Tanium, the provider of endpoint management and security built for the world’s most demanding IT environments, was named Best Cloud Security Solution by the 2021 Tech Ascension Awards. Read the blog announcement for the full list of winners.
We spoke with Chris Hallenbeck, CISO for the Americas at Tanium, about the benefits of cybersecurity going mainstream, cyber awareness, and the latest government-led cyber initiatives around data protection and ransomware.
More mainstream news attention has come to cybersecurity just over the past few years. Do you believe that is helping or hurting? An argument can be made that we're becoming desensitized to data breaches and big hacks.
It is important to maintain awareness of desensitization to important topics, but there remains a very strong argument that the mainstreaming of cybersecurity issues is to our collective benefit. Society is beginning to understand that not all tech is created with noble intentions, and even when it is, it can still bear unintended harms. The reason for growing skepticism of consumer tech is because those unintended harms — like threats to one’s privacy — have been brought to the mainstream. The good news is that once those negatives are brought to mainstream attention, the public often applies pressure and effects change.
Look at smart assistants. When first introduced, consumers assumed these devices were purely helpful in nature, there to automate and streamline simple tasks through verbal commands. It wasn’t until years later that people began to critique their “always-listening” features as a privacy overstep. This public backlash resulted in Amazon, Google, Apple, and other manufacturers offering more transparency about the information smart assistants are collecting, and making it easier for users to prevent and delete voice recordings.
The “mainstream” effect is a powerful force for change, and it’s time that happens in cybersecurity.
What else can be done in terms of cybersecurity awareness?
Cybersecurity awareness is decidedly improving — a Harris Poll earlier this year found that a third of Americans believe defending against cyber attacks should be a top priority for the federal government this year — but that won’t get us where we need to go.
Right now, the most common cybersecurity framework, especially among the public, is structured with fraud alerts; unenjoyable employer IT training videos and cumbersome password-change requirements; and splashy headlines about ransomware threatening the availability of common goods or the potability of the water supply. Here is where desensitization comes in — despite the immense value of preventive measures, most individuals and businesses will follow the lowest-friction path, prioritizing convenience and cost savings over security. As a whole we have included intrusions and loss of privacy as a “cost of doing business.” And with the broad ecosystem in question, rarely is pain felt by enough people to create a sense of shared, sustained urgency.
To raise awareness, the issue should be discussed beyond the news moments. Public and private sector institutions, along with the media, bear a responsibility to speak frankly and rationally about the risks associated with cybersecurity inaction, the increasing costs of breaches, and the tools available, even when there isn’t a spotlight on a specific issue.
The government has recently pushed some major cyber initiatives around ransomware and data protection. Do you believe these actions are helping? What more can be done in terms of public and private sector collaboration?
The government has an important role to play in bringing cybersecurity issues to the mainstream and fueling momentum for evolution in the cybersecurity space. Namely, it has the power to create programs and incentives for everything from public awareness to feeding the cybersecurity talent pipeline — a Works Progress Administration for cyber, if you will. The momentum generated by the government’s early push can then be picked up and amplified by the private sector, which can put that new talent to work and more nimbly innovate.
Part of the incentivization the government needs to do is to make it easy for private organizations to set aside profit motivations in favor of creating solutions that more thoroughly address cyber threats before they strike, as a complement to the vast number of reactive point solutions. It’s impossible to prevent every attack, so detection and response tools are a vital piece of the puzzle. Many of today’s leaders have become too comfortable with checking compliance boxes and deflecting accountability after a breach; the industry as a whole needs to invest more in prevention tools.
How can we make cyber go more “mainstream”?
I see this as a three-legged stool that requires collective effort to make change and sustain momentum. Without any one of these three legs, the whole chair falls down.
States can pass stronger cybersecurity legislation: For example, California’s Song-Beverly Consumer Warranty Act (“lemon law”) contains a section mandating that consumer electronics manufacturers must make replacement parts available even after a warranty period expires. Such a law can and should be expanded to require technology devices to have sufficient memory and data storage capacity to handle security updates, and the law should establish standards for when and how updates must be provided. Ideally and by default, updates should be applied with minimal consumer intervention. The federal government can exert powerful influence over states to pass such laws, and in fact is already showing its willingness to do so through executive orders pertaining to specific cybersecurity issues. Though unlikely, it could also move to make an update to the Magnuson-Moss Warranty Act to incite states to act more quickly.
The private sector must set higher standards: Much as the private sector has adjusted to government requirements that electronic devices be planet-friendly, companies need to plan for a “security lifecycle” that extends beyond the 0-, 90-, or 365-day warranties typical of many consumer electronics. Forward-thinking companies should also look at establishing an industry association certification for devices that meet a published security standard.
Consumers need to be brought deliberately into the fold: Consumers rely on private enterprises to protect the data they collect and store, and those companies need to be more deeply engaged with consumers in ways that facilitate security. There are a lot of ways to do that, but one example I find instructive is the movement for more recyclable products and packaging. Consumers made demands and exerted their collective power to influence greener packaging standards. Businesses can borrow from the template they created when responding to that demand and build a more secure consumer base by developing an industry standard for security best practices, complete with a recognizable logo for products and packaging (where applicable).
This is a multifaceted issue with many moving parts. It takes everyone’s contributions, commitment, and buy-in to truly change how we as a society approach cybersecurity. I invite others to contribute their own creative solutions!