by Lou Steinberg
“I don’t know you well enough to trust you,” said Chet. Chet was a division General Manager at a $1.5B company and I had just joined as the company CTO. His words, based on the concept that trust is earned, stuck with me. I agree that, for a handful of deep issues, trust must be earned. Most of the time we over-specify the level of trust needed without considering the cost of earning it.
We Have Trust Issues
Cybersecurity professionals have significant trust issues. Business executives don’t trust that we will invest prudently in mitigation. We, in turn, don’t trust users; until proven, we default to not trusting.
This is the polar opposite of what business teams want. They want agile development to streamline rapidly changing requirements. We impose controls. They want design thinking and digital transformation to simplify the customer experience. We have models like “challenge-response” and “zero trust.”
High-friction approaches are anti-digital. Instead of putting customers in the center, the current approach assumes customers are hostile and makes them prove otherwise.
Minimizing vs. Managing Risk
The kicker is that the business teams are right, at least in terms of frequency. Most users are trustworthy. Regardless, we apply collective punishment controls and penalize their experience. It’s true the impact of a few bad actors can be high, but the impact of many more good actors consuming our services is high in the positive direction; it’s why our firms exist.
The result of under-appreciating positive impact is that most security teams seek to minimize risk instead of managing it. Business teams measure and manage risk every day: supplier risk, market risk, sales risk, etc.
Cybersecurity is different because our measurement isn’t a weighing of risk against upside; ours is about avoiding failure. Businesses mine the unknown for opportunities while we assume the unknown is untrustworthy.
No wonder we can’t seem to align!
Changing Our Mindset
Getting aligned will require cybersecurity to adjust to the business, not the other way around. What do we change? To start, we need to stop assuming that customers are hostile. That doesn’t mean zero security, just that we need a mindset of frictionless security which minimizes impact to the user experience. We have isolated examples like using biometrics for identity proofing instead of forcing complex passwords. Frictionless needs to become the norm instead of the exception.
Of course I’m not advocating for weak controls simply because they are invisible. Behavioral analysis is frictionless, but still a “best guess” as an authenticator. Even detective controls like biometrics are starting to be beaten as machine learning is used to create deep fakes in imagery, voiceprints, etc. Signed tokens are both deterministic and invisible. Our goal should still be to maximize effectiveness, but add a new goal of minimizing user impact.
If we assume trustworthy users, we can still incrementally ratchet up controls and their impact when we have reason to. Should we get a bad (or no) certificate above, we can reasonably dial up incremental authentication challenges. If we get a nonstandard page navigation path, or a bad device fingerprint, that gives cause to increase friction through additional controls.
The point is to start by whitelisting good actors vs. treating all as potentially bad and simply applying the strongest controls possible. When I was CTO at TD Ameritrade, we tried hard to identify bad behavior and searched for bad actors’ signatures. That was challenging for us (we had 10 million good clients and billions of potentially bad ones) and it was hard on the clients we challenged to prove themselves worthy.
The response to “Do you trust me?” should be “Yes, until you give me a reason not to.”
4 Principles of Frictionless Security
Implementing frictionless security requires adopting 4 basic principles:
All user impact requires a compelling reason.
Assume trust first and seek to confirm.
Add friction only as trust decreases, keeping friction and trust in balance.
Provide truth in measurement.
The 4th bullet is the key to gaining business consensus. It means that in addition to measuring controls effectiveness, we need to measure user friction added by controls. You then discount the value of a control by the amount of customer or user impact.
Not only should this be a part of the dashboards we publish, but we need to be honest about both the effectiveness of the control and the user pain it creates. If our business teams don’t agree with our user impact, assume they are right.
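The ratchet described above (assume trust, let invisible checks lower it, add friction only to cover the shortfall) together with the fourth principle’s discounting of a control by its user impact, written out as an added illustration. This is not code from the original article or from any CTM product; the signal names, their penalties, the step-up controls, and their assurance and friction numbers are all constructed. Ordering candidate controls by discounted value, so the control with the most effectiveness per unit of pain is tried first, is my design choice, not something the article prescribes.

```python
"""Trust-first step-up policy (constructed example).

Every session starts fully trusted. Risk signals produced by invisible checks
(signed-token verification, device fingerprinting, navigation analysis) lower
the trust score. Friction is added only when the remaining shortfall has to be
covered, and every control is reported with its effectiveness discounted by the
user impact it costs. All signals, weights and controls are hypothetical.
"""
from dataclasses import dataclass
from typing import Iterable

# Hypothetical trust penalty per risk signal (constructed values).
SIGNAL_PENALTIES = {
    "token_missing": 0.50,                # no signed token presented
    "token_invalid": 0.70,                # signed token failed verification
    "device_fingerprint_mismatch": 0.30,  # device differs from the one last seen
    "unusual_navigation": 0.15,           # nonstandard page navigation path
}

# Principle 1: a single weak signal is not a compelling reason for user impact.
NO_CHALLENGE_ABOVE = 0.80


@dataclass(frozen=True)
class Control:
    name: str
    assurance: float  # share of fraudulent attempts it stops (constructed)
    friction: float   # user impact on a 0..1 scale (constructed)

    def discounted_value(self) -> float:
        """Principle 4: effectiveness discounted by the pain the control causes."""
        return round(self.assurance * (1.0 - self.friction), 3)


# Hypothetical step-up controls; none of them run on a fully trusted session.
STEP_UP_CONTROLS = [
    Control("push_confirmation", assurance=0.80, friction=0.20),
    Control("otp_sms", assurance=0.70, friction=0.40),
    Control("knowledge_questions", assurance=0.30, friction=0.60),
    Control("call_center_verification", assurance=0.95, friction=0.90),
]


def trust_score(signals: Iterable[str]) -> float:
    """Principle 2: start at full trust and subtract each observed signal.

    Unknown signal names carry no penalty here; a production policy would
    reject them so that a misspelled signal cannot silently grant trust.
    """
    penalty = sum(SIGNAL_PENALTIES.get(s, 0.0) for s in signals)
    return round(max(0.0, 1.0 - penalty), 2)


def step_up(signals: Iterable[str]) -> dict:
    """Principle 3: cover the trust shortfall with the least painful controls.

    Controls are tried in order of discounted value and the loop stops as soon
    as their combined assurance covers the shortfall, so friction grows only as
    trust shrinks.
    """
    trust = trust_score(signals)
    if trust == 0.0:
        # Trust has run out; no challenge the user could pass restores it.
        return {"trust": trust, "decision": "deny", "controls": [],
                "assurance": 0.0, "friction": 0.0}
    if trust >= NO_CHALLENGE_ABOVE:
        return {"trust": trust, "decision": "allow", "controls": [],
                "assurance": 0.0, "friction": 0.0}
    need = round(1.0 - trust, 2)
    chosen, covered = [], 0.0
    for control in sorted(STEP_UP_CONTROLS, key=Control.discounted_value, reverse=True):
        if covered >= need:
            break
        chosen.append(control)
        # Treat controls as independent: the odds that all of them miss multiply.
        covered = 1.0 - (1.0 - covered) * (1.0 - control.assurance)
    return {
        "trust": trust,
        "decision": "allow" if covered >= need else "deny",
        "controls": [c.name for c in chosen],
        "assurance": round(covered, 3),
        "friction": round(sum(c.friction for c in chosen), 2),
    }


def dashboard() -> list:
    """Publish each control with its cost, not just its effect (principle 4)."""
    return [(c.name, c.assurance, c.friction, c.discounted_value())
            for c in STEP_UP_CONTROLS]


if __name__ == "__main__":
    for observed in ([], ["unusual_navigation"], ["device_fingerprint_mismatch"],
                     ["token_invalid", "unusual_navigation"],
                     ["token_invalid", "device_fingerprint_mismatch"]):
        print(observed, step_up(observed))
    for row in dashboard():
        print(row)
```

The dashboard rows are the “truth in measurement” the text asks for: a control that stops 30% of fraud at a friction cost of 0.6 shows a discounted value of 0.12, which is why the policy reaches for it only after the cheaper controls have failed to cover the shortfall.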
Putting Money Where My Mouth Is
I’ve seen this system from both sides, as an IT risk professional and as a CEO. I now run CTM Insights, a cybersecurity incubator/build studio, and feel so strongly that I’ve committed my own money to fix it.
CTM started Authoriti as a better way to prevent fraudulent transactions, but quickly realized that its value was in frictionless fraud prevention. Authoriti actually simplifies the user experience of opening new accounts, authorizing money movement, sharing personal information, submitting claims, and even connecting to a call center (to name a few) while dramatically and deterministically reducing fraud.
Other CTM investments also respect the frictionless model of security. ShardSecure replaces complex encryption with what looks to users and apps like nothing more than network attached storage. CTM’s trust overlay for the Internet provides traffic with better performance. Our work to identify deep fakes and other data integrity issues is designed to be transparent to users.
In short, CTM’s goal is to move the needle on some of the hardest problems in cybersecurity while reducing business friction. Why? As we found with Authoriti, the best security is frictionless.
Lou Steinberg is a Managing Partner at Authoriti.