SAN JOSE, Calif. -- The New IP -- Here's a message that should strike some level of fear into the hearts of any company's senior management team and IT operations staff: "Most of you are doing cyber security wrong, you work for companies doing it wrong and you probably all have clients or customers doing it wrong. You are not just missing a technical opportunity, but the whole approach you are taking is profoundly wrong."
Scott Borg, CEO of the US Cyber Consequences Unit, an independent, non-profit research institute, threw this glass of cold water on The New IP conference attendees last week.
But Borg isn't playing a name and shame game: "It's not your fault. You never had the opportunity to do it right, because our whole corporate approach to cyber security is so profoundly wrong," he told attendees, heralding a mass unclenching of glutei maximi in the audience.
That some cultural changes are required will not come as news to anyone who has attended other Light Reading events. Heavy Reading research consistently shows that security is a top priority for network operators, by far, but they're still stuck in an "it's someone else's problem" mindset, relegating the enormous task of security to one specialized security group. (See Security Suffers From 'Not My Job' Mentality.)
As Borg described it, however, the problem goes much deeper than that. It's threefold, he said. First, cyber security needs to protect the creation and distribution of value, but teams often don't know how their companies create value. Second, companies don't have a clear idea of what they are defending against -- the types of attacks, the attackers and their techniques. And, third, cyber security needs to be directed towards what companies will do next to create value, not what they do now -- it needs to be future-oriented. (See FCC Launches Downloadable Security Push and ISOC Urges Faster Security Standards Adoption.)
"We are not organizing our cyber security to defend the ways we create value, the things that matter," he said. "We're not defending against the kinds of attacks that come after us, and we're not looking at how we'll do things in the future, which will dictate cyber security management. This is really bad."
Service providers may still be in the early stages of developing effective cyber security strategies to take advantage of these new business opportunities, but they are far from the only ones. Borg also explained how the US government is getting it wrong. When asked by an audience member why the US isn't more aggressive in cooperating with the private industry to stop cybercrime, Borg said it's because there is no national cyber security policy in the way there was, for example, a much-discussed, public nuclear weapon policy during the Cold War.
"The private sector will participate if they're paid for their time; if they get value out of it," he said. "But government people aren't providing information, so the whole thing dies."
Borg was also asked about the security implications of drones. His answer? "What can I say? It's really scary."
"Drones are a huge vulnerability" for cyberattacks, he said, and should be considered in the same equation as the rest of service providers' cyberdefense plans. (See FAA Lays Out First Proposal for Small Drones and A Drone for the Holidays? The FAA Wants a Word....)
— Sarah Thomas, Editorial Operations Director, Light Reading