Cyber Attacks and Data Breaches: Who is Responsible for Security? | Intel Technology


(upbeat music)

- [Narrator] You're watching Cyber Security Inside, a video cast where you can discover what you need to know about cyber security. Here are your hosts, Tom Garrison and Camille Morhardt.

- Our guest today is Dr. Magda Chelly. She is a world-renowned cybersecurity leader, author, public speaker and serial entrepreneur. She is a Certified Information Systems Security Professional and a Certified Information Security Officer. So welcome to the podcast, Magda.

- Hello Tom, thank you very much.

I'm very glad to be here today.

- We wanted to spend our time today talking about responsible cyber security. So let's just start off with: what does that mean for you?

- The topic of cyber security has been in the news for many years.

However, we still are facing a very big challenge: the common public, or anyone, really understanding the impact of using technology and the risk associated with it. Responsible cyber is all about understanding the responsibility of everyone while using technology. It's not a matter of someone protecting you. You need to protect yourself first and then have the support of others to ensure safety online.

- Can you give examples of what you mean by responsible cybersecurity?

- Yes, absolutely. And one example that I really like to use is actually a very simple one.

We are all using social media, right? And on social media platforms we have settings, and those settings can allow us to configure certain controls, either for security or privacy. They are not preconfigured for us; we as individuals need to choose them and activate them. And that's a very good example of how the responsibility comes down to the individual, to the user, and they need to take that step in order to protect their accounts.

- But what about that group that doesn't really understand how technology works and may not really understand even the risk?

How do you tackle that?

- Our responsibility, as the cybersecurity industry's professionals, is to ensure that we align the explanations, and especially the awareness around those technologies, a little bit more, in a better and more acceptable way for anyone, any user. So we have commonly seen technical topics, or even articles in the news, talking about concepts that even certain technical people will not understand because they're specific to a particular domain. We're talking about acronyms that are also not easy to understand.

So if we would like to bring that awareness to the general public and ensure that users who are just using technology for daily activities understand the associated risk and take the right steps, we need to change the way we communicate around cyber security. We cannot use the same approach of, a little bit, showing off how much we know by using those concepts. We actually need to simplify and always take a step back and assume that the other person doesn't know our industry, our domain, at all. So for example, clearly we are sometimes talking, of course, about phishing.

Why do we assume that the person in the audience understands the term phishing? We cannot assume that. We need to completely forget about those concepts from our perspective and put ourselves in the perspective, or in the shoes, of someone who has absolutely no idea about our specific domain.

- It's not so much to have a goal of educating or making everybody aware and using appropriate or accessible terminology to do that. You're saying it's a step past that: the onus really needs to fall on the service provider or the goods provider or the information provider to either do a real-time awareness or real-time training, where it's sort of like, if you check this box, this is the implication, or to make some set of assumptions that fall under kind of what a reasonable person would want and then apply that with the ability to change, but not just sort of throw their hands up and say, well, here's a bunch of really complicated information and we're gonna default to collecting all of it unless you know what to check. Would that be a fair assessment?

- We are working and living in an ecosystem; we're not working in silos, and it is the responsibility of every stakeholder to help the other stakeholders within that ecosystem to protect not only the users but themselves as well. So what does it mean? If I am a customer and I'm using a product, I should trust that vendor or provider to give me the right support and the right awareness to make sure that I can protect myself online. I cannot just ignore the fact that every technology comes with associated risk and, for example, share complicated documentation and expect that user to be capable of understanding that and implementing it.

So it's a shared responsibility, a social responsibility that needs to be taken a little bit more, you know, at heart, or from the heart of everyone providing technology, not just trying to bring or delegate that responsibility to the users, because, as we said and Tom mentioned, they might not know. So take that further step and try to really help, rather than just, again, giving information but not really addressing the problem of ensuring the safety of the users.

- Part of what the industry has done is try to make the whole installation process so easy that they've taken the choice away. And they've just gone to, like, a one-click install and embedded in that a whole bunch of security selections and whatnot that need to go on. And so we've, like, vacillated in the industry back and forth between hyper-complicated and super, super simple, but then shielding the security element.

Do you think that there is a fine line that we can walk, where we walk customers through the implications of their choices from a security standpoint for the various applications? Do you think that's an option?

- I do think that there is a lot of advancement that we can make in the security and, in general, in the technology industries to achieve that. So make it, literally, first of all, by default. Security has been optional for so many tools that we are using, and still providers even require an additional payment without actually providing the clear reasons for that, or the implications, like you mentioned. So I think first and foremost we need to ensure that the service providers or technology providers actually build software, build tools, with security by default. Imagine building a house without a door or without a lock.

Is that even possible? No, it is not imaginable. However, we still do that when providing, for example, IoT devices without the possibility to enforce a password. So now this is an example, and the first point again: make security by default and not as an option afterwards. The second, of course: there might be several levels of security.

