Speaking at 44CON on how “Bad analogies make bad realities,” Charl van der Walt, strategic director at SensePost, said that “while we were talking about hacking sex toys, Russian hackers changed the world quite substantially” and began “a new era in our industry.”
He said that this changed the cybersecurity industry significantly, and as attackers upped their game “our world is different to what we knew before, a threat is emerging that has potential to change the world.”
He told the audience that as the world is “going to change in significant ways, then you’re a part of that battle and at the front of a war that shapes our world in a substantial way,” and we can shape it in the decisions we make, and it is “up to us to determine how to change.”
Using a series of analogies including the 2008 financial crisis and the Doomsday Clock, van der Walt argued that it was time to develop the “why” of security and “why it matters” if it is done right, and that we need to explain why security is important in a way others can understand.
“Metaphors matter, and change the way we think,” he said. “Compare severity and likelihood, and express where the Doomsday Clock is in terms of the security concept. The problem is risk is thumb sucking; estimating concepts with no way to quantify them.”
Speaking on debt management, van der Walt recommended creating and maintaining a debt register, deciding who is best positioned to determine the right thing to do, and thinking at the right level of security.
“Every time a security trade-off is made, get the recommended cost and what the actual cost is and deduct one from the other and get the debt. Dial it up or down depending on the severity of the issue, and once you have the register you communicate it to the board for them to consider.”
He concluded by saying that we see breaches all of the time, and it is easy to look at each in isolation, but collectively these can be a problem for everyone. “We are facing real threats and that is where the fundamentals of the world can be changed,” he said. “If we address the ways we talk and analogies we use.”