Once again I was listening to the DtSR podcast and came across interesting things I want to comment on.
(No, I did not create this blog just to comment on Rafal and others, it’s just that their show gets me thinking. Thanks guys! 🙂 )
As an industry, we’ve spent years complaining that the powers-that-be – senior management, elected officials, law enforcement, … – don’t take InfoSec seriously. Much like the dog that barks after the car, we chased attention to our issues, in the well-meaning hope that proper attention would mean more support, more resources, and more results.
(I recall reading Gunnar’s excellent post back in February and thinking that it was – and still is – solid advice for security teams.)
[W|H]ell, it should not surprise us, then, that when they listened, they listened with their own perspective on things. And, as it turns out, their perspective includes not only looking at Cyber/InfoSec issues in the broader context of Risk Management, but also keeping their own incentives in mind, be they re-election, reputation, or not rocking the boat on ‘how things are done’ ‘at that level’.
Now we’re seeing the other side of all that attention. Cue the law of unintended consequences.
Now, we have eager lawmakers making rules that may or may not make sense. Now, we have security services on edge over cyberthreat claims. Now, we have lawyers interjecting themselves into security disclosure. Now, we have vendors increasing lobbying efforts and touting liability shields as benefits of their solutions (though, as Steve Ragan suggests, perhaps not as broad as initially thought).
What to make of all this? To me, the trend is clear: now that we’ve been successful in getting the CxO/BoD/… spotlight shining on us, this will be the new normal. Expect much more involved conversations with legal/counsel, and expect organizations to use more tools in their arsenal to address the risk. Don’t be surprised if, instead of appealing to ‘the better angels of our nature’ and collaborating with researchers, your organization chooses to deploy strongly worded cease-and-desist letters. This is how conflicts get resolved by those we’ve asked for help.
So, dust off that suit, brush up on your Latin, lose the lawyer jokes, and embrace a more complicated but ultimately broader and more impactful set of responses to CyberSecurity.
Alea iacta est.