What Works with Security Risks: The Carrot or the Stick?
We just wrapped up an intense focus on security at RSA in San Francisco this past week. Thousands of IT professionals gathered from near and far to discuss the latest advances, trends, and concerns around securing our businesses. All happening against a backdrop of political unrest, from Dubai to Egypt and even to Wisconsin, projected onto the internet for all to see. At the same time, The New York Times reported that the Canadian government had been hit by a cyber-attack in early January that created an internet blackout for nearly two months. It got me thinking: As the world becomes smaller—or we gain visibility into events and occurrences not possible before—how does that impact our spheres of influence? And if cybercrime is your domain, how does this shape your thought process or approach?
Interestingly, I had the pleasure of sitting on a panel at RSA, which included Jeff Moss, Director and Founder of Black Hat and DefCon and member of President Obama’s Homeland Security Advisory Council; Tim Wilson, Editor in Chief, Dark Reading; and Eric Aarrestad, VP of Marketing, WatchGuard. Jeff provided rich commentary on the business of cybercrime from the criminals’ perspective—what’s in demand, what gets noticed, etc. And Tim provided the balance to that equation, offering a view into what his readers mostly want to know about: What are the latest threats? Makes sense, but the problem with that is that it sets up your security posture as reactive, rather than strategic.
As the conversation evolved, the kernel of discussion became this: What’s the best way to help organizations understand their security risks and what they can do about them? Do you play up fear (the stick), or do you play up enablement (the carrot)? From Cisco’s perspective, we believe in enablement. It’s an interesting debate—especially as we find ourselves more and more in the cloud, and working with an increasing number of connected devices, be it tablets, smartphones, or even our refrigerators.
As IT consumerization proliferates and more and more devices cross the chasm between work and home, cybercriminals are going to find more opportunities. And that’s why we need to think about and implement security up front, embedded throughout the network. But even more importantly, we need to unite—across organizations and industries—to identify real ways to combat the threats. If we leave the business of fighting cybercrime to individual solutions, we’re doing our customers and our businesses a grave disservice. It’s time to get aggressive and create a united front so that we truly can approach security from a posture of strength and enablement.