Cyber Wishlist - Christmas 2024
My wishlist for CISO Claus to bring this year.
I still have my front teeth, I have no interest in a hippopotamus, and I never got the hang of the hula-hoop. So this year's wishlist trends toward cybersecurity things I'd like to find under my proverbial tree. None of these are things my Secret Santa is going to hand me at the office holiday party; they're concepts, actions, and shifts we need in order to wrest better control over our collective cybersecurity situation.
Software Liability Ownership
If the building industry operated the way the software industry does, we'd be rioting in the streets. When a company that sells security software can state in its contractual T&Cs that the software is provided "as is" with no warranty that it will actually function, where is the liability that would ensure they write good-quality software?
How is it that when a for-profit company uses free software components in the product it sells, a vulnerability in one of those components isn't seen as the company's problem to resolve, but is instead kicked back to the (generally) unpaid maintainers of the free project?
If your product lets me configure it insecurely - say, with a weak password and no multi-factor authentication on admin-level accounts - is it really my fault when my account is taken over, or is it yours?
It seems to me that we let companies get away with murder with regard to their software products: they don't pay for many of the "raw materials" they use in their own software, and they contractually deny any liability for its actual performance. This leaves consumers - corporate and individual - with little to no recourse when the software harms them, including when the software's own security vulnerabilities are exploited by malicious actors. (This is especially unforgivable in security software and hardware. I'm looking at you, VPN and firewall vendors, with your directory traversal crap.)
Making those who sell software liable for at least part of its performance and security would be a great start toward resolving a number of our cybersecurity ills.
Reward Secure Behaviors
There is plenty of evidence that human beings (and companies) are motivated more by rewards than by penalties. Yet with cybersecurity we focus on penalties, whether regulatory, financial, or contractual. We could reward secure behavior at many levels, from individual to national. Some off-the-cuff thoughts:
- Instead of embarrassing the person who fails your cybersecurity training check, celebrate and reward the person who aces it.
- Make sure the family knows that Grandma and Grandpa are using a password manager and have used it to replace and reset all their old reused passwords. (Old dogs can be taught new tricks, honest)
- Reward the internal developers whose software has the fewest bugs and vulnerabilities found after pen tests are completed, and again after a calendar year of "real use."
- Make vulnerability trends part of your RFP selection criteria for new tech, using metrics such as the ratio of zero-days to market share, average time to remediation, and the quality of the upgrade/update process.
- Reward your software vendors annually for having delivered secure software and services - make it part of their contractual obligation to receive full payment from you.
Are all of these perfect ideas? No. But they're a starting point.
Connect the Dots on Data Collection, Retention, and Loss
Privacy advocates know that you can't lose data you don't collect. Unfortunately marketing departments, sales departments, and many others believe that every piece of data has a potential use.
PCI DSS made a good start here: it forbids retaining sensitive authentication data such as CVV/CVC codes and full magnetic-stripe contents once a transaction is authorized, and any card number that is stored must be truncated or otherwise rendered unreadable. (Can you imagine if every T-Mobile, AT&T, or Verizon breach meant that everyone who pays those companies by credit card needed a new card?) So why, in 2024, does every company on earth believe it should hold on to my full SSN after using it once to run a credit check, validate my identity, or serve whatever other "legitimate" (I use that term loosely) purpose it needed it for? Why do cellular phone companies keep data for years on people who merely applied, or who are former customers?
I'd truly love to see an analysis done for, say, a cellular phone company of the value that retained data brought to the company versus the cost of litigation, settlements, and the like once the dust settled after a breach. I'm willing to bet the value isn't worth the cost. I'd like to see boards, risk officers, and organizations in general recognize this and act accordingly.
Treat third-party data like a liability, not an asset.
Actual Entry Level Cybersecurity Jobs
I'm among the generation that got into cybersecurity before it had much structure. In 2002 CISO had existed as a title for only 7 years, and we were still sorting out how important things like email filtering and PGP were, or weren't. Our firewalls didn't have graphical interfaces, or if they did they were terminally slow. You could seemingly get into the field from any background, with no real experience.
Today, as with much of tech, we seem to expect cybersecurity professionals to fall off the tree fully ripe and ready to go: at least 5 years of experience in the field, and willing to work for starting wages. (I wonder how much of this drives resume embellishment, but that's a rabbit hole for someone else to head into.)
I promise you there are a great many things for a truly entry-level security person to do. From documentation to patching, there are plenty of tasks your cybersecurity team considers "busy work" and would prefer to hand off. Those tasks can be extremely enlightening, expose a newcomer to all sorts of things, and free up your more expensive people for the work you'd rather they focus on. Later on, those entry-level hires can climb the ladder (in your org or elsewhere) on the strength of the work they did in those formative years. Seems like a win-win to me.
Global Law Enforcement Cooperation on Cybercrime
As I write this, there are clearly jurisdictions that do not cooperate with their global peers on investigating, arresting, and prosecuting cybercriminals. I don't imagine I need to name names, and the reality is that the line between state-sponsored cybercrime and legitimate state-sponsored statecraft is one that is difficult to reach consensus on, especially with those who take a broader view of statecraft. I think we can all appreciate that international cooperation on ransomware prosecution would be a net good for the world as a whole, and I hope that the world leaders who don't see it that way today will start changing their minds soon.
Putting a Bow On This List
Delusional you say? Aiming high I say.
Unrealistic you say? Easily achieved goals aren't worth wishing for I say.
I hope we can all agree, however, that on the whole these would be net positives for cybersecurity, and that's the most important part to me.