Certainly, for example, if you need a very strong door, I'm coming back to the analogy of the house, you might have several locks, and you might have special keys or an electronic lock that is very much more advanced. Now, if you don't need that, because you consider that you just need a simple lock with a key, because you're living in a safe country, because you don't have valuables in the house, you might choose that option, but you understand very clearly the difference. So if the software or the tool is built with security by default, you then have the second step, which would allow the users to choose the level of additional security required depending on their environment, context requirements, as well as usability requirements, for example. In certain cases that is something that commonly creates challenges with security professionals: it goes too much into solutions that are too secure, in brackets, right?

So it becomes non-usable for the traditional user. So I think the two points: first, we need to ensure that we build the technology with security by default. And second, whenever we are allowing options for the users, not only do we need to make sure that we make them very clear, so, like you said, understanding the implications, if yes or no, of making a certain choice, but as well that we make it perhaps more adaptable to different levels of security, depending on the user's use case in general.

- It seems to me it's not always the case that the incentives of the end user are the same as the incentives of the provider.

In your opinion, is it enough to say this is a social responsibility and the tech providers need to make this clear and help people make decisions, or is there just an inherent conflict that arises in some senses? I mean, I can think of collecting data, for example, where there's too much motivation on the part, maybe, of the tech provider to encourage the person to allow the collecting of the information. And so do you think that we need more stringent standards or regulations to actually make sure it's happening? Do you have an opinion on that?

- Whenever we want to change the overall ecosystem that has been there for many years already, functioning in a certain way, and accelerate the maturity and perhaps enforce the social responsibility, we need to have a certain framework, or at least regulatory requirements, to force that. What I have been working on, for example, with a lot of my clients in general, is that I bring awareness around why you need security clauses in the contract.

It's not only about trust with your service provider. It is also ensuring that things are done and aligned with your expectations when everything goes well and when something happens. So whenever we are talking about the social responsibility, in a perfect and utopian world, yes, everyone would care and would do what is in the best interest of the users, of everyone, and find a consensus. We are not there; we are in a commercial world, where of course, if we have a company, we try to bring additional paid services, additional, like you said, monetizing data, or do any other related activities that help us to increase that revenue. And therefore, if a company has a certain, I would say, ethical behavior, there's still a balance to reach.

But I do believe that in order to enforce that, we need to have additional, not only regulatory frameworks, but laws and regulations in general that put a stop to that and ensure that there is actually protection of the individuals, protection of the users in general.

- A quick follow-up question would just be: what are those thresholds that a society should look at in order to know that it's time to add that?

- A debate, Camille. I think it will take hours and hours to answer that. I don't think it's a black-or-white answer.

I think it very much depends, and like any law and regulation, it is the result of a lot of research and many lawyers coming together in order to understand what is the best way to address certain challenges. And especially when it comes to data privacy or data security in general, we have seen that privacy laws took many years, and in some countries they are still not enforced because of the challenges that it leads to. Companies cannot, in a matter of days, implement certain new aspects for their businesses. And the same would apply if we just enforce something else around general security. If we put in place a law, we need to make sure that the companies and the users are able to implement it.

And I'll give you a simple example. This is a personal opinion. If we force companies to have a chief information security officer for every company, we need to ensure that there is the supply.

If we don't have the supply, we cannot have a law that enforces that. So again, it is a very hard question to answer, and I do not think that it's either simple or trivial, but it is, I would say, a long collaboration and work together with the right people, legal and privacy professionals, that would help to achieve this particular balance.

- So you mentioned before that when you meet with your customers, you coach them about, like, what sort of clauses to put into their contracts.

- Very often I have clients using outsourced software development companies, and those software development companies might not have the right secure coding practices. So very clearly, as advice, I'd recommend those clients to actually add clauses that enforce that, and enforce, for example, the training of the developers.

So at least you know that the software is built to a specific standard. On another topic as well, there are two other aspects that I really like to recommend. One is incident response. So what happens in case of an incident, a cyber attack or a data breach, not only from a notification perspective, but if the supplier or the provider has the breach, what are the next steps and what is the requirement from the client, or what are the requirements from the client. And the last one is around actually managing security vulnerabilities. So this depends, of course, on the particular service provider or product.

But I do encourage my clients to actually include all these security updates as a complimentary, free service as part of the contract, rather than coming in front of the situation and then the provider asking for additional fees because it's not part of the initial scope.

- As your clients are now insisting on these kinds of clauses being added to the contract, is there pushback on this, or is this generally accepted by the providers?

- It's generally accepted, but I would say it also relates to the fact that when you are a client, you basically have a little bit more power over them because you are buying. So you have the capability to say, those are my expectations and I want that to be achieved.

But again, it depends on the context as well. If you already signed a contract and you are renegotiating, that might require a different communication, and perhaps it might not be as easy as when you have that expectation from the initial negotiation and initial scoping and contractual discussions. So I would say, yeah, it's mostly implemented if it's a new contract, very much easier. And if it's a renewed contract where those costs were not included, then it might be a little bit more challenging, but it's all about how to bring that communication and discussion with your vendor or supplier, who is supposed to be your partner. So I always encourage a partnership relationship. So just not come up with only expectations.

Well, explain why it's important and perhaps try to find a way to make sure that it actually brings that visibility. That is for the good of both, because when something happens, then the consequences are not only on the client but on the service provider as well.

