At a time when cybersecurity has become more relevant than ever to senior leadership at companies, experts challenged practitioners to simplify their focus, while taking up a radical approach, in order to remain effective as a field.
On Wednesday morning, Dan Geer, the CISO of Arlington, Va.-based investment firm In-Q-Tel, delivered his keynote at the Black Hat hacking conference in Las Vegas, where he argued that “policy matters are now the most important matters” as it pertains to moving forward as an industry.
Black Hat founder Jeff Moss, who welcomed Geer to the stage, kicked off the conversation, saying that practitioners need to embrace “radical simplicity” by pinpointing key systems and prioritizing those risks in today's expanding threat landscape.
At the podium, Geer proposed several steps for improving industry efforts through policy during his keynote called “Cybersecurity as Realpolitik.”
He specifically advocated mandatory reporting of security events at companies, citing the practice as a fundamental and effective strategy at the Centers for Disease Control and Prevention (CDC), where the aim is to contain health risks to the public. Geer explained that enhanced disclosure of security threats could similarly improve his industry's detection and response efforts.
While many states have enacted data breach notification laws, Geer argued that policy should go a step further and require the disclosure of security incidents “above some severity threshold that we have yet to negotiate” as an industry, he added.
During his keynote, the CISO also championed policy that would force companies to be held liable for the integrity of their software.
Geer said that organizations developing widely used software ought to “do it well,” and – in instances where they are guilty of sloppy coding or cutting corners for cost's sake – that they be held responsible for whatever damages their software creates.
A clause in software contracts holding vendors responsible for their technology could also allow software users to disable or “chop out” parts of commercial software that they don't want or don't trust, Geer offered.
While some worry that such moves would inhibit innovation, he said they would instead bring about the radical changes that are, in the end, necessary to counter the growing threats users face today.
As an aside, Geer also weighed in on workforce opportunities for young people entering the field, advising them to focus on a specialization within security. While longstanding practitioners have gleaned an overarching understanding of the threat landscape over time, Geer said that security issues are growing more complex and expansive, and that “no person starting from scratch can do that now.”