This weekend in Las Vegas, the huge cybersecurity event Black Hat USA kicks off, followed immediately by the other big cybersecurity event of the year, Def Con. There are always some big hacker stunts at these events — hackers already broke into a voting machine as a Def Con demonstration. But after a year of major data breaches, there's also a sense of security fatigue. Chester Wisniewski is a principal research scientist at Sophos, a security firm. He talked with Marketplace’s Molly Wood about how security fatigue is affecting business. Below is an edited transcript of their conversation.
Chester Wisniewski: It's a complicated thing. I mean, security in the end for a business ends up being insurance, and selling insurance is hard. Like, I want you to pay me, and if everything works correctly, you won't notice anything, yet if you pay me, and it doesn't work correctly, then you're going to be really upset, because you spent all this money, yet it didn't do what you paid for it to do. Sadly, we have to try to find ways of relating that message, that preventing fires in your warehouse is a good idea. It's just hard to prove the value to a business.
Molly Wood: Is the sense that nothing is working actually fair? I assume security products must have gotten better, right?
Wisniewski: Absolutely. I mean, we're getting better all the time, but we're also kind of coming to a point where we're recognizing a big labor shortage in this space as well, and products can only do so much. I mean, products in the end are just tools, and you need pretty smart people to use those tools and interpret the results of those tools to really know what's happening in your organization. With hundreds of thousands of job openings in security just in the United States alone, companies are facing a lot of financial pressure for how much wages are going up and to fully staff their departments. I do think we are improving, though. You look at the amount of information that's encrypted that is transmitting over the internet these days, and the vast majority of it's now encrypted, where it wasn't five years ago. We're making really good progress.
Wood: Are the products evolving, then, into more like security as a service?
Wisniewski: Yeah, I think there's been a lot of evolution. For smaller businesses, they've been moving a lot of their data to the cloud, and I actually did some research that to my surprise showed U.S. websites are being hacked less frequently to host malicious content. As I dug into it, U.S. small and midsize businesses are now moving a lot of their hosting into cloud providers, and whether that's Google or Amazon or Microsoft, all these companies that are providing these services are way better at securing those platforms than an individual small business with 25 employees.
Wood: What effect does security fatigue have on readiness within companies? Are people letting their guards down?
Wisniewski: Yeah, I think many organizations that I'm talking to are spending upwards of half of their security resources complying either with regulatory rules or responding to executives responding to what they saw on cable news or read in the paper in the morning. So we're having to respond to these things that aren't really necessarily relevant to how we need to protect our organization and our customers' information. So it's certainly been kind of a drag on our efficiency.
Wood: Do you ever feel worn out?
Wisniewski: I do and I don't. I mean, I'm optimistic in that I think we really are making progress, and I'm very frustrated with a lot of the media out there because it does feel like we're losing. It's another Russian hack, another data breach, and it's quite depressing. Of course, law enforcement and government lags five to 10 years behind the industry, always, just in that it's not flexible, so people feel like they're not reporting crimes, and because they're not reporting crimes, we don't get the funding we need for cyber cops to actually investigate these crimes. Because you can't just go to Congress and say we need $4 billion for more cyber FBI agents if you can't prove that there's a giant problem.
Wood: Just as a side note — would it be more helpful to your industry if there were a cybersecurity czar in the federal government?
Wisniewski: It couldn't hurt. I mean, we've had them in the past. The problem the government has with that is that historically, they've tried to sort of be a central broker of information to assist with information sharing. But in the post-Snowden world, nobody trusts the government, and nobody wants to share anything with the government. You have to take security and privacy as two separate things. I think there's a giant hole in the United States in that there is no federal commissioner for privacy to oversee the abuse of the data when it's not protected correctly. I mean, whether you have regulation or not, it's more — pretty much every country has a privacy commissioner aside from the U.S. The role of oversight in the U.S. ends up being scattered across 16 different agencies. That needs to be centralized more, because it applies to nearly every industry now.
The other important role that's really missing in the U.S. that's very concerning is just the government itself is so unbelievably insecure and falling so far behind. All the attempts that have been made at improving it unfortunately end up being more of the red tape that gets in the way, where you're spending all your time filling out forms and none of your time fixing any of the problems. You know, we've been waiting for that new IRS system from the '80s to come online for 35 years now. So if they manage to finally get it to work, we'll have a brand-new 1987 system. That kind of stuff is quite concerning, because obviously the government holds tons of information that's not just important for national security, but obviously for our individual privacy as citizens.