The cybersecurity poverty line is a human rights issue • The Register
RSA Conference Exclusive: According to Jeetu Patel, Cisco’s executive vice president for security and collaboration, establishing some level of cybersecurity measures in all organizations will soon reach the status of a human rights issue.
“It is our civic duty to ensure that anyone below the security poverty line has a level of security, because this will eventually become a human rights issue,” Patel told The Register in an exclusive interview ahead of his RSA Conference keynote.
“It’s about critical infrastructure – financial services, health care, transportation – services like your water supply, your power grid, all of those things can go down in an instant if there’s a breach,” he said.
This idea of a cybersecurity poverty line – basically, those below the line don’t have the budget or human resources to implement security measures – was coined by Cisco’s head of advisory CISOs, Wendy Nather, at a previous RSA Conference.
Raising all businesses above the poverty line should matter, even for those already there, as people and organizations become increasingly interconnected due to software dependencies, shared data, hybrid work, etc., Patel said.
“We live in a holistic ecosystem where the weakest link can break the whole chain,” he explained. “A small supplier to an automaker who gets breached could shut down an auto company’s entire production line.”
Plus, “everyone is an insider,” Patel added.
Physical walls and software perimeters no longer separate people and information inside or outside the organization, he said. It also expands the potential attack surface as people and devices connect and share data with others outside the traditional corporate perimeter.
“And if we don’t take care of people who are below the poverty line, you can do whatever you want to protect yourself if you’re above the poverty line, but you’ll still be at risk,” Patel said.
Establishing security protocols in an organization requires sufficient budget to purchase products and employ security professionals who can defend against threats. However, influence also plays a role in separating security haves and have-nots, added Shailaja Shankar, SVP of Cisco’s Security Business Group.
“Large organizations that are above the poverty line have been able to negotiate excellent terms with their suppliers in this interconnected system,” she told The Register. “But when you’re a small actor, it’s very difficult for you to negotiate and you just take what your suppliers give you.”
Shared risk, shared defenses
As for how the industry ended up with a significant number of organizations below that line, there’s a lot to blame. It’s the internet’s fault for making us more interconnected, it is claimed. Complexity is also an issue: as security architectures become more sophisticated, they also become more complex.
And yes, Cisco executives admitted that the vendor community also bears responsibility for selling a plethora of products that don’t work together or don’t deliver on their protection promises.
Likewise, it’s going to take a collective effort to get out of this mess. Part of that involves security vendors contributing their expertise, donating, and collaborating to share threat intelligence.
To that end, Shankar cited Cisco’s Talos threat intelligence team, which operates security products 24/7 for critical infrastructure customers in Ukraine and provides free cloud security products to organizations in the war-torn country, as examples of what her company does.
Additionally, she added, Cisco is a founding member of the Cyber Threat Alliance. “We partner with over 30 different global security vendors and share threat intelligence that helps us protect customers and defend this digital ecosystem,” Shankar said. “Shared risk requires shared defenses.”
Business models also need to change, Patel said. “People will start thinking about protection, not at the level of the individual organization, but at the level of the supply chain – thinking of the ecosystem as a whole rather than what is in my domain,” he said.
This extends to vendors providing free or low-cost security to nonprofits and NGOs, and large corporations using their purchasing power to help smaller organizations improve their security posture, Patel added.
“I just don’t think it’s an overnight thing, but I think recognition is starting to hit people pretty hard,” Patel said. “A small supplier who makes a small component that might cost seven cents in a $100 item can literally stall the entire production line because they’ve had a breach. It’s a profound impact because billions, hundreds of billions or even trillions of dollars could actually shut down the feature if it was systematically attacked by the wrong actors.” ®