Cybersecurity

The Ethical Hacker: Can We Talk About Safety, for a Change?

I really enjoyed the Enfuse conference in May (three days devoted to security and digital investigations). In fact, this was my first time attending, and I didn’t know exactly what to expect. I was impressed by both the sessions and the content provided. In the technical realm, the session on dissecting the Amazon Echo was amazing. And from a more strategic viewpoint, the session on risk management and getting to the board was enlightening and engaging.

What really struck home for me, though, were comments made by Patrick Dennis, Guidance Software’s CEO, in his opening keynote address. He talked about something that I have been thinking about for years now, but have failed to communicate to my peers and colleagues. He directly addressed the difference between safety and security.

We always seem to be pursuing security when what we are really looking for is safety. No one wants to live sequestered away behind locked doors and barred windows, in a constant state of fear. Don’t go to that website! Watch out for that email! And for crying out loud, don’t click on that link!!

We want to live in an environment that is safe, one where we feel comfortable leaving the door unbolted and the windows unbarred. But cybersecurity has at its core the goal of (and even the word) security. It’s not cybersafety.

We are diligently working to put bars on our cyber-windows and bolt our cyber-doors. And I have a very hard time arguing against that, since it appears necessary, unfortunately. What we’re not addressing is the core issue of why the environment is so unsafe. We’ve engaged in a scenario where our baseline assumption is that safety is impossible, and we have to armor and protect everything.

Can we change the channel? To do that, we have to ask ourselves: What makes an environment safe, and can that even be applied to the landscape of cyberspace?

In the physical world, what makes us safe is not the police, it’s not locks on the doors. It’s us. You and me and everyone within the community that we interact with on a daily basis behaving in a manner that promotes safety.

I walk down the street from my home to the coffee shop without worrying about being mugged or attacked. Are there places in the world where that would not be possible? Yes, of course there are. And maybe that’s part of the problem. In my community, it’s unlikely that someone with nefarious intent would be present. And if they were, they would likely be identifiable as out of place. And my guard would be up.

In cyberspace there are no borders, no boundaries, which has a great leveling and equaling effect. But it also has a cost in terms of safety. When my neighbor is a stranger from halfway around the world, the benefits of that diversity are great, but so are the risks.

So, what’s the solution? Honestly, I don’t know. Maybe that’s why I have such trouble communicating the concept. But I do know that if we don’t start asking the questions, we’ll never find the answers. In the end what we really want – at least what I really want – is for us to be cybersafe. Is that too much to ask?

Published .