Information security has evolved to become a huge business: Gartner forecasted its market value to be $150bn in 2021 as vendors around the world develop more and more tools to combat an ongoing, morphing threatscape. But as challenges continue to mount and stretch even well-funded infosec and SecOps teams, many experts are calling for more human-centric approaches that go beyond swelling arsenals and bolstered digital defences.
Among the most interesting organisations to have arisen against this backdrop is Cybersecurity Advisors Network (CyAN). Established in 2015 in Paris, this professional association provides an international platform that makes it simpler to identify, and communicate with, trusted advisors with the requisite skills that match organisations’ needs. Members tend to be proven experts in their fields, whether they are users or providers of cybersecurity. They should also crave a more secure digital world and are willing to share best practices, speak at events and work on projects.
“It’s a cybersecurity organisation that is not thoroughly focused on technology but different perspectives of cybersecurity,” says Jean-Christophe Le Toquin, CyAN president.
“Cybersecurity used to be handled by ‘the serious people’ and you couldn’t find a place or an organisation on cybersecurity across topics so having a transversal approach [was difficult]. Today we’re in a much more diverse environment and cybersecurity has become a lot more related to broader security issues in general. CyAN is a place that is open to diverse fields in the technology business but also communications, policy, psychology and beyond. The big ambition was to break the silos cybersecurity was suffering from and more pragmatically to provide members with an opportunity to develop their projects. It makes it possible to connect with different types of expertise that can be respected by hardcore specialists.”
Another planet
Le Toquin is a former Microsoft lawyer and director of its EMEA Digital Crimes Unit, which works to protect users from online threats, and chairs INHOPE, a global federation of 50 hotlines against child sexual abuse images and videos. He says he felt a new network was needed to help people open up and talk about what is a hugely complex challenge.
“I’m coming from another planet,” he says. “At Microsoft it took me seven years to meaningfully communicate with the security experts. The challenge is that we have this super-efficient, hardcore expertise but this [can lead to] silos and you can miss the big picture. Collecting people who are thinking more broadly [will help us to] understand threats and motivations and what people are looking to do. It’s about broadening people’s minds.”
So why is the state of security so reactive?
“People are lazy. They will take the easiest path to dealing with a solution but doing something easier does not necessarily mean better. It’s easier to buy an antivirus package and say ‘we’re secure’ but who’s taking care of patching and updating? At the end of the day, security is hard: it goes counter to [the classic business imperative of] going as quick as possible.”
Are new roles or new security team structures useful?
“I don’t think it’s a new role that’s needed,” says Le Toquin, “I think the roles need to be slightly redefined. The CISO is not thinking about the business, they’re thinking about security technology as opposed to talking to the business and their needs.”
What’s needed, he suggests, is a translation layer that sits between techies and the business:
“There are enough roles but we need to redefine the role of the CISO and help them talk to the business in a meaningful way. People stay in their comfort zones: the cybersecurity community started small with a homogenous set of guys and what you get is a very efficient group because people who are the same are coming with the same solutions. But you can end up with groupthink because there’s a lack of neurodiversity.”
Le Toquin says that CyAN remains of modest size, with over 80 members, but he is convinced that it can prosper and address “taboo” areas, for instance information-sharing ethics questions such as vulnerability disclosure, and the current “heavy pressure” faced by security experts that is leading to mental health challenges.
He is also looking for new ways to reach out to complementary people, including a recently announced alliance with security architecture specialist ECSA.
“At ECSA, all we do is architecture,” says Neil Rerup, president and chief architect. “We don’t get into the operations side or incident-response side of things. Everyone talks about SecOps and reacting to the hack but the problem with that is you want to prevent, not react. Traditional solutions have always been about ‘oh, by the way, we forgot security, we have to add it on’.”
Do networks such as CyAN augur the future of security? Perhaps: only by looking at challenges in the round do we stand a chance of creating longer-term solutions rather than chasing our tails and playing an eternal game of catch-up. As cybersecurity challenges show no sign of fading, we can expect more cross-cultural approaches. Certainly, the current proliferation of threats needs new models and combinations that look beyond code and propose creative answers to the desperately challenging questions being asked by bad actors.