Addressing the 800lb cybersecurity gorilla in the room

The Malaysia Cyber Security Strategy (MCSS) launch came with all the prerequisite speeches and welcoming notes. But there was also a panel discussion between NACSA, MAMPU, Axiata, and even 3 cybersecurity vendors.

Of all the presentations during the panel discussion, Crowdfense’s stood out  because of the ‘800lb gorilla in the room’ it wanted to address.

Crowdfense Director, Andrea Zapparoli kicked things off by commenting that the MCSS took into consideration all the right points and defined all the right pillars and priorities.

Agreeing with his esteemed colleagues that cybersecurity is a technical issue, as well as a societal, organisational and cultural issue, he pointed out that many tend to forget, or intentionally overlook that cybersecurity, most of all, is an economic and financial issue.

Conflict of interest

“Because as ICT developed over the years, it created a conflict of interest between security and performance, between speed, time-to-market, and risk management.”

Fast forward till today and security is considered a tax. “Users are suffering security, instead of embracing it,” Andrea said.

“So, they will always spend as little as possible, for example minimise cybersecurity spending while trying to retain ability (for systems) to function and operate.”

He drew parallels between the automotive industry and the ICT industry.

The auto industry used to have a very high death rate, when it was first introduced, because no traffic lights, paved roads or laws were created to support these automobiles. On top of that, the automobiles themselves were dangerous, as they were often without brakes, according to Andrea.

When cars became a mass phenomenon and mainstream, a few things  happened. Firstly, governments started to set rules, built paved roads, set traffic laws and police had oversight to ensure laws were enforced.

More importantly, producers of cars were made responsible for defects in products.

This is not yet happening in ICT,” Andrea said, adding that cybersecurity is the only area where vendors are not responsible for the security issues of their products.

He also reminisced about Silicon Valley in the 70s, when personal computers were not yet mainstream, and considered bleeding edge technology, still.

The first five lines of the end user license agreement (EULA) would somehow always have a phrase indicating that the user would be using the product at ‘their own risk.’ Vendors will not be held liable at all.

“But this is still the case in 2020,” he said drawing attention to the fact that this should not be and also highlighting this could be the reason cybersecurity vendors are not held responsible for defects in their products.

“This is not sustainable anymore,” he emphasised, implying that something, somewhere, has to give way.

“Basically, users can either refuse to accept the risk, or accept to face it and try to mitigate it somehow,” he said. The state of our cybersecurity currently perhaps gives a clue of the many masses that chose the latter and are unsuccessful, so far.

Incentivising better security posture

Andrea proposed that the industry has to find a way to transfer this risk. “This is not very common and extremely hard to do in the cyber domain.”

“You can’t transfer it, and there is no way to properly manage this risk as we do in other fields, currently,” he said also adding that security levels for the digital domain, has to raised to be as secure as for the automotive industry.

“We need cybersecurity products with ‘seatbelts’ and ‘airbags’. We need to be able to transfer the receiver risk to someone else (maybe an insurer),” he recommended, explaining that the idea is for this process to create a positive loop and incentivise everyone to improve their security posture, instead of seeing cybersecurity spending as a tax cost.