RSA Conference 2019 kicked off with a visionary call to action by RSA leadership Rohit Ghai and Niloofar Razi Howe. Ghai and Howe described two alternative paths society could travel in terms of security; one is chaos and the other is trust. Chaos would be born from resigning our judgment to others on matters of artificial intelligence, biologically infused tech, and security. Trust, on the other hand, could result from each of us being accountable and transparent to each other about the risks we pose.
Ghai and Howe warned that our current path of making opaque assurances about our security, or of innovating at all costs, creates a culture of resignation to the fates. Either we swallow the DNA-reading nano-cybers to cure our diseases, or we assure our privacy and fall ill. Either we lie about how impervious our business is to hacking, or we lose customers. Certainly these trade-offs resemble our current thinking about the powers and hazards of information and automation, but they are not necessary. We should be honest about our limitations and risks so that people and businesses can make informed decisions about the risk they will engage in when they work with us.
The nature of trust, RSA asserts, comes from transparency about the value we provide and the risks we pose to others. Their call to action that morning was to use risk management to appraise our capabilities and our limits, and to communicate transparently with those who rely on us.
An organization may not be able to guarantee that hackers will never get their customers’ data. But they may be able to demonstrate that foreseeable attacks on the data are prevented and detected. Now their customers can make informed decisions about working with an organization that can stop anything but persistent well-financed attackers.
A developer of medical devices that collects and transmits health data may demonstrate that their devices operate safely even while experiencing system failure or attack. But they may also inform patients that the safety controls may occasionally leak information about the patients’ condition. The patients can then understand the trade-off.
And when a failure does occur, the organizations notify the public, they protect those who may be harmed, and they address the root causes of their vulnerabilities.
This, RSA states, is the nature of trust. Honesty, transparency, and accountability.
This is refreshing to hear from leaders in an industry that too often makes promises that it cannot deliver.
So what can you do to achieve RSA’s vision of trust?
- Consider others in your risk assessments. When you evaluate the security of your environment, gap assessments, audits, and maturity models aren’t enough. Those assessments look only at you. But security and operational failures harm more people than just you. Estimate the risk of harm to yourself and others (the public, customers, clients, employees) using risk assessments instead. Trust should be based on your concern for others whom you may harm.
- Remember that “acceptable” risk must be acceptable to everyone. Risk assessments allow organizations to decide when risks are acceptable. Your risk acceptance criteria must consider whether you and any potentially harmed person would accept the potential of harm. Trust should come from equating your well-being with the well-being of others.
- Risk is about reciprocity too. While your security controls are meant to protect you and others, your controls should not create more of a burden than the harms they are meant to prevent. Trust should be based on a common good.
- Be honest about your strengths and limits. Doing business with you is worthwhile. People and businesses are willing to go out of their way to benefit from your services and products. But they need to know whether it’s worth the risk. If they know that there is a small chance of some harm, they can weigh that against the large chance of large benefits. They can weigh that risk for themselves. Trust requires transparency.
- Engage others to keep them safe. Many risks that we expose others to can be mitigated with some help. If a key vendor cannot provide a certain level of security, work with them to find a mutually workable process. If extra vigilance helps keep a vital system operating, work with your customers and clients to maintain and monitor that system with you. If your network design permits excessive traffic to partner networks, work with those partners to keep that traffic to a minimum. Trust is also about responsibility.
RSA’s keynote message was enlightening and refreshing. We should stop choosing between binary extremes where we either promise to be perfectly secure, or we throw in the towel completely. We should instead honestly review the risks we create to ourselves and others, and demonstrate to the public how much we can protect them. This allows the marketplace to choose what risks are worth it and which are not. It helps us choose which safeguards are beneficial or overly burdensome. And it helps us understand that we can’t delegate risk to others; that we must mutually engage that risk honestly.