Bringing accountability to the Internet
As leaders, we must be accountable.
Choosing to be accountable is what distinguishes a leader in our world today. Accountability is bold—and it can drive innovation. Accountability can act as a catalyst for the change required to solve seemingly intractable problems.
As industry leaders, we are accountable for protecting our organizations’ proprietary and sensitive information, our employees' digital and physical well-being, and the reputations of those we do business with. We are accountable for building trust with our customers and stakeholders. We are accountable for delivering results. We are accountable for working within financial constraints. We are held accountable when there is an incident.
In this moment of incredible technological advancement, taking responsibility for cyber security means a commitment to curbing potential damages from incidents. It also means an emphasis on communication and empathy and working to change the economics of being a cyber criminal—which remains a good business, since the chances of getting caught are unlikely.
Unfortunately, the cyber security doom narrative has become deeply embellished in our minds. As a result, many leaders have lost the nerve to act. Despite billions of dollars spent globally on security solutions, we’re still in a precarious position. We’ve largely moved beyond hackers playing tic-tac-toe, defacing websites, and stealing passwords and credit card numbers. Cyber attacks now rank alongside extreme weather events, the prospect of nuclear war, and the overtaking of humanity by artificial intelligence as the grand challenges of our age.
Still, we can successfully address cyber security threats with the right mindset and solutions.
Here are a few recommendations based on my personal experience on how to change your mindset and become more accountable for mitigating damage.
Reject commonly held beliefs: If we want to prevent damages, then we have to reject some of the commonly held beliefs about attacks. In particular, we should reject the idea that catastrophic outcomes are just a matter of time. We should also abandon the notion that attackers have the ultimate, long-term advantage. And we should discard the belief that the total cost of damage equates to severity of impact—a $100,000 attack on a municipal government might have a greater organizational impact than a $100 million attack on a large enterprise. We must be methodical and scientific, and avoid the continued cargo cult of science, in which erroneous claims and conclusions are formed by misinterpreting the causality of results.
Invest in what works: At the same time, we need to leverage economic power in the marketplace of security solutions. You wouldn’t pay for a car that you couldn’t drive off the lot, or a meal you didn’t get—and you shouldn’t pay for cyber security that doesn’t work. The equilibrium of the marketplace in cyber security needs to be restored so that companies who build the best products, succeed.
Insist on performance metrics from vendors: How do you know if a cyber security solution works? You need quantifiable proof. Before you invest, insist on seeing performance metrics from vendors. After you invest, regularly check metrics to ensure that the solution continues to deliver on its vendor’s promises.
Focus on the root cause, not the symptoms: What’s the single biggest challenge facing security teams today? Many teams can’t agree on a focus area. Without that internal agreement, it’s going to be difficult to meaningfully counter or prevent cyber threats, regardless of what security solution you buy. Too many security teams have fragmented approaches. Instead they need coordinated, comprehensive strategies that focus on root causes of attacks, not symptoms. For instance a concern over malware attachments is best addressed by eliminating the delivery mechanism, email phishing.
Achieving accountability
Cyber security today needs a paradigm shift. Teams need to implement a comprehensive, value-based approach to security. And they need to hold partners and vendors accountable. Because being increasingly pessimistic about the effectiveness of cyber security solutions isn’t a solution in and of itself.
Visit the Cloudflare trust hub to learn about the polices, technologies, and certifications that enable us to be accountable to our customers—and that ultimately help those organizations strengthen their accountability as well.
This article is part of a series on the latest trends and topics impacting today’s technology decision-makers.
Author
Oren Falkowitz — @orenfalkowitz
Security Officer, Cloudflare
Key takeaways
After reading this article you will be able to understand:
How to change your mindset about security threats and become more accountable for mitigating damage
Why you should adopt a value-based approach to security solutions