By Urpo Kaila, Head of Security at CSC
Security is a thriving and exciting field, but security breaches can contain nasty elements too. Compromised accounts, system intrusions, denial of service attacks, defaced web sites and data breaches can cause many kinds of harm, from financial loss to reputational damage, and even health issues.
To avoid security breaches we need agile, comprehensive and proactive security and some security heroes to take care of all this too.
Unfortunately, information about security incidents has lately become both more complicated and more biased. Understanding the root causes of incidents also becomes even more difficult as cloud services replace in-house solutions, and many IT professionals are hence slowly transforming from IT producers into IT consumers. In a customer role you can become dependent on the information provided to you by an account manager instead of reading technical manuals or research papers.
Advancing technologies can add complexity and make it more challenging to identify security risks. Quantum computing and large language models based on pre-trained transformers, for example, are both intricate and complicated, and they also contain many undisclosed components.
Quantum computing has raised concerns about how secure our current encryption is and whether it could withstand brute-force attacks by the huge capacities of future quantum computers. While still waiting for official post-quantum cryptography standards, security teams have fortunately already begun to mitigate the risks by transitioning to more quantum-resistant encryption protocols and key lengths.
Views on the current security scenario seem to be as confused and frantic as the mood during the Y2K chaos. Back then, the media and later companies were on call on New Year's Eve, December 31, 1999, in case date-field overflows would crash IT systems and spill over catastrophically into real-world operations! None of this happened, though. I was there too!
Confused, moralising and often also biased comments on cyber threats can be encountered all the time. As the saying goes, there is nothing new under the sun when it comes to stories. Do not take everything you read or hear at face value.
It is quite common to stumble upon self-proclaimed cyber security experts trying to impress you with their horror stories and, as the next step, to promote their own cause in one way or another.
Social media comments on cybersecurity can be quite toxic and biased, with elevating the writers' own views and interests as the real objective. It is a classical dramatic technique to praise the hero in a story – and the storyteller – by describing the villain as mean and evil as possible. The same method is amply used in war propaganda as well, by the way.
I wonder what attracts people to be entangled in eternal, toxic social media discussions for blame games. No sane and decent adult should seek lots of clicks and likes for petty comments in murky discussion threads.
This brings me to the true subject of this blog.
Let’s start from the basics. Cybersecurity is about protecting joint assets from risks: intentional malicious acts, but also unintentional faults, which might be caused by omissions – or, in some cases, just bad luck.
Cybersecurity is a somewhat different field from securing your private and personal belongings, although many of the same basic principles apply. Data protection, or privacy, as they say in the US, is about protecting personal data. Data protection requires adequate security, but also procedures to inform the data subjects of their rights and, if needed, to ask for their consent.
Cybersecurity is by default teamwork: everybody involved needs to contribute. In security jargon, we talk about technical and managerial controls, but I don’t really like the military-style, authoritarian top-to-bottom term "managerial controls". In IT service development and production we need experts who can make educated decisions. A better term could therefore be people security. Making cybersecurity all-inclusive requires all roles to do their fair part.
- Senior management and board should manage risks and establish security policies.
- Operational management should ensure that security is applied on all activities and identify emerging risks and anomalies.
- Developers and projects should identify risks and create security by design and by default.
- Support functions of the organisation should provide procedures to monitor assets and services.
- Security teams should draft security policies and guidelines, monitor anomalies, handle incidents, support hardening of services and provide information about security.
- Last but not least, all of us, that is you and me, should implement security in all our daily tasks.
Despite all thriving and exciting technologies both on the attacking and defending side, security is totally dependent on people! Without people security there will be no security at all, only hollow policies without implementation.
Data breaches can unfortunately happen in many companies. It is also not uncommon to find unpatched servers and weak configurations left unattended – despite what the commenters on social media claim.
All staff, everyone included, should have clear and realistic roles and tasks in cybersecurity. It might be just following guidelines and procedures, but it might also include supervision and risk identification. If you see something, say something.
Security is not about moralising comments on social media about incidents that affected somebody else. Security is about taking care of your own job and tasks, and also about being a trustworthy and reliable person.
We all need information and discussion on security issues to be able to make good and informed decisions; security can often be complicated, and the information available can be opaque and partial. At the end of the day, when decisions must be made, it is important that we can all trust and rely on each other. Therefore, the most important thing for me is that you take care of your own job on security.
Because the real security hero is you.
About the author
Urpo Kaila is the Head of Security at CSC – IT Center for Science Ltd., which operates Funet, the Finnish NREN. Urpo is also the Security Officer for the LUMI supercomputer consortium and steering committee member of GÉANT SIG-ISM.
Also this year GÉANT joins the European Cyber Security Month, with the campaign ‘Become A Cyber Hero’. Read articles from cyber security experts within our community and download resources from our awareness package on connect.geant.org/csm23