To see why low-code/no-code is inevitable, we need to first understand how it finds its way into the enterprise.

A few months ago I had a conversation with the CISO of a multinational logistics company who told me that his company will never allow citizen development. "I see that the benefit could be massive, but we will never allow it," he said.

This statement made perfect sense. Allowing employees with little IT or coding experience to develop applications seems counterintuitive to companies that are used to seeking strict controls over developers, applications, and digital assets. For many executives, citizen development seems to belong to a distant future.

In a follow-up meeting with that same CISO a few weeks ago, the conversation went in a very different direction. Marketing teams found their way around the CASB and started using no-code automation. Business applications teams started using Salesforce to streamline business processes rather than focus only on sales and customization. Employees all around the company were using Microsoft's built-in platform to build custom applications in Teams. "Turns out, we didn't get to choose. Citizen development is now a reality, and I am now expected to mitigate its security risks," he told me.

This CISO is not alone. The world's largest banks, retailers, and manufacturing companies are going all-in on citizen development. At a recent online event, Microsoft announced that 97% of Fortune 500 companies use its low-code/no-code platform.

**How Low-Code/No-Code Platforms Find Their Way Into the Enterprise**  
To understand how organizations can transition from "low-code who?" to "business developers" in just a few months, we need to understand how low-code/no-code finds its way into the enterprise. We also need to look at low-code/no-code platforms' go-to-market (GTM) strategies.

**1\. Land-and-expand:** Low-code/no-code platforms follow multiple paths into the heart of the business. The first and most obvious one is a top-down approach. In organizations where digital transformation is a strategic effort, senior management often looks for platforms that can accelerate the productivity of their business teams. Low-code/no-code platforms are built to do exactly that. Two popular choices for digital transformation are low-code application platforms (LCAPs) and integration platform-as-a-service (iPaaS).

In the digital transformation scenario, an organization would typically set up a center of excellence (CoE) that starts off by finding key use cases that quickly produce business value. Think of business applications used to manage a giveaway campaign by HR, welcome vendors to your facilities, or facilitate IT equipment orders by employees. Even more importantly, the CoE serves as inspiration for business users to think of more ways in which they can improve their productivity with business applications and automation. This centralized team leading by example doesn't have to be explicitly called a CoE. It can be the business applications team, the intelligent automation team, or the integration team, for example.

Once users start getting an appetite for applications that streamline business processes, the CoE's backlog quickly overflows. It is at this stage that business users start building their own applications, either with guidance from the CoE or on their own.

Both LCAP and iPaaS vendors rely heavily on this process of expansion within the enterprise as their core growth strategy. While it's easier to get through the door with a solution used by a centralized team, the value that can be realized grows significantly when low-code/no-code tools are placed directly in the hands of business users. Indeed, LCAP and iPaaS vendors are investing a lot in making their platforms easier for citizen developers to use. Slowly but surely, business teams across the organization become aware of these platforms and start to use them to get their job done.

This land-and-expand model is a win-win for vendors and customers alike. Centralized teams bring these platforms into the corporation and demonstrate their value, leading to business teams realizing their potential by addressing a wide range of business needs quickly, on their own.

**2\. Bottom-up (shadow IT):** The marketing team at the aforementioned logistics company has been hard at work on a big conference. The company plans to make a few key announcements, with the intent to make it a big deal and generate lots of buzz. To translate this hype into leads, they want to set up a dedicated landing page with content optimized for conference visitors. The marketing team hires a vendor to build the page. In order to deliver quickly, the vendor uses a no-code automation platform to set up an email campaign and sync leads to the company's CRM. The end result is a great conference experience, powered by a no-code automation platform connected to the company's CRM.

In the rush of things, however, the CRM integration was set up with an administrator account shared with all developers on that account. At launch, only a few developers have access to the account, but after seeing the value, the whole marketing team is granted access, inadvertently sharing administrator privileges to the CRM. Security teams found out about it after the fact. The platform was purchased out of pocket due to time constraints, so there was no security assessment or an opportunity to say no.

