Facebook CSO Calls For A Security Industry Attitude Adjustment

If the security industry wants to succeed in the long run, it needs to undergo a cultural shift, Facebook's Chief Security Officer Alex Stamos said in a keynote at Black Hat 2017 in Las Vegas on Wednesday.

Stamos, who was previously Yahoo's CISO, said the security industry has finally been validated, with widespread and significant security incidents calling attention to the importance of security for both businesses and consumers. However, he said the industry had not changed its attitude to become more open to the broader technology community.

He said the security industry also needs to revamp how it thinks about security problems, shifting its focus to the areas that create the most risk rather than to smaller, more niche threat areas.

"Our community overall – we're not yet living up to our potential," Stamos said.

"It's a critical moment," he said. "We've been asking people to pay attention to us for 20 years – they are now. We have the world's attention, what are we going to do with it?"

Stamos called out three key areas that the security industry needs to change. First, he said the industry needs to stop focusing on complexity and start focusing on the areas that cause the most harm to businesses. He said the security industry had devoted most of its resources to solving the most difficult problems in security, but the vast majority of damage came from more straightforward issues, including phishing, unpatched systems, password reuse leading to mass account compromise, and abuse.

Second, Stamos said the security industry needs to stop punishing people who fail to implement solutions effectively or who inadvertently cause security incidents. Instead of blaming users, Stamos said the security industry should focus on building "nets under tightropes" for users facing security challenges by building better technology.

"Every single day we ask billions of people to walk these tightropes, and if they fall off, we just say that is the situation, and we can't do anything to help. This is a real problem for us and we have to put ourselves in the shoes of those we are protecting," Stamos said.

Finally, he said the security industry needs to become more effective in engaging the world. He said the security industry could use more humility and empathy when addressing companies and governments looking to make security buying or policy decisions.

To address these areas, Stamos suggested companies embrace an approach built on both defense and diversity. From a defense perspective, he said security research should focus on how companies can improve their defensive posture, rather than on the most serious threats that might affect only a few companies. He said companies also need to broaden the scope of what they consider to be the security industry.

From a diversity perspective, Stamos said the security industry would benefit greatly from more diversity in gender, race, thought and background. That diversity push also includes retaining more people in the security industry, he said, by creating an environment that is welcoming to diverse people through more diverse management, better HR practices, and support for diverse people to succeed in the workplace.

"Building a diverse team with diverse backgrounds is key because you never know what problems you're going to get into. It's better to have a tool box with all kinds of tools than all of the best screwdrivers in the world," Stamos said.

Partners said they also see customers asking for a different approach to security than in the past. Kelly Bissell, global managing director for Accenture Security, said customers are becoming savvier about security and are now looking for more than just a security technology resale or "security fluff." He said companies like Accenture have had to revamp their entire business to view system integration and solution deployment "through the lens of security."

Bissell said this security-focused approach will be essential, as he predicted threats will only escalate. He said companies that want to succeed in security, Accenture included, need to adapt their businesses.

"It's not going to stop," Bissell said. "It's just going to get worse … Companies want to think differently."