Initial thoughts on the ill wind blowing through infosec teams across the country:

1. The overall security quality of enterprise IT products is terrible and that is the responsibility of every F500 CIO, CISO and board for creating the wrong incentives. I include myself in this.
You might call it the "Gartner Effect": the way we qualify, test and choose enterprise IT vendors is faulty. Vendor risk management is an invisible, incredibly expensive and mostly useless process as executed by most companies. When decent, it happens too late in procurement.
As a result, there are dozens of companies that represent critical, systemic risk across the public and private sector and most of the "security community" has interacted with none of them. The outside pressure that has pushed consumer IT to improve does not exist for most of IT.
There have been attempts by Google, BITS and others to better coordinate vendor risk management but none have really taken off. We need a deeper focus on security program maturity and transparency up and down the stack.
2. We desperately need an NTSB-like function for cybersecurity failures, probably housed in CISA. I expect that shareholder lawsuits have already been filed against SWI and FEYE and thousands of hours will be spent on depositions and discovery only to enrich class-action lawyers.
If we had a liability carrot-and-stick approach, where these reviews were conducted by professional staff, penalties were applied by a competent regulator, and we had 400 public pages to read on the root causes in six months, other companies could learn and improve.
I talked about my own experience with this at Yahoo last year, and what an incredible waste the post-breach investigations turned out to be. (Remember conferences?)
3. The investment our government puts into offense and intelligence gathering versus defense is spectacularly off. @C_C_Krebs built a great org with CISA, but they have something like 2,000 employees for the entire critical infrastructure and cyber mission. NSA has over 40k.
I hope the timing of this reveal means that the Biden administration and Congress will really think about investing in defense and motivating companies to be responsible in 2021. I also hope we see some defensive operators in key administration cyber roles.
I love me some "cyber lawyers". I work with them, respect them, and I think a legal background should definitely be represented in these roles. But maybe not all the roles... we aren't going to indict and sue our way out of this problem.
You can follow @alexstamos.