It was a pleasure to chat with Brian Contos about a range of topics, focused mainly on reducing the information security professional deficit through architectural changes rather than an actual increase in staff to fill the gap. It was a fun conversation that touched on transformative technologies with the potential to end the era in which protection and defense depend on interception technologies, by shifting to more inherently secure systems. For this change to be possible, defenses will have to be integrated rather than added on later with additional tools and systems to deploy. These themes all fit in with my upcoming book Transforming Information Security: Optimizing Five Concurrent Trends to Reduce Resource Drain. I’ve been working on this book since my term ended as an IETF Security Area Director, where I read hundreds of pages of new standards, constantly gaining insight over a broad spectrum of evolving technology.
Brian hit on some key questions, including the path forward with strong, provably secure encryption that cannot be intercepted passively and what this means for detection and prevention technologies going forward: they must shift to the endpoint. NIST’s Security Content Automation Protocol (SCAP) is undergoing a transformation in the SCAP 2.0 work that should make secure posture assessment easier to deploy and more cost effective. One goal of SCAP 2.0 is for the assessable security controls to be provided by the vendor responsible for the software (OS, application, service, etc.). Add-on assessment products could then query a repository rather than each requiring its own hooks into the full infrastructure. Attestation is one of many evolving technologies that will support a possible architectural shift in support of strong encryption. Attestation provides a set of claims and a signature on code from the provider, placing responsibility with that provider for the maintenance and trustworthiness of their software. This impacts the detection and prevention market and has the potential to shift the industry to more scalable technologies. This is an oversimplification of possible changes further explained in my above referenced book, which considers additional technology advancements and other architectural shifts to support several trends in and outside of information security.
None of this works without secure coding practices. Have we finally reached the point at which software providers understand the need to bake in security? I hope so. If not, the deficit in information security professionals and the inability to manage security through add-on security mechanisms will become a heavier burden. Selecting platforms, operating systems, and applications that provide inherent security, with attested trustworthiness scores coupled with the ability to perform secure posture assessment in standard ways, should become the norm from a purchasing perspective.
Visit here to subscribe to the Verodin Cybersecurity Effectiveness Podcast, winner of the 2020 Cybersecurity Excellence Awards in the category of best cybersecurity podcast for a company with 1,000 to 4,999 employees. Listen in to our latest podcast series and gain insights from some of the most powerful women in cyber.