Cybersecurity pros: Give your product the ‘Mother Test’
The sophistication of AI-enhanced cybersecurity technologies has grown rapidly in the past
few years, so much so that only highly trained experts, of whom there are far too few, really
understand how they work, and sometimes how they fail. But the most serious security weaknesses
of today’s networks, data centers, clouds, and applications are less likely to come from flaws in those
advanced technologies than from ordinary human failings.
In a December 10 webinar featuring three cybersecurity experts, moderated by Threatpost Senior
Editor Lindsey O’Donnell and hosted by Lumina Partner Samantha Singh, there was considerable
agreement about where the greatest threats to security lie. At the root of them all were failures of
accountability by the people whose jobs bring them closest to a project’s vulnerabilities.
It starts with non-IT employees whose security training has been perfunctory and unimaginative.
It continues with developers whose overwhelming priority is to ship their application, with
security a distant second. It is amplified by the lopsided ratio of developers to security staff,
about 30:1 according to Kristina Balaam, a Senior Security Intelligence Engineer at Lookout. And it
is further magnified by the common management view of security spending as an unwelcome form of
worst-case insurance rather than as an investment in a business asset, according to Netenrich’s
CISO, Brandon Hoffman.
Then, once a business discovers that it has actually been hacked, staff and management are inclined
to circle the wagons and minimize what they disclose about the loss, hoping to mislead clients,
investors, the media, and their competitors. Instead of sharing details of the incident (details such
as how the attacker got in and what they did, which could help protect the entire business
community), the tendency is to leave everyone else to discover the attacker’s mode of operation
for themselves.
But perhaps the greatest human foible contributing to successful attacks is the tendency of security
software vendors to overstate the capabilities of their products, putting prospective clients at ease
about future threats. No system is completely secure; even security companies themselves get
compromised. False promises of safety, like exaggerated claims of product performance, are simply
disrespectful. Researcher, consultant and vCISO Chris Roberts offered a simple test: “Would you talk
that way to your mother?” he asked. “If not, don’t talk that way to your clients either.”
Educating people to act respectfully, to be accountable for their actions, and to recognize that being
vulnerable to cyberattack doesn’t make them weak is fundamental to building a more stable,
more secure digital culture.