Let me be clear right up front. Yes, cybersecurity threats are real. Yes, they are growing in volume and in sophistication. And, yes, they are the root of the problem. BUT, one of the underlying frustrations I have with the cyber-threat situation is that, in general, many organizations remain anything but creative and strategic when it comes to implementing effective security measures.
We see both extremes. At one end, we have strong security measures that create nothing but havoc and frustration for end-users. And at the other, we see companies implement incredibly weak security measures because they are so careful not to burden their customers with hindrances to the online experience. The net result is similar — users bear the wrath of the security measure, suffering either the pain of using it or the pain of not having it effectively protect their identities and online assets.
There’s no need to list the significant breaches that are occurring. Simply do a search on the term “Internet breach” and a host of government groups, media giants, online retailers and even security companies pop up based on the incredible cyber-threat activity we have seen in the past 12 months.
Equally, there’s no need to explain the user frustration with having to remember a host of complex passwords that need to be reset on a continual basis; answering challenge questions that are anything but intuitive; entering CAPTCHAs that are virtually impossible to read; or the employee challenges of forgetting/losing OTP tokens when it’s critical to VPN into the corporate network.
So what’s the problem? Too many threats and not enough effective security? The truth is, there are excellent technologies available to deal with the most advanced security threats today. But some of them are not easy to use, and organizations still see security as a necessary evil. So much so that many put off implementing it until they are forced to by regulatory compliance laws.
So what’s the answer? In my opinion, let’s take a page from the leading Web companies of the past five years. Let’s take a lesson from mobile OS vendors and implement features and capabilities that are relevant, effective and simple to use. We should hide the complexity and deliver on user experience.
Is this even possible in the security world? I say yes. Just yesterday, a colleague explained to me how Facebook implemented a new security process to regain access to your account. Instead of very basic questions and answers, they present random pictures from your social collage and challenge you to correctly identify people in pictures — easy and fun to do, hard for criminals to breach.
While many may know Entrust as “PKI geeks,” we’ve come a long way in the past 15 years. Today, we leverage our PKI and security pedigree in all we do, but it’s our innovation in embedding security in applications, devices and machines that makes it possible for our customers to deploy effective AND simple-to-use security.
I’d love to see more of that — in the industry, in our customers’ deployments and hopefully at RSA later this month. Entrust will be staging innovative approaches to leverage the cloud and mobile for best-in-class identity-based security.