When we look around today it is fair to say that almost everything we see has been shaped by the combination of Governments, regulators, vendors and consumers continuously improving the products and services that we use.
Your trip to the office, home, school or shop today, whether by car, bus, bicycle or, yes, even on foot, has benefited from many years of functional and safety innovations and improvements.
The room you are meeting in has been shaped by health and safety considerations on maximum room size versus the size of the exits to allow a timely escape in the event of an incident. The materials to build and furnish the room are tested for structural, wear, chemical and fire protection and performance.
But what has not gone through the same security improvements is the technology you are using. Your mobile phone, your tablet, your computer: they have gone through enormous technical changes, enormous functional changes and enormous cost improvements, but sadly security has not followed the same improvement curve.
Consider this: when you purchased your phone, nowhere did it state any warning about the security of your personal details or the protection of your identity. Nowhere would you have been able to find a commonly accepted certificate of security conformity or security testing. Electricity – yes; environmental waste disposal – probably; security – absolutely not.
So we should stop and ask ourselves why technology security has followed a different improvement trajectory.
- First is the pace of change. It is sometimes hard to comprehend how much technology has changed in such a short amount of time. The shelf life of products is short; the effects of Moore's law can be seen everywhere, and because of this the cumulative impact of innovation built on innovation is breathtaking.
- This cumulative innovation impact makes technology more usable, more comprehensive, more available and at the same time a lot more complicated – simplification for the end user equals increased complication for the technology vendor – and increased complexity does lead to increased security risk.
- Ubiquity has led to complacency. Today we take technology for granted. We do not really consider the power of what we are using, the interconnectedness of the device, or the global supply chain that delivered the device and the experience, nor do we consider the number of hands and prying eyes that have the ability to interact with our personal technology and the data we store.
All of this leads to a lack of comprehensive knowledge of the technology among policy makers, regulators, buyers and users of technology. This lack of knowledge of how technology has been built, or should be built, and of what good security looks like leaves the buyer, whether it is a consumer, an enterprise or a government, helpless in deciding the good from the bad.
I started off by saying that the interplay between regulators, vendors and consumers has driven quality up, innovation up and price down. What is missing in technology is the knowledge of policy makers, regulators and buyers of technology to make informed decisions about security. This lack of knowledge manifests itself in the reality that few people are able to specify in any level of detail what security capability they want their vendors to have or to build into the products and services they create. This in turn has not created the pressure on vendors to improve their security capability at a similar pace to that of functional, other quality and cost improvements – hence the divergence that has been created over many years.
Much good work is going on around the world to address cyber security laws, but we must be realistic. It can be hard in a single country to introduce new laws. It is even harder in a region such as the EU with 28 member states; it is a lifetime journey to achieve some laws on an international scale. But we do not need laws to make progress. Good progress has been made on improving the standards and knowledge of users of ICT by the new versions of the ISO 27000 standards, the work of NIST in the USA, the Open Group and ENISA in Europe. No work, as far as we can see, has been done to start the process of helping the ICT industry improve the inherent security of their products by creating the demand from buyers for better product security. To do this, buyers need to know what questions to ask of their vendors.
Today I have published our latest white paper and you can find it on our website here:
"100 requirements when considering end-to-end cyber security with your technology vendors"
We are blessed as a company to be operating in 170 countries and to have customers using our technology who support over one third of the planet's population. This global insight provides a richness of culture, a wide understanding of requirements and laws, and a comprehensive view of the differing approaches people take to managing risks. Our campus in Shenzhen, China, is home to over 30,000 employees and is also our headquarters. Here we host guests from around the globe on a continuous basis. Every day large numbers of customers, politicians, government officials, experts and the media come and visit. We show them our exhibition centres and our manufacturing; they sit down and talk with us, work with us and, importantly, eat with us, and through this closeness we detail everything we do – not just on security.
From this intimacy and this openness we take our guests through the approach we take to end-to-end cyber security and from this we have captured their questions, their thoughts and their concerns. This knowledge has formed the basis of the Top 100 questions detailed in this white paper.
We set out to detail the most frequent non-technical questions we are asked by our customers and other stakeholders when it comes to cyber security. In this context, "most frequent" also means the ones that generate the most conversation or review or follow-up questions.
We have taken "poetic licence" to tweak the questions posed to us to make them generic. We have also added questions to reflect the latest issues, such as the Snowden revelations, and filled in any gaps in the questions to make each section cohesive. We fervently believe that the more demanding the buyer, and the more consistent buyers are in asking for high quality security assurance, the more likely the ICT vendors are to invest and raise their security standards.
Whilst this white paper is a start, we are delighted to be working with the EastWest Institute (EWI) on cyber security, and to announce that the EastWest Institute has agreed to take this initial Top 100 and, using its extensive knowledge and networks, shepherd the evolution of updated and more tailored versions. We look forward to the Top 100 concept becoming an integral part of a buyer's approach and helping the ICT industry drive to greater improvements in product and service security design, development and deployment.
Together we can augment the quality of security considerations in technology products and services, and from this we can collectively do more to enrich people's lives through the use of ICT.