Tony Sager has not only witnessed the revolutionary change in cybersecurity over the past several decades he has lived it, through several decades with the National Security Agency (NSA).
The most significant, he says, is the transformation of cybersecurity from a government monopoly to a vast marketplace of threats, enemies, defensive tools and solutions that are far too complex for any one organization or institution to manage. The only hope, he said, is simplification and collaboration.
Sager, a founding member and chief technologist at the Council on CyberSecurity and also director of the SANS Innovation Center, focused on explaining that change and its implications in his keynote address at the SANS Security Leadership Summit Wednesday morning in Boston.
Among his key points:
The way we were: A government monopoly facing a single enemy.
"I'm a reformed monopolist," Sager said, noting that in the 1970s, early in his career at the NSA, "the business of cybersecurity was a government monopoly. Who controlled the context, who decided what constituted success, who decided what security was good enough, who paid the freight for most of the R&D? It was the government.
"If you wanted encryption of sensitive or classified information, you had to come to a monopoly the NSA. There was a kind of implicit notion that government would save us and solve the problem," he said.
There was also the perception that the nation faced a single enemy an existential threat from a single nation "that we didn't know much about, because it was a closed society."
The entire notion of connectivity was still in the future as well, so the notion was that cybersecurity was primarily a technology problem. "If we could build better technology, people could use that, our information would be safer, our operations would be more assured, and that would fix it," Sager said.
The way we are: Millions of connections, millions of enemies
None of those notions of the past, "match the world we live in today," Sager said. "We don't have centralized ownership of the problem. We're all connected, all using the same commodity IT, no one is breathlessly waiting for the government to tell us what is safe enough."
Meanwhile, "we're fighting all the time against an infinite number of bad guys," he said. "It's changed the flavor of the whole security business and how we think of leadership."
Security leaders even have a tough time convincing their CEOs that the latest technology from Google, Apple, Microsoft or other vendors needs some study before it's deployed.
"Your boss is absolutely sure you must have it right now," he said. So, for security leaders, the new challenge is, "What's the best we can do with what's coming out of the marketplace? What are the prudent steps we can take? It's no longer central control it's driven by consumers."