We are headed for an ecosystem of cyber haves and cyber nots: Cisco advisory CISO

A combination of resourcing, government initiatives, and innovation will mean some organisations are able to handle cyber threats in real time -- and then there is everyone else.
Written by Chris Duckett, Contributor
Image: Getty Images

When policy makers are dreaming about how cybersecurity will be handled in the future, it consists of governments issuing warnings to organisations, the community sharing intel with each other in real time, and the ecosystem being able to respond with a degree of unanimity.

For Cisco advisory CISO Helen Patton, that dream leaves out lots of organisations that are struggling underneath the security poverty line.

"We've got a lot of organisations that don't have the resources to be able to participate in that kind of environment. They've got old pieces of equipment, they don't do automation, they don't have the resources to make it happen, they're never going to engage in that kind of environment," Patton told ZDNet.

"Maybe the financial sector, maybe the big companies that have got a lot of money that they can throw at this problem, might engage. But now you're into these two tiers of security, we've got the upper tier that can take advantage of machine learning and artificial intelligence, and real-time info share.

"And we've got everybody else who is hoping that some kid on a keyboard can do something about it, and obviously they won't be able to. We will have a bifurcated security community is what we will end up with."

One way to lift those at the bottom is something akin to a co-operative, with Patton describing a community that shares resources and uses purchasing consortiums along with governments using the tools at their disposal to help under-resourced organisations help themselves.

Previously, Patton spent a decade at JPMorganChase, and said even in banking it sometimes felt as though more security resources were needed.

"I don't know of anyone in any size organisation that feels like they've got everything they need, but I do think we need leadership to understand when they make a risk-based decision to put money in one area and not in security that they are taking a gamble, that they are making a choice that could lead to a real problem for them operationally," she said.

In order to help boards get to proper grips with risks and cybersecurity, Patton believes governments need to consider legislating a requirement for boards to have someone that understands technology and risk, and governments should be trying to inform the C-suite, not security professionals.

"When AWS burps and half of social media goes out ... do our CEOs and boards really understand that? No, they don't," Patton said.

"We've got to get them educated on that. And the guy who's trying to run a security program with one other guy and a dog doesn't have time to sit and educate the board. The government does.

"Stop training security people about how to do security better with no resources, and start training CEOs on how to think and manage the systemic risk, that's what they should be doing."

Following legal requirements imposed by government on breach reporting, it should comes as no surprise that lawyers are getting involved with such a process, and Patton says CISOs are having to determine how to manage risk yet work with requirements that say all breaches are equally bad.

"We're seeing CISOs separate themselves operationally from the reporting requirements," Patton said.

"So now we've got lawyers who are making a decision about whether something is material enough to require a report, which is not really the spirit of the regulation. But I've seen it in Australia, and I'm seeing it overseas as well.

"This is a coping mechanism because the reporting requirements are sort of vague." The advisory CISO said reporting demands mean if an incident is in a low-risk area, no security lead is going to tell lawyers or regulators they were going to sit on it because it was assessed as low risk, as compared to critical infrastructure elsewhere.

"These reporting requirements that say you've got 72 hours or 48 hours will generate a lot of inaccurate noise, that both the governments and the organisations will then have to unpick after the fact, once they have more information. There's going to be a lot of misinformation, that goes out into the environment because of the short windows that we're [dealing] with, it's a challenge," Patton said.

"It's not until you've had a certain amount of time to explore the incident, respond to the incident, learn from the incident that you really have good quality information. But our regulators want us to tell them immediately when something looks funny. And there's lots of things that look funny in our environments, because our environments they're inherently odd.

"They're going to get a lot of really bad signals early on, and we're going to have to work out how do you talk about that publicly when the information is really asymmetrical in terms of what you know, and what's actually happening. It's a problem."


ZDNet's Monday Morning Opener is our opening take on the week in tech, written by members of our editorial team. We're a global team so this editorial publishes on Monday at 8:00am AEST in Sydney, Australia, which is 6:00pm Eastern Time on Sunday in the US, and 10:00PM GMT in London.


Editorial standards