People are confused about cybersecurity
We need to better message the nuances and stop being confusing
Disclaimer: Opinions expressed are solely my own and do not express the views or opinions of my employer or any other entities with which I am affiliated.
I regularly come across articles that show confusion around cybersecurity best practices. However, this week, I saw two archetypical examples of security misconceptions: a high school changing students’ passwords to Ch@ngeme! and this LinkedIn post conflating compliance with security (screenshot below). These types of instances show why security is hard, but insisting that only security professionals should be able to do security places an unnecessary burden on the community, especially during a time when there’s a talent shortage.
What’s going on with these misconceptions?
The main issue with security is that it’s always evolving. Technology itself is a rapidly changing field, and security is risk-based. Unless you plan to do nothing, it’s impossible to be perfectly secure, but that doesn’t mean you can’t reduce your risk. Again, accepting some risk doesn’t mean there’s no risk. What makes it more difficult is that risk depends on the context and changes over time. For example, security best practices that worked a year ago might be obsolete because attackers may have figured out a way to circumvent certain protections.
It’s already hard for security practitioners to keep up with these changes — it would only be more difficult for a regular person to stay up to date. With that said, there is some responsibility on the cybersecurity practitioners to make security easier both through better products and less confusing messaging. For example, a good product would have made it easier for the school to reset passwords, especially since schools and educational institutions generally have high-risk IT setups. Maybe, the product should have detected when the school wanted to reset every email with a low-quality password and/or the same password.
I’m going to talk a bit about each of these two misconception examples.
The craziness with passwords
Passwords are always a point of dispute. Consumers have seen the whole gamut. Sometimes, you have to have specific characters. There’s a specific length required. At some companies, they require you to change your password every X number of days. I can only imagine how confusing this is. 1Password and other password managers have done a good job trying to abstract this complexity away (an example of a good product) while trying to ensure there is sufficient security.
However, the lack of consistency around passwords has caused a ton of confusion (and rightfully so). Ultimately, the goal of all this was to create substantial entropy so that an attacker cannot guess a user’s password with high probability. This concept is unnecessarily complicated and should be abstracted away from the user. To help clarify this message, NIST and other compliance certifications should be clear about and enforce best security practices for passwords. On top of that, they should be recommending everyone use password managers. Outdated practices of special characters and password rotations should stop showing up. Especially in an area as “mature” as passwords, we should be guiding people toward best practices and abstracting away the “hard work” from the end user.
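As an added illustration of the two points above (a product catching a bulk reset to one shared, low-quality password, and strength being a question of entropy rather than special characters), here is a small Python check that I wrote for this post; it is not code from any vendor or from the school. The known-weak list is constructed for the example, a real product would use a breached-password corpus, and the entropy figure is an upper bound that assumes the characters were chosen at random, which a shared default like Ch@ngeme! never is, so the weak-list check runs first.

```python
import math
from collections import Counter

# Constructed sample of default/known-weak passwords (real products use a breached-password corpus).
KNOWN_WEAK = {"ch@ngeme!", "changeme", "password1", "welcome1"}


def entropy_bits(password: str) -> float:
    """Upper-bound guessing entropy: length * log2(size of the character pools actually used).

    Assumes each character was picked uniformly at random, so this is only meaningful
    for generated passwords; human-chosen or shared defaults are far weaker than this says.
    """
    pools = [
        (any(c.islower() for c in password), 26),
        (any(c.isupper() for c in password), 26),
        (any(c.isdigit() for c in password), 10),
        (any(not c.isalnum() for c in password), 33),  # printable ASCII punctuation + space
    ]
    alphabet = sum(size for present, size in pools if present)
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def review_bulk_reset(resets: dict, min_bits: float = 60.0, max_share: int = 1) -> list:
    """Findings for a proposed batch of {account: new_password} resets.

    Flags (1) one password handed to many accounts, (2) passwords on the weak list,
    (3) passwords whose estimated entropy is below min_bits (a constructed threshold).
    """
    findings = []
    for pw, n in Counter(resets.values()).items():
        if n > max_share:
            findings.append(f"{n} accounts would share the same password")
    for account, pw in resets.items():
        if pw.lower() in KNOWN_WEAK:
            findings.append(f"{account}: password is on the known-weak list")
        elif entropy_bits(pw) < min_bits:
            findings.append(f"{account}: estimated {entropy_bits(pw):.0f} bits is below {min_bits:.0f}")
    return findings


if __name__ == "__main__":
    # The school scenario: every student gets the same default.
    for line in review_bulk_reset({"student1": "Ch@ngeme!", "student2": "Ch@ngeme!"}):
        print(line)
    # A long, manager-generated or passphrase-style password passes without special characters.
    print(review_bulk_reset({"student3": "correct horse battery staple"}))
```

The last call returns no findings: a 28-character lowercase passphrase estimates at over 160 bits, while Ch@ngeme! would score under 60 even if it were random, and a short composition-rule password such as Summer24! is flagged on entropy alone.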
Compliance and security misconception: Tale as old as time
BAAs, SOC2, HIPAA, PCI… All these acronyms represent compliance requirements/documents. I’ve talked about compliance numerous times in previous posts. Compliance is a good way to create a baseline of security, i.e. it is necessary but not sufficient. However, the issue is that many companies often conflate the two for business and sales reasons, because there’s no good way to evaluate the security posture of a company quickly, and these compliance certifications are a convenient “checkbox,” especially for low- to medium-risk vendors. It is also a way for security teams to avoid lengthy vendor questionnaires that both sides dislike. Third-party vendor risk assessment as an industry needs to change, but that’s a conversation for another newsletter.
The problem with most security certifications is that they are behind mNDAs and only available upon request. However, I have several problems with that statement above. First, achieving SOC2 compliance shouldn’t be seen as an accomplishment but rather as a necessary prerequisite. For example, car companies don’t celebrate passing safety requirements, but they do celebrate scoring high on safety ratings, something that unfortunately doesn’t exist for security. Second, comparing compliance achievements between companies isn’t productive, i.e. a company that has met more compliance standards isn’t necessarily more secure. It just shows that the company has dedicated more time and resources toward compliance, which could potentially be negative because they could instead be spending that time on improving their security posture.
The reason this misconception exists is that there’s no accepted standard to compare the security posture between companies. There are risk exchanges through vendors, such as CyberGRX, OneTrust, etc., but you have to purchase a product to do that. There’s also no way for companies to advertise this publicly. We need to create a framework for customers to understand the security posture of a company outside of these outdated compliance requirements, many of which don’t make sense in the cloud world.
Takeaway
Unfortunately, many parts of security are nuanced, and it leads to misconceptions, which confuses non-security professionals and leads to bad security practices. We need to communicate nuanced security problems better, and we need to create products, services, and standards that can abstract these nuances away. In other words, we need to make it easier to understand and do security well. This will take time, but for now, the best we can do is to fight against the misconceptions and try to make security easier and not harder to understand.