WASHINGTON -- In the fast-moving field of cybersecurity, where technologies evolve rapidly and hackers are constantly digging up new attack vectors, the missing ingredient all too often is common sense.
That was the emphatic message that Roger Johnston, a member of the vulnerability assessment team at the Argonne National Laboratory, imparted to his audience in a keynote address here at the USENIX security conference.
Johnston warned against a syndrome he described as "security theater," a condition in which enterprises might pay lip service to protecting their digital assets without addressing the root causes of security vulnerabilities.
He described false friends in the security world, such as "sham rigor" and "false precision," the fallacy that checking off the boxes on a meticulous list will somehow produce better security.https://o1.qnsr.com/log/p.gif?;n=203;c=204660766;s=9477;x=7936;f=201812281312070;u=j;z=TIMESTAMP;a=20392931;e=i
Instead of such a compliance-driven approach, Johnston suggested that enterprises go out of their way to bring creative, even rebellious types with the mentality of a hacker into the security process. Security, he argued, is not a beneficiary of "group think."
"Committees and bureaucrats aren't just dumber than the sum of the parts," Johnston said. "They're dumber than the dumbest member."
Similarly, he warned that firms that delegate security to their engineering staffs do so at their own peril.
"If the only people you have looking at security are engineers, you're in trouble," he said. "In general they have completely the wrong mindset about security."
Engineers, Johnston argued, are not generally prone to thinking like a hacker. More concerned with solving problems of design and function, engineers too often add features that create new attack vectors to systems that would benefit from simplicity, he observed.
He also cautioned that businesses put themselves at a disadvantage when they treat information security as an afterthought.
"Security is difficult enough if you design it from the beginning," he said.
The push to incorporate security as a bedrock of product design and management has been gaining traction in the industry.
Cisco (NASDAQ: CSCO), for instance, earlier this year announced a new approach to security it's terming the Cisco Secure Development Lifecycle, a holistic approach to mitigating vulnerabilities the networking giant patterned in part on Microsoft's (NASDAQ: MSFT) own company-wide security push.
For many enterprises, improving the information security posture will entail a culture shift, Johnston argued. To start, businesses would do well to purge the notion that security is a winnable battle. The vulnerabilities are real enough, and ever present.
"The assumption that there are a small number of vulnerabilities is always wrong," he said. "Because vulnerabilities always exist, if you find one you can do something about it. Finding a vulnerability is excellent news."