If the security industry wants to succeed in the long run, it needs to undergo a cultural shift, Facebook's Chief Security Officer Alex Stamos said in a keynote at Black Hat 2017 in Las Vegas on Wednesday.
Stamos, who is also the former Yahoo CISO, said the security industry has finally been validated, with widespread and significant security incidents calling attention to the importance of security for both businesses and consumers. However, he said the industry had not changed its attitude to make it more open to the broader technology community.
He said the security industry also needs to revamp how it thinks about security problems, shifting to focus on areas that create the most amount of risk, rather than smaller, more niche threat areas.
"Our community overall – we're not yet living up to our potential," Stamos said.
"It's a critical moment," he said. "We've been asking people to pay attention to us for 20 years – they are now. We have the world's attention, what are we going to do with it?"
Stamos called out three key areas that the security industry needs to change. First, he said the industry needs to stop focusing on complexity and start focusing on the areas that cause the most harm to businesses. He said the security industry had focused most of its resources on solving the most difficult problems in security, but most of the damage came from more straightforward issues, including phishing, unpatched systems, password reuse and mass compromise, and abuse.
Second, Stamos said the security industry needs to stop punishing people who fail to implement solutions effectively or who inadvertently cause security incidents. Instead of blaming users, Stamos said the security industry should focus on building "nets under tightropes" for users facing security challenges by building better technology.
"Every single day we ask billions of people to walk these tightropes, and if they fall off, we just say that is the situation, and we can't do anything to help. This is a real problem for us and we have to put ourselves in the shoes of those we are protecting," Stamos said.
Finally, he said the security industry needs to become more effective in engaging the world. He said the security industry could use more humility and empathy when addressing companies and governments looking to make security buying or policy decisions.