South by Southwest 2015. It came and it went just like it has for the past 22 years, without me there. My scene is the security scene – Black Hat over SxSW, but even hackers can appreciate an epic party now and again, right?
In fairness to the SxSW crowd, privacy and online security did win “Trend of the Event” at the SxSW Interactive Awards in 2014, stemming from talks by Edward Snowden, Glenn Greenwald and Julian Assange. Yet just 12 months later, the festival’s security trend transitioned into a bona fide theme in 2015, making numerous appearances across the event’s vast schedule.
Yahoo unveiled its new end-to-end encrypted email service. The CTO of Decoded led a workshop where he taught attendees how to hack their personal laptops. And Edward Snowden showed up again (via teleconference) to lead a secret session on how businesses need to come together and beef up their defenses against government surveillance.
From the sound of it, cybersecurity had a seat on the main stage at this year’s SxSW. Historically speaking, this is somewhat mind-blowing. We’ve reached a tipping point where online security is addressed more seriously than with just a token handwave. This is good news for security professionals. We know security needs to be a part of every conversation.
Maybe we should thank Seth Rogen, a few Sony executives, President Obama and some alleged North Korean hackers. These are the players who very publicly yanked cybersecurity out from underneath a symbolic dark-colored hoodie and landed it across major news outlets for almost two straight months. They made it a current, relevant issue. They made it a debate. They spread fear across corporate America. Let’s be honest: what executive didn’t weigh the bone-chilling impact of a similar incident happening to his or her company?
The Sony hack was a catalyst to a new normal — like it or not, every business is a security company now. Whether you build technology or provide services to consumers or other businesses…you are a security company. If there is information inside your company you would never want disclosed…you are a security company. If your business collects and stores personal or confidential data of any kind regardless of your vertical…you are a security company. It’s a fact. Your business is going to get attacked and the threats will only get more sophisticated. In the last week alone, both Slack and GitHub disclosed attacks on their networks. In each case the motivation was different. It happens every day.
As a business, you can expect this new normal to dictate more invasive legislation and responsibilities. For example, in a recent Wall Street Journal article, writer Ben DiPietro reports that Boards of Directors are now being held responsible for cybersecurity. According to the article, U.S. regulators this year are emphasizing the importance for corporate boards to take responsibility for cybersecurity, saying directors and officers who fail to do so could be held individually liable for any lapses that occur. The article goes on to say that particularly in the last three to four months there has been intense focus by regulators on this subject, largely directed to directors and officers.
Network security is also transitioning into a significant corporate strategy, demanding more commitment from executive leadership teams. Steven Norton, another Wall Street Journal reporter, recently covered a survey of 100 CFOs from technology companies. In addition to finding that CFOs are increasing security spending as they buy new security solutions and develop ways to respond to breaches, the survey highlights how CFOs are taking on a growing role in the cybersecurity discussion.
BoDs and C-level executives strategizing on cybersecurity. Definitely a shift.
More than anything else, this new normal will force us to think differently (yes I went there) about security measures and who is responsible for applying them. If we all think like security companies, we will design and build security literally everywhere — chipsets, firmware, operating systems, databases, middleware… you get the idea.
The thinkers are already stepping up. MIT just launched three new cybersecurity initiatives that will pool expertise from across the institution to better characterize the security dynamics of large networked systems, with the aim of guiding policymakers. The intent is to enforce security systematically and build technology infused with “security by default.”
Intel is also paving the way. Giulio Prisco from Bitcoin Magazine uncovered a recently listed job posting indicating that the chipmaker is planning to investigate the potential of blockchain technology. In describing the desired applicant, Intel is searching for a researcher qualified in the areas of crypto algorithms, access control models and security/privacy protocols, proficient in the development of system and application software, and familiar with relevant security and cryptographic standards. According to Prisco, it appears that Intel intends to focus on the security-related aspects of blockchain algorithms, possibly in view of implementing appropriate security frameworks in future Intel chips.
The sooner we embrace this new normal the better. Stop pointing blame at the players lower down the stack or higher up in the cloud. We are all security companies responsible for protecting our employees and customers. Legitimate businesses can no longer rely on ‘patch and pray’ strategies, but have to think differently about the security technology they build, invest in and deploy. To quote Marc Andreessen from his A16z Podcast: Security’s Painful Prominence and Why There is No Turning Back, “I think from a technology standpoint, businesses need to either become first class at security, with first-class expertise and first-class funding, or they need to work with vendors such as cloud and SaaS vendors who are.”