The public and personal threat every American faces from hackers has been declared a national emergency by President Obama. Recent hacks at Sony, Anthem and CENTCOM prove that there is a serious security risk to citizens, businesses and government alike. Sanctions from Washington, DC may slow down hackers, but the challenges we face are not from a lack of laws, knowledge or resources. Like many modern day public challenges, the issues we face in confronting cyber-attacks are very solvable. Silicon Valley certainly has enough brilliant minds to win the war against hackers.
The problem is that the CEOs and Boards of Directors, the anointed “stewards of trust” of our private data, don’t know what they don’t know. From credit card companies to retailers to health insurance providers, the top executives too often rely on flawed implementations and a poor understanding of the efficacy of their digital countermeasures. Add in a toxic mix of public complacency and over-reliance on technology alone to fix the problem, and we have a big security problem.
Organizations must take responsibility for creating and embracing business practices to ensure the efficacy of digital security. Shareholders and the public understand what is at stake and have the most to lose, but there is no “easy button” to press that fixes it. We need to create a “fabric of trust” in our rapidly emerging digital lives. Trust is not about one company, or one industry, or a brilliant technology. Trust is built through checks and balances that over time create a cycle of continuous adjustment and improvement.
The implementation of digital security must be supported by a comprehensive system of independent third-party reviews, rating agencies and regulations that will create more trust. It’s a maturation process that the healthcare, airline and financial services industries went through to create the trust the public seeks. No one gets on a plane without trusting the airline industry’s process for safety and security. Industries that are based on trust have one trait in common – an administrative framework of continuous adjustment and improvement that applies to all of their members equally. Currently, the implementation of digital security by organizations is like the Wild West. The Computer Age, Internet Age and Social Media Age advanced and transformed the way we live, but there’s been a shocking failure to embrace and implement robust business processes with checks and balances that protect individuals and businesses from hackers.
The businesses that have vital customer data are failing to implement the necessary business processes to keep up with the threats that are growing from a variety of bad actors that range from amateurish “script kiddies” to organized crime syndicates to nation state hackers. Digital security practitioners spend too much time trying to create a “better” technology. They live in a technology cocoon and don’t understand the business process necessary to effectively execute what they build. Technologists are busy disrupting and ideating and redesigning, but effective solutions are already out there. Those solutions just need to be deployed with a comprehensive administrative framework that implements a secure process allowing businesses to successfully protect our private data.
There is very little conviction of purpose related to digital security on the part of corporate CEOs and Boards of Directors. They have not embraced the challenge of creating a truly top-down organizational commitment to solving digital security. Would a bank offer a new type of loan or credit instrument without a credit policy, lending criteria, risk assessment, audits, ongoing repayment monitoring, fraud detection, documentation, defined roles and functional responsibilities, and the segregation of duties necessary to prevent fraud? Of course not. But when it comes to a company trying to protect our private data, there is no such network of internal and external controls and resources that measure the effectiveness of keeping our digital lives safe. There’s no way to tell the good from the bad.
Nobody wants to hear that the answer to protecting against hackers lies in an administrative framework that implements a sound process. But until this “fabric of trust” becomes real, the public trust in digital security will continue to erode.
The digital security industry will gather next month in San Francisco at the RSA Conference, one of the biggest meetings for technologists and Silicon Valley entrepreneurs. It’s time the digital security industry grew up, with a real investment from its leaders in working together rather than working alone.
Trell Rohovit is the CEO of HydrantID, a leading provider of digital identity and advanced authentication services for large organizations.