SFRC January 8th 1997, Stockholm Sweden
THANK YOU