Whether or not we recognize cloud security’s presence on our wristwatch, our car, our kids’ online homework assignment, or even our thermostat — cybersecurity is woven into the very fiber of everything we do.
Technology without security is like a home without a lock. So how do we protect something so important? Influential management consultant Peter Drucker said, “Culture eats strategy for breakfast.” With so much at stake, we have to examine the culture of cybersecurity on both large-scale and intimate levels. The global marketplace depends on it.
We interviewed four top representatives in cloud security to share their insights.
Cybersecurity begins in the schools
“What could I do right now to make our country more secure?” said Ed Amoroso, CEO and founder of TAG Cyber Security, “I say go get your sixth grader and help her with her calculus homework. That’s the best thing you can do to help us with cybersecurity in our country.”
We tend to look at things from a product perspective, but Amoroso encourages tech executives to think on a broader scale.
By advancing an emphasis on STEM (science, technology, engineering, and mathematics) from an academic level, we raise up leaders to help offset talent shortages and be innovators of the future. Amoroso is thinking long-term, generationally. And because digital transformation is the direction of our shared narrative, this focus on the micro (like math homework) helps the greater global picture overall.
The right incentives fuel focus on cloud security
Casey Ellis, founder and CTO at Bugcrowd, has a different take. He believes the most effective way to change a cybersecurity culture is by creating different incentive programs at the development level.
Right now, there is no immediate consequence to developers if a minimum viable product goes to market without airtight security. Security teams are often looped in after the fact, or worse: once a problem is discovered six months later.
“You can kind of gloss over these inconvenient truths,” he said. “That’s the root cause of a lot of the problems that we actually see.”
Malcolm Harkins agrees. He’s chief security and trust officer at Epiphany Systems, formerly in development, and said, “There’s no penalty as an engineer for the security flaws. You don’t get demoted by creating a product that has a security flaw; you get promoted by having the functionality that can sell.” He adds, “Minimum viable product is going to get you maximum security exposure.”
Ellis advises that incentives need to begin from the ground up. “Builders don’t think like breakers. They’re not incentivized to do the same things. And that’s just a fact.” He believes that the gap can be reconciled by having economic pull at a macro level. “I think legal changes are an aspect of it; they’re not a silver bullet … I feel the security industry at large has made it all about the stick. It should also be about the carrot.”
He urges people to consider the human side of what happens when security goes wrong. If we forget that other people are on the receiving end of our development decisions, our actions feel far removed from their consequences.
For example, Harkins asked the CTO of a cement company how he was dealing with security for their product. Security in cement? Yes, the sensors are used for regular road maintenance and traffic routing. However, in the hands of the wrong people, data can be used for malicious intent. Something seemingly irrelevant is actually a loophole in design. “I could utilize flaws in the logic or technology and move traffic toward something rather than what it’s intended for — if I knew how to manipulate,” said Harkins. “We’ve got to start putting human stories on it and looking at the fact that people’s lives are at stake.”
Global leaders can work together for cloud security change
Taher Elgamal, CTO for security at Salesforce, is in cloud security for the long haul. “I’ve been involved in security before the word ‘cyber’ was even invented,” he said. “The world does need to get proactive.”
Elgamal and Amoroso discussed how so much of working together in security is reactive. We come together in times of great crisis — 9-11, the worldwide coronavirus pandemic, times that shake our nations — and show our solidarity. But what is really needed is solidarity en masse to protect people as a whole. “Detect and protect,” Elgamal said. “We do need to simplify things. We’re all connected to each other.”
One way Elgamal recommended simplifying is through automation. He recommended creating some kind of “neighborhood watch” program where companies, even competitors, can look out for each other. “Participating kind of feeds into itself,” he said, because you can protect each other in real time.
Amoroso saw this happen two decades ago after the 9-11 attacks. “I remember being in a conference room where my boss was saying, ‘Hey listen, what’s ours is yours’” to another company’s president. “It was clear that all of the telecommunications providers were going to work together — it was a proud moment.”
He also believes it doesn’t take a catastrophe to unite a nation in cybersecurity. “I think the first thing we need is more young people going into computer science, trained in something technical and exposed to computing. That period of time [after high school] should be a period of national service. A really scalable CyberCorps program, something meaningful.”
Amoroso goes on to explain how treating cybersecurity threats is similar to treating climate change: “Long-term. Generational.” Cloud security is a global priority.
It’s time to advocate for cooperation
Ellis is thinking even more long-term than that. “The idea of someone leaving the front door open and another person taking advantage of that predates the internet by a couple thousand years,” he said. “So this is not an internet thing. It’s really the nature of crime, the opportunity.”
Because of that, security is here to stay. Whether or not we work together as nations is up to us. Our global teamwork is imperative for protection against bad actors. Each nation has a choice to pursue solidarity, automate securely for mutual benefit, and educate young people to help us all be stronger leaders for future generations.