Expert: Safety Will Trump Compliance In Future Security Conversations

Cybersecurity activity today is being driven by laws and regulations because of insufficient attention being placed on best practices, according to one industry expert.

It remains possible today for cybersecurity behavior to be driven by laws and regulations since businesses are still primarily concerned about the security of their environments, said Candy Alexander, a cybersecurity consultant and virtual CISO. But she said the challenges of tomorrow will be discussed in different terms as autonomous vehicles and Internet of Things-enabled biomedical devices become more pervasive.

"It's really going to be a safety issue," Alexander said during a keynote address at XChange University: IT Security, hosted by CRN parent The Channel Company. "It's going to come to be an issue of personal safety."

[Related: Expert: Rogue States Haven't Been This Aggressive Since Pirates Roamed The Seas]

Some 20 billion devices are expected to be in the Internet of Things world by 2020, Alexander said, with everything from refrigerators to lighting and heating systems connected to the internet. And the risks associated with IoT increase exponentially as the target for malicious activity evolves from a refrigerator to IoT-enabled biomedical devices such as insulin pumps, infusion pumps and heart monitors, she said.

But just like smart refrigerators, Alexander said security isn't incorporated into the product development of biomedical devices and autonomous vehicles. The industry must therefore take a look into how to start addressing the challenges associated with keeping these smart devices secure, according to Alexander.

"We're seeing the thoughts and threads of tomorrow's security challenges in our world today," Alexander said Wednesday at the JW Marriott Hill Country in San Antonio. "It's really important that we start looking at those and understanding what they are before they come fully on board onto our plates."

Some medical facilities have moved to bolster security through micro-segmentation, which Alexander said is the principle of putting like devices on like networks. For instance, Alexander said one hospital did a major rearchitecture to put all of the biomedical devices on one network, all of the doctors' and nurses' endpoints on another, and so on.

"You have to contain these things," Alexander said. "You have to break it down."

The biggest skill set deficiency as it relates to addressing cybersecurity challenges in emerging fields such as IoT, artificial intelligence or cryptocurrency is around application security, according to Alexander. The industry really needs to start pushing and driving people into application security to ensure that product development incorporates a secure software development life-cycle process within it, she said.

In addition, Alexander said security professionals need to be able to think like a hacker or malicious user in order to properly defend against them. Specifically, she said companies need to remain attuned to risk perspective, keeping in mind that bad actors are more likely to go after a factory-set password that's never been changed rather than going through a multistep process to break into a user's environment.

Part of thinking like a hacker, Alexander said, is going beyond traditional sources of education such as in-person training sessions, professional and industry events, and online training and taking advantage of unconventional training sources such as Google searches and YouTube videos.

Malevolent actors are far more proficient than benevolent actors at sharing knowledge, Alexander said, and it's therefore vital that security professionals start using their resources and getting information the same way that hackers do.

"You have to think outside the box," Alexander said. "Once you understand how they're doing it, you can stop that from happening."

Security professionals need to spend more time thinking like a bad actor and learning about how things like the dark web work, according to Crystal Sharpe, centralized services and security provider at Muskegon, Mich.-based Next I.T. To better think like a hacker, Sharpe said she plans to visit different forums on Reddit and watch YouTube videos to see how they get things done.

"She [Alexander] definitely put a different perspective on things," Sharpe said. "We need to think about the bad people to protect the good people."