- Magda, I know you focus a lot on diversity and inclusion as it relates to cyber security. I'm wondering if you can explain to us why you think that's important in this field?

- In the latest years, we have seen statistics about really very low numbers of female professionals in the cybersecurity industry. We're talking about 11% and then 20%.

And of course those statistics not only are low in general, but they also discourage, perhaps, the younger generations from getting into the field. And I do believe that cybersecurity is extremely interesting. I'm passionate about it, learning every day and discovering different things. So I would really like to see more diversity in the field, and not only from the gender perspective, but just in general. Why? Because it's very, very interesting. And as I mentioned, it allows you to learn continuously.

Now, it means that in order to achieve that diversity, we need to have role models, and those role models encourage the younger generations, like I mentioned, but as well, for example, young girls in schools that did not previously see professionals in cybersecurity leading or having exceptional careers or providing really the services that we provide today, right, in general. So diversity and inclusion is not only very important to achieve much more, again, like capabilities, opportunities, to drive more innovation, but as well, we need that in order to drive the younger generation into our field. If not, it just continues to be very non-inclusive and non-diversified.

- In a strange way, it ties back to what we discussed earlier, which is that sort of awareness on cybersecurity and making those intelligent choices as you have, you know, whatever the product or service that you're installing, that you're making the right choices. There's a level of awareness that you need. And we could sort of also not only educate for that purpose, but educate earlier in schools and get females and minorities and whatnot that are underrepresented today, get them excited about cybersecurity.

- I have seen some initiatives that start, you know, bringing awareness into schools as well. You know, in Europe, for example, in Germany, I've seen, like, cybersecurity for kids. I have seen as well initiatives for diversity, including, again, in Europe, for, I would say, advanced, where there are, like, for example, role models, discussions; there are certain initiatives that help. But I would say what is the most effective are initiatives around scholarships. I really like them personally.

So whenever we try to bring that awareness, we need to ensure that there is some practical outcome. So if we bring awareness to schools, maybe we have, again, like, awareness online for online safety, with courses, regular boot camps, or, you know, like, there's games, there's a lot of kind of very fun and engaging stuff for kids. And then if we wanna go further into the next level, if we're talking about teenagers, we need to ensure that we provide them some initiatives that help them understand what cyber security is, how many domains there are, what it actually means to be in cyber security. Because very often what they hear is, oh, is it only to be a hacker? No, cyber security is much, much wider. I love hacking personally, but it's not the only domain.

There are many other things that you can do. And a teenager who maybe is thinking about their future career and university studies might not have any clues about that at all. So I think there are several layers and levels where we can address this awareness, from the very, very young until, you know, whenever the kid grows and starts to try to make a choice.

So we are going in the right direction, but like everything, it'll take time.

- Has it not gotten as much attention in the past because it's a standalone thing sitting in its own area, like computer science, versus saying, I'm not interested in computer science, but I'm doing aeronautics and astronautics, and now I'm very interested in cyber security because, you know, it relates directly to my field?

- I think both are needed. But what we have seen during the last years is that there is a clear disconnect between cyber security and business.

Whenever we are talking about cyber security, we're talking very often about vulnerabilities, technical concepts, or reporting to boards, even, on things that they cannot understand. So this disconnect needs to be closed. If not, we'll never achieve the outcome that we want to achieve, which is reducing the risk associated with the technology that we are using, from cyber attacks and data breaches. So if we are, for example, learning artificial intelligence, we should be able to learn as well about the associated risk, and cyber is one of those risks, in order to, of course, efficiently implement that technology afterwards and maximize its benefits and its usage.

- I feel like we could go on for a while on this topic, but we don't have infinite time on this one. But we do have one segment that we always like to close on, and that is called fun facts. And so I wonder if you have a fun fact that you'd like to share with our listeners?

- One of the very interesting activities of myself and my husband is actually to ride camels on the beach in Tunisia. (chuckles)

- Is that comfortable?

- Well, yeah, not bad, not bad, it's entertaining. (chuckles)

- [Tom] Oh my gosh.

- It's definitely entertaining.

- Very cool. How about you, Camille?

- Since summer has officially started, I have a very fun fact.

Here it is, are you ready?

- [Tom] I'm ready.

- Why did the cantaloupe jump in the swimming pool?

- [Tom] I have no idea.

- It wanted to be a watermelon.

- Oh, Camille. I knew it was gonna be something like that.

And it just, it had to be. All right, so my fun fact is short and sweet, and I thought very interesting. Did you know that in badminton, the top speed ever recorded for the shuttle is over 300 miles per hour?

- I thought it was like 55 miles an hour.

- So anyway, cool stuff. All right, well, hey Magda, thank you so much for joining us today on this topic of responsible cyber. It's a great topic, and I think we can all take a little bit away from this conversation.

- Thank you very much, Tom. Thank you very much, Camille. It was my pleasure to be here today with you.

- [Narrator] Thanks for joining us for Cyber Security Inside.

You can follow us here on YouTube or wherever you get your audio podcasts.

- [Announcer] The views and opinions expressed are those of the guests and author and do not necessarily reflect the official policy or position of Intel Corporation. (upbeat music)

2022-08-24 05:55