This is a typical story, where platforms are introduced directly by users to solve a specific problem, without security visibility or guardrails. Once inside, they continue to expand to additional use cases and business groups. Vendors call this product-led growth (PLG), and it has been the hot GTM trend for the past few years.

Indeed, users are introducing these platforms because they actually solve their problems. Manual processes around order-to-cash, customer care, and marketing operations are a common example. This is great for business productivity. However, over time organizations can find that their business-critical data and processes have slipped out from under the security umbrella.

**3\. SaaS becoming the new business cloud:** Name your favorite corporate SaaS platform. Chances are, it's a low-code/no-code development platform too, and your business users are already building with it. Don't just trust me on this — I encourage you to check it out yourself.

In recent years, SaaS vendors are increasingly shifting toward becoming low-code/no-code development platforms. Microsoft, Salesforce, ServiceNow, Workday, Slack, and other leaders in SaaS have all introduced their own low-code/no-code platform, embedded right into the platforms your business users are already using. Some vendors are focused on if-this-then-that automation and others on custom application development. But all of them are reaching out to business users directly, empowering them to do more on their own.

Back in the previously mentioned logistics company, the CISO found out that users across the organization were using Power Platform, Microsoft's low-code/no-code platform embedded in Office, to build custom applications for their Teams channels. These applications gained access to resources on behalf of their Teams users to do useful things like set up calendar invites, send emails, or share SharePoint files. Inadvertently, it also gave the application creators control over application user identities, allowing them to impersonate their users through the applications. Like any application that gains access on behalf of users, that access could be used to do harm, either by malice or by mistake.

SaaS vendors are pushing strong on low-code/no-code as a way to expand their business. They are using their advantage of already being at the fingertips of business users and are building app development platforms for their specific personas. This, again, is great for innovation and business velocity.

**The Time to Act Is Now  
**With all of the different ways low-code/no-code finds its way into the enterprise, it's becoming clear that organizations can't just opt out of citizen development. Gartner has predicted that the number of active citizen developers at large enterprises will outnumber professional developers four to one by 2023. Other analyst firms have predicted similar numbers. Even if we end up having _just_ one citizen developer per professional developer, can we really let that slip outside the security umbrella?

Instead, security teams should embrace low-code/no-code and help guide the new generation of citizen developers in line with enterprise requirements. The sooner this is done, the better.

You Can't Opt Out of Citizen Development

New quantum encryption standards will stand up to spy-snooping, NSA cybersecurity director said.

As the National Institute of Standards and Technology (NIST) is busy developing — and gathering industry buy-in — for a new set of quantum encryption standards, the cybersecurity chief for the National Security Agency (NSA) has vowed it won't build in a backdoor for snooping.   

The NSA has a shabby track record when it comes to violating privacy and Fourth Amendment protections with its massive surveillance operations, but in an interview, NSA director of cybersecurity Rob Joyce said, "There are no backdoors" being designed for spies to bypass new quantum encryption standards. 

Although the reality of quantum computing is still years away, its potential to crack even the strongest encryption has the cybersecurity community on the hunt for protection against this future risk.  

The NSA is also helping NIST test its various quantum encryption algorithms, Joyce told Bloomberg News. 

“Those candidate algorithms that NIST is running the competitions on all appear strong, secure, and what we need for quantum resistance,” Joyce said. “We’ve worked against all of them to make sure they are solid.”

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

NSA Cyber Chief Vows 'No Backdoors' in Quantum Encryption Standards

Feeling creative? Submit your caption and our panel of experts will reward the winner with a $25 Amazon gift card.

What's a cartoon without a clever caption? For that we turn to you, our witty readers. Send us your ideas not only for the chance to win a $25 Amazon gift card, but also because it's just plain fun to play! Here are four convenient ways to submit your idea:  

*   Email _\[email protected\]_ with the subject line "Dark Reading April Toon."
*   Via social media: Twitter, Facebook, and LinkedIn.

The contest ends Wednesday, June 8, 2022. We look forward to your submissions.

**Last Month's Winner  
**A $25 Amazon gift card is on the way to Gene LeDuc, technology security officer at San Diego State University. His caption for April's "Helping Hands" contest was the hands-down winner. Congrats, Gene, and thank you to all who played along. 

