AusCERT 2019: How security teams can evolve to win friends and influence people

Armed with possibly the best job title ever given to a security professional - Security Empress - Jessy Irwin took a very non-typical path into the world of cybersecurity. With a background in history, languages and archaeology, Irwin looks at security challenges through a different lens to many of her peers. Her keynote presentation, which kicked off day two of AusCERT 2019, started by questioning what security is.

Irwin describes her role as protecting software from people and people from software. As she moved from her initial career into a new path in Silicon Valley, she realised that the problems people wanted solved were different from the ones security teams were focusing on. She sees security as a lot more than finding bugs in software.

By looking at how humans work, Irwin said we should be designing security for what we know about people and not against them.

"For example, if we know people are going to do awful things with passwords, we should probably just plan systems around awful passwords and see what we get out of it," she said.
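One way to read "plan systems around awful passwords" in code is a login policy that assumes weak choices and guessing rather than trying to legislate them away: reject only passwords already known to be compromised, impose no composition rules, and throttle failures per account. The following is an added illustration written for this article, not code from Irwin's talk or from 1Password; the breach list, the attempt limit and the time window are constructed for the example, and a real service would query a breach corpus (for instance the Pwned Passwords k-anonymity API) and persist the counters.

```python
"""Login policy that assumes users will pick weak passwords.

Added illustration, not code from the talk. The breach sample and the limits
below are assumptions made for the example.
"""
import hashlib
import time

# Constructed sample of compromised passwords (stand-in for a breach corpus),
# kept as SHA-1 digests so the plaintext list never sits in the service.
_KNOWN_BAD = {
    hashlib.sha1(p.encode()).hexdigest()
    for p in ("password", "123456", "qwerty", "letmein", "welcome1")
}

MAX_ATTEMPTS = 5        # assumption: failures allowed per window
WINDOW_SECONDS = 900    # assumption: 15-minute window


def is_compromised(password: str) -> bool:
    """True if the password appears in the known-breached set."""
    return hashlib.sha1(password.encode()).hexdigest() in _KNOWN_BAD


def acceptable_password(password: str) -> tuple[bool, str]:
    """Accept anything of reasonable length that is not known-compromised.

    Deliberately no composition rules: forcing a digit and a symbol mostly
    yields 'Password1!' and more reset tickets, not stronger secrets.
    """
    if len(password) < 8:
        return False, "too short"
    if is_compromised(password):
        return False, "appears in a breach corpus; choose another"
    return True, "ok"


class LoginThrottle:
    """Per-account failure counter: guessing is expected, so slow it down."""

    def __init__(self, max_attempts: int = MAX_ATTEMPTS,
                 window: float = WINDOW_SECONDS, clock=time.monotonic):
        self._failures: dict[str, list[float]] = {}
        self._max = max_attempts
        self._window = window
        self._clock = clock  # injectable so the window can be tested offline

    def _recent(self, user: str) -> list[float]:
        """Drop failures older than the window and return the live list."""
        now = self._clock()
        kept = [t for t in self._failures.get(user, []) if now - t < self._window]
        self._failures[user] = kept
        return kept

    def allowed(self, user: str) -> bool:
        """Whether another login attempt may proceed for this account."""
        return len(self._recent(user)) < self._max

    def record_failure(self, user: str) -> None:
        self._recent(user).append(self._clock())

    def record_success(self, user: str) -> None:
        self._failures.pop(user, None)
```

The throttle keys on the account rather than the source address because credential-stuffing traffic arrives from many addresses; pairing it with the breach check means a user who picks something weak but not yet leaked is protected by the attempt limit instead of by a rule they would work around.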

She also thinks security is often a usability problem, and that many security mishaps stem from mistakes rather than sneaky, overseas nation-state attacks.

So, what is security? Irwin says humans have been thinking about security since the first settlements were formed over 17,000 years ago. People built walls and created strongholds for storing their wealth. Security isn't a huge technology problem - it's about people. She highlighted how our personal beliefs can influence the decisions we make about security by discussing the passion that is ignited when people argue over which password manager is best - a topic that came up often when Irwin worked at 1Password.

And the issues of protecting communications aren't new either. People used wax seals and letter locks - an ornate form of folding - to prove the identity of the sender and to reveal interception or tampering. Today we use encryption to achieve similar outcomes, ideally end to end.

The behaviours we exhibit to secure our assets and communications aren't new. But the tools and technology we use are different. That means we can rethink how we create applications and design security in order to work with how humans typically behave. And that leads to challenging some of the assumptions security teams have.

One question Irwin encourages security teams to consider is where power comes from. Borrowing from political science, she said states have two different tools for exerting influence: military force or diplomacy. Security teams don't have armies, so she said the 'power' a security team has comes from whether it is a team that says 'yes' or 'no'.

Being a Department of No leads to disgruntled users. Giving the security team the power to veto software releases over relatively low-risk issues leads to security being sidelined or seen as a problem. A security team that instead empowers developers and users to pursue new ideas safely, by engaging with them and being service-focused, creates a very different culture and outcome.

Irwin implored security people to think more like users and less like attackers. That means not assuming you need to know everything - or acting as if you do. Looking back at some of the great philosophers in history, Irwin suggested taking a Socratic approach: ask questions, learn, and put yourself in the user's shoes.

Security professionals need to think about how they educate users. Rather than imposing rules on developers, plant the seed of an idea and let people come to their own understanding of how to behave more securely.

For example, Irwin asked developers to help trace bugs in software. While thinking about how to automate bug detection, the developers came to the realisation on their own that changing their development practices could reduce the number of bugs in the first place.

"It's a much better place to be if we are coaching people through solving problems and giving them the critical skills they need for thinking and problem solving rather than just dragging them through and giving them checklists and forcing them to do as we say. Nobody likes that".

There were a number of other things Irwin advocated. By sharing knowledge, being prepared to take incremental steps along the road to improving security and marketing your skills, security teams can build better relationships with their clients as well as drive towards better outcomes.

By burning down silos and working cross-functionally, security teams can draw on the skills of colleagues in other business functions such as marketing, legal and finance. In doing so, they better understand how people work and can offer services that better meet their needs.

Irwin had three final pieces of advice that summarised her philosophy.

  1. Look for ways to partner with other teams
  2. Be fun, welcoming and inviting to people outside the team
  3. Use inclusive language, avoid jargon and use human terms

