Why The Security Industry Is Sitting At The Kid’s Table

A couple of weeks ago I listened to a presentation given by a senior official in the Department of Homeland Security about terrorism and domestic threats.  Because the presenter had a long career in the military and federal law enforcement, many of the questions after the presentation were about his opinion on our state of readiness to deal with future threats.  Eventually the conversation came around to the risk of cyber attacks, and he was asked what his opinion was about how we should be preparing for this new risk and vulnerability.  His answer actually astounded me. He replied by saying that everyone in America needs to minimize their online presence and America needs to unplug our nation’s utilities and mass transit systems from the Internet. There was an uncomfortable silence in the room while the audience waited to see if he would continue talking and discuss an actual plan of attack, but that was it.

That was his plan: just disconnect everything and everyone.  This answer is absurd for at least three reasons:

  1. It isn’t like these systems can simply be unplugged from a jack in the wall and this whole “cyber security” thing will just go away
  2. Unplugging our infrastructure and mass transit systems doesn’t eliminate the terrorist threat to them
  3. Even if disconnecting from the Internet were the only way to actually secure our country, Americans would never give up the benefit that technology offers just because it comes with associated risks

I often read articles and discussions on LinkedIn written by security professionals who are frustrated that the public doesn’t give the security industry the attention that is necessary to secure our borders and cities.  I’ve read more than one article written by a security professional complaining that the public “just doesn’t get it.”  Why is the security industry, as a whole, not given the respect that we feel is deserved?  Because recommendations that a company stop using a website and social media, or opinions that the only way to secure our country is by unplugging, cause everyone to immediately discount and ignore that advice.

Compare this DHS official’s comments to what Marine General Peter Pace says about cyber security.  The former Chairman of the Joint Chiefs looks at the cyber threat and says that if we can’t change the environment, we need to learn how to operate more effectively within it.  I love that quote.  Peter Pace understands what this self-proclaimed counter-terrorism “expert” does not: we cannot put the Internet back into a box the same way that we can’t uninvent nuclear or chemical weapons.  We have to learn to live with the risk that being connected exposes and find creative ways to protect ourselves against it.

I criticize this DHS official because his answer was to sit back and do nothing.  He couldn’t (or didn’t want to) bring up a single proactive measure. He could have brought up Homeland Security’s efforts to recruit the best and the brightest computer scientists into the government to create a multi-layered defense against this threat.  As utilities are still regulated by the government, he could have brought up a plan for DHS to collaborate with the Federal Energy Regulatory Commission (FERC) to approve an increase in the wholesale electricity rates to provide money for companies to improve their defensive capabilities. He could have brought up State Department efforts to reduce the foreign cyber risk through diplomatic channels.  Whether any of those arguments are considered effective or not is a different conversation, but at least those would have been proactive steps to secure our infrastructure.

For the professionals who make up the security industry, I admit that it is easy sometimes to view the world through a single security-centric lens.  As professionals in this field, we spend our days and nights researching and focused on security concerns, news, and updates.  This can easily lead us to think of every situation from the perspective of the worst-case scenario. While that is often our job requirement, that needs to be tempered with the goals of those we are responsible for advising.

Protection is a relative term.  You must have something to protect.  The best way to reduce the risk of workplace violence is to have no employees, but you also end up without a business. Businesses are going to hire people and they are going to compete for customers on the web and use social media, and it is up to the security professionals inside of those companies to work with what they have in order to reduce as much risk as they can.  It is unrealistic to think that every risk can be reduced to zero.

The nature of threats to our country and companies, and the work that security professionals are responsible for, is changing at an incredible pace.  Because of this change, it is required that people become creative in talking about security and speak to corporate leadership in a language that they understand.  We can’t get frustrated if they don’t understand our concerns intuitively.  The CEOs looking for new market opportunities are going to look at the world differently than someone focused on security, and that is a good thing because it balances the discussion.  If we want our industry to be included in high-level or strategic talks about ways we can prepare for the future, we have to be able to provide a recommendation that gets beyond “unplug from the web.” We need to look at realistic ways that we can reduce risk to a level that is not only manageable, but also acceptable if we are going to have a voice that is heard and respected in the constantly adapting environment we have to operate within.