    

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Name That Toon: Knives Out

Just one day after disclosure, cyberattackers are actively going after the command-injection/code-execution vulnerability in Zyxel's gear.

Zyxel firewalls are under active cyberattack after a critical security vulnerability was disclosed last week that could allow unauthenticated, remote arbitrary code execution.

The bug (CVE-2022-30525, CVSS 9.8) was silently patched in April, but no public disclosure was made until last Thursday, May 12, when Rapid7 released a technical report on the issue. It also debuted a working proof-of-concept exploit that clearly snagged the attention of the bad-actor set: Just one day later, in-the-wild attacks started.

Zyxel’s ATP, VPN, and USG FLEX series business firewalls are affected. Shadowserver identified nearly 21,000 potentially vulnerable devices hanging around as of Sunday, prompting US National Security Agency cyber director Rob Joyce to issue a call-to-patch tweet.

The vulnerability can be triggered via a device’s HTTP interface to open a reverse shell and allow code execution as the “nobody” user. The nobody user is less privileged than actual user accounts, but a successful attack could still allow a nefarious type to "modify specific files and then execute some OS commands on a vulnerable device," Zyxel warned. In a worst-case scenario, attackers could potentially gain control of the host operating system, disabling the firewall and opening the network to follow-on attacks.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Critical Zyxel Firewall Bug Under Active Attack After PoC Exploit Debut

In a Black Hat Asia keynote fireside chat, US national cyber director Chris Inglis outlined his vision of an effective cybersecurity public-private partnership strategy.

BLACK HAT ASIA – The future of cybersecurity public-private partnerships (PPP) will be about sharing efforts and pooling resources to provide a common defense, explained US national cyber director Chris Inglis during a fireside chat at Black Hat Asia.

Inglis called it a "new social contract" and defined the joint work that lies ahead for both government and business to protect their interests. It should be a "collaborative, not a division of effort," he told moderator and Black Hat founder Jeff Moss. He added that it's up to businesses to build secure systems from the start rather than being "the poor soul at the end of the supply chain."

**Building a Defensible System**  
In return for adding the cost of security into the design and build phase, these companies won't be left alone when it's time to respond to threats.

"We have to build a defensible system," Inglis said. "And in a collaborative fashion, we are going to defend it."

Market forces are pushing companies toward that model, but not fast enough, Inglis said, with the assurance that any regulation will be with the "lightest touch" by government.

**Business as a Government Cybersecurity Collaborato**r  
He added that since the Russian invasion of Ukraine, the US government has shared intelligence with the private sector to help defend their systems against cyberattacks. Inglis also lauded the action by Microsoft to roll out a patch against the Russian wiper virus used in attacks against Ukraine, but warned that it's imperative that we not "conflate geography with risk."

For instance, blocking Putin from platforms is different than blocking the wider Russian population, which has happened on TikTok, Netflix, Facebook, and many others.

Inglis also expressed that the private sector should demonstrate that is has an interest in protecting privacy and providing more transparency into their businesses.

Ultimately, the relationship between business and government is evolving.

"Today, there are instances where the private sector is the supported organization and the government is the supporting organization," Inglis said. "This is a new social contract, but we've done this before. It's about allocation of responsibility across the entire ecosystem."

US Cyber Director: Forging a Cybersecurity Social Contract Is Not Optional

A decentralized future is a grand ideal, but secure management of private keys is the prerequisite to ensure the integrity of decentralized applications and services.

The lyrics to the 1937 song of the same title, "Me, Myself, and I" speak to individual identity – me, the whole person, and nobody else. In the context of the emerging paradigm of decentralized applications and services, often wrapped in the cloak of Web 3.0, one of the promised benefits for the individual is control over their personal data. Central to this anticipated benefit is the irrefutability and verifiability of a "digital self," comprising the "digital twin" of our actual person. 

