Why business can't keep the public safe from data breaches

Cyber-threats pose an existential challenge, says RedSeal CEO Ray Rothrock.

Why business can't keep the public safe from data breaches

TechRepublic's Dan Patterson asks RedSeal CEO Ray Rothrock: How can businesses protect clients from data breeches? The following is an edited transcript of the video.

Dan Patterson: When we talk about data, it's easy for us to forget that each one of those points is a human, or represents some sort of human activity. How do we communicate as businesses or as those who work in the government, as those who are stewards of data, how do we communicate to the public that it's their responsibility too, to be vigilant? And even the best actors within the business space at least, who are doing their best to protect information may lose it from time to time. How do we communicate the level of threat that exists to the general public?

Ray Rothrock: Boy, that's a gigantic question. Dan, I'm struggling with that one. It goes to the level of airplanes falling out of the sky or cars crashing on the street. What level do we communicate with the public? Part of both airplanes and cars, for example, is there are licenses that you have to get. You have to qualify that you can manage and handle this equipment. You wouldn't hire someone to be your cyber guru if they weren't fully trained and so forth. And the military spends a lot of money training people. So, maybe part of the answer to that is we have to report out when these things... When a plane falls out of the sky, it's always news. If someone gets killed on the street is that news? Probably for the neighborhood, but not for the world.

Again, society's going to make the judgment there. If a nuclear power plant has a problem, everybody knows about it. The world knows about it. So, I'm not sure how you solve that problem because cyber, a little bit like some of these risks, is very existential. Three people in a room are in a boat off the shore can cause great havoc to a company. Stealing the information is one thing, and using it to get your credentials is another. What's really happening to you is the trust that your customers have, the confidence that your employees have that you're a good caretaker of this data and so forth. That's what really hurts in the long haul.

Maybe these congressional hearings where Wells Fargo and Equifax and others were on the stand, those were pretty visible and they were talked about for quite a while. That's how you make the public aware. You can't hide it. Cyber's no longer a hide-able topic. It was 10 years ago. People never talked about it, never. I'm rambling a little bit there. I apologize.

Dan Patterson: Not a bit. It's a big question.

SEE: Cybersecurity strategy research: Common tactics, issues with implementation, and effectiveness (Tech Pro Research)

And you said, I think the right word, the magic word there, which is existential. These are different than airplanes falling out of the sky because you can see and experience that, and you understand the risks involved. With cyber, it's difficult to, and maybe unrealistic, to expect the public to really understand how big and how small some of the threats are. But as you also said, cyber is emerging from being a vertical in its own little silo to every component of life, especially as we look at digital transformation. So, on the theme of digital transformation, as every industry becomes more technological, and there certainly are with the internet of things. There certainly are more points of vulnerability within companies.

What risks do you see to those who are fresh and new to the cyber world that are, again with this theme of proportionality, are really important for those who have woken up and say, "I need to take care of X, Y and Z right now"? What are the risks and what do I do?

Ray Rothrock: What are the risks and what do you do? Well, you mentioned two things. IOT, internet of things. These new devices are not designed with risk in mind necessarily, or cyber risk in mind. One of the things we can do as a society, I'm just going to go there for a second, is development. When you're developing these products, the people that are developing the software should have some security background and training. That's a new concept. Palo Alto networks is talking about this quite extensively, and I think they're right. It's actually a pretty clever idea to encourage your customers to drive into their dev ops, whether you're a giant bank or an oil and gas company, whatever you are, unawareness. That'll take a generation. That'll take flow. That'll take time.

SEE: Internet of Things (IoT): Cheat sheet (TechRepublic)

In the meantime, you can segment very effectively and prove it to yourself that you have actually isolated. It's like fire doors in a building. If a fire occurs in this room, it's not going to get into that room. That concept is very well known and very provable. The risk that are going to come at ... Look, the thing you talked about is what's called in the vernacular as attack surface. And the attack surface is growing by orders of magnitude. Cisco is quoted all the time, 20-billion items, whatever. There's probably on my cell phone somewhere here. But it's an attack surface. These cameras are an attack surface. You're not going to be able to deal with all of that, so you've got to have the response capability and the segment to be able to contain it and control it and knock it down.

That's a strategy that involves not just technology, but people. And not just people and technology, but processes about how to design and how to build. That's what the new guy needs to be thinking. Assume... In the book I've written, Digital Resilience, the second thing you ask yourself is "what can go wrong?" New managers need to be trained, I think, that way. Not just what can go right, but what can go wrong, because it will go wrong, if it can.

Also see