No, We’re Not All Cyber-doomed

Last week we explored the cybersecurity issues facing governments, policymakers, and society at large in an attempt to convince you that the world isn’t necessarily cyber-doomed.

So, how are you feeling?

If you’re still concerned about the state of cybersecurity after Part I, which you can read here, we hope that Part II will ease any fears that might remain.  What can the private sector do to help make you feel safer? Our cybersecurity experts offer some ideas.

Laura Bate

Senior Program Associate, New America

Let’s start with workforce training methods. The emerging trend towards work-based learning models, and particularly apprenticeships, is a good first step. Though there are not many registered apprenticeship programs operating yet, the move in that direction could fill many of the hundreds of open jobs in the field, employing people who need work and filling jobs on the front lines.

Devon Rollins

Director of Cyber Threat Intelligence, Capital One

The maturity of unsupervised, self-learning systems is showing great promise as a real-time response to malware and outright devious behavior by insiders. Assuming malware detection models using signatures or virtualized sandboxing are easily defeated by commodity tools used by cybercriminals, it gives me great joy to see AI and machine learning err on the side of becoming more than buzzwords. Marketing aside, software may still eat the world, but algorithms will deal with the indigestion.

Nicole Becher

Director of Cyber Operations, Fractal Industries

As more critical data services go online to provide essential, mission-critical services, cybersecurity is increasingly becoming a regulatory and compliance concern. With appropriate and flexible regulation, combined with free market-based incentives such as cyber insurance, corporate focus on adequate cybersecurity is intensifying and becoming a crucial question for organizational leadership. This is good news for customers and consumers of institutions that are integral parts of our global society.

Natasha Cohen

Director of Cyber Policy and Client Strategy, BlueteamGlobal

The integration of risk-based cybersecurity into regulation. Having risk-based regulation enables companies to adapt baseline standards to their environment. It also pushes a closer integration between IT security and company-wide risk management, and gives executives and board members a constructive way to think about cybersecurity decisions. IT security can’t live on its own—it needs to be a business priority.

Sebastian Goodwin

Senior Director of Cybersecurity, Nutanix

I’m glad to see industry and academia begin to take a more quantitative approach to cyber risk. How can you manage something you don’t know how to measure? Every business school in the world has courses on managing and measuring financial risk, yet none teach cyber risk management. This is beginning to change. Red/yellow/green is not going to cut it much longer as measurements of risk in the boardroom. It’s time we leverage tools including Monte Carlo simulation, Value at Risk (VaR), options pricing, and jump diffusion models. The industry will benefit from these efforts.

Robert Lord

Co-Founder and President, Protenus

Two interrelated developments are most heartening to me. First, an awareness of the need for industry-specific solutions to protect our critical cyber infrastructure. Second, an acknowledgment that advanced analytics can be much more effective when focused on a single industry because they can incorporate industry-specific knowledge and provide leverage to understaffed security and privacy teams that are overburdened with manual forensics. For example, we’ve seen transformational success in healthcare breach detection systems that incorporate clinical information from electronic health records to determine which hospital personnel should or shouldn’t be looking at a given patient.

Katie Moussouris

Founder and CEO, Luta Security

As we continue to experience more complex vulnerability disclosures, like the recent WiFi protocol issue known as KRACK, that affect many vendors of widely deployed products and IOT devices, I have hope that organizations are getting better at multiparty vulnerability coordination. At least one of the hardware manufacturers of wireless access points already had a patch available at the time of broad public disclosure, and more will follow. It’s time for all organizations to build response capabilities for when there’s an issue in a common library or protocol, and this recent demonstration of multiparty vulnerability coordination gives me hope that this is getting better as we slide into the era of IOT.

Trevor Rudolph

Chief Operating Officer, WhiteHawk

Although we’re bombarded daily with news of the latest cyber attacks, the opportunity space cannot be dismissed. Talented professionals should never want for work—conservative estimates put the workforce gap at nearly 2 million people internationally. Increasingly, young people are answering the call; recently 3,935 students competed for 100 scholarships in the SANS Institute CyberStart Program. And it seems inevitable that the market will drive sustainable cybersecurity solutions. In 2016, venture capital firms invested $3.1 billion in a record 279 cybersecurity startups.

Jessica Ruzic

Senior Information Security Analyst, Conference of State Bank Supervisors

The public's demand for accountability is increasing as people begin to recognize cybersecurity incidents for what they often are: leadership failures. Too frequently, executives and officials claim an incident was inevitable when the real culprit is systemic negligence. This year I’ve witnessed greater understanding on the part of the C-Suite, and the public, that if you are not a cybersecurity expert, the most effective way to prevent incidents is to surround yourself with those who are. And then listen to them.

John Scott

President, Ion Channel

I see two encouraging signs. First, it seems we’re at the end-of-the-beginning for taking cyber and security seriously versus just throwing people, technologies, and money at the problem. Second, investments to achieve agility and resilience via continuous development and integration (DevOps) coupled with security (SecDevOps) should start bearing fruit in the coming years.

Allison Stanger

Professor of International Politics and Economics and Founding Director of the Rohatyn Center for International Affairs, Middlebury College

2016 and 2017 forced many Americans to become aware of the need to be proactive and preemptive in keeping their personal information safe. Because cybersecurity is a federal-state-local partnership, those individual contributions matter on all three levels. The more Americans can think for themselves, the less likely they are to be putty in the hands of firms like Cambridge Analytica. Be an algorithm-buster!

Bhavani Thuraisingham

Louis A. Beecherl, Jr. Distinguished Professor at the University of Texas at Dallas

While data mining applications for cyber security have been discussed for almost two decades, it is only within the past year that such applications are being taken seriously and considered mainstream cybersecurity. The developments in data science, including in big data analytics and deep learning techniques, are showing promise in multiple areas such as malware detection and analysis, cyber forensics, and fraud detection. These techniques are also reducing the number of false positives and negatives as well as improving the accuracy of successful detection.

Tarah Wheeler

Principal Security Advisor at Red Queen Technologies

Ransomware is the best problem Infosec has had in years. Corporations and even governments often fail to disclose data breaches, making it very difficult for those affected to gauge long-term effects of losing personal information to the dark web. However, if someone’s treasured photo album or a small business’ customer list is encrypted by ransomware, cybersecurity threats become very real, very quickly—even to nontechnical people. Ransomware is giving cybersecurity new prominence in the minds of the public and impacting the international dialogue about securing the future of technology.