The central thesis of the decentralized future is that I should be able to demonstrate certain aspects of my identity in the digital domain that are manifest in the physical domain – for example, my valid passport, academic record, Social Security details, and financial transactions. These characteristics, or "claims," about my identity should be able to be verified, independently, by a relying party, to establish the necessary trust for some transaction between us. The change from existing federated identity methods is that I choose whether to disclose my personal data for a specific purpose and I retain control of the disclosure process under the concept of self-sovereign identity (SSI).

How do I gain this control over my identity? The answer is through the use of public key cryptography, where I provide a public key that others can use to verify my unique cryptographic signature, generated using a private key to which only I have access. This system of digital signature and verification is in widespread use today and is the basis for secure communications between the server hosting this article and your Web browser. To enable decentralized verification of credentials, public keys are written to a distributed ledger using a decentralized identifier (DID) that represents my uniqueness within the decentralized environment. DID standardization is currently being worked on by the World Wide Web Consortium (W3C), with the aim of establishing interoperability across discrete, decentralized networks. 

Crucially, the public key associated with an individual or machine participating within a decentralized network forms part of the DID that all relying parties within a decentralized network use to validate my identity and my transactions. The distributed ledger provides irrefutable and immutable evidence of those transactions, based upon the use of my public-private key pair. In a decentralized world, your private keys become your identity. Your private keys are, therefore, not only a source of control, restricting who can access your data, they are also a source of acute vulnerability.

**Identity Loss**  
The consequences of either loss of your private keys or someone gaining unauthorized access to them are evident in several well-publicized examples of cryptocurrency theft, notably the separate attacks perpetrated against Mt. Gox, Bitfinex, and Coincheck. Once access had been gained to the private keys used to authorize cryptocurrency transactions, hundreds of millions of dollars in crypto-asset value were lost from user wallets. Ironically, in the case of the Bitfinex theft, it was a lack of adequate security to protect the alleged perpetrators' private keys that enabled law enforcement agencies to recover approximately $3.6 billion in Bitcoin assets that were stolen in 2016.

We are now witnessing a societal transition to the use of DID verification and associated ownership and custody of digital assets. As decentralized services proliferate, DID claims will also be enriched. Credentials issued by traditional identity providers, such as governments and banks, will be complemented by information from other sources. Not only will my digital persona reflect my activities and interests in the physical domain, but transactions made with my DID will be recorded across disparate blockchains, creating an immutable record of my life history.

With my private keys controlling the use of my identity in tomorrow's decentralized context, unauthorized access to those keys could be catastrophic. A malicious entity appropriating my private keys could not only gain access to wallets holding valuable cryptocurrencies and tokens, but they could also perform any variety of fraudulent transactions. In a worst-case scenario, my physical identity could become completely decoupled from my digital twin, rendering a demonstration of my identity virtually impossible in the digital domain. The problem being that where my DID is misused, the nature of distributed ledger transactions makes it extremely difficult to refute their authenticity after the event. How can I deny knowledge of a fraudulent application for a credit card or bank loan where my private key was used to sign the digital contract? How can I assert the continuity of my physical residence, after the use of my DID with a claim based on a fraudulent address?

Global initiatives such as the World Bank's Identification for Development (ID4D) project and the W3C's DID standardization activity are providing a framework for SSI management within a decentralized world. Secure management of private keys remains, however, the prerequisite for robust identity management and the integrity of decentralized applications and services. As the recent problems at Okta indicate, SSI can mitigate the risks associated with contemporary identity management services. Nevertheless, independent, secure, and available key management solutions represent the foundation of this new identity management model. While it is tempting to focus on the opportunities of the decentralized future, there is still much to resolve when it comes to securing our individual identities in this new ontological domain.

Me, My Digital Self, and I: Why Identity Is the Foundation of a Decentralized Future

Cyber-researchers are testing the bounds of optical attacks with a technique that allows attackers to recover voice audio from meetings if there are shiny, lightweight objects nearby.

BLACK HAT ASIA — A soda can, a smartphone stand, or any shiny, lightweight desk decoration could pose a threat of eavesdropping, even in a soundproof room, if an attacker can see the object, according to a team of researchers from Ben-Gurion University of the Negev.

At the Black Hat Asia security conference on Thursday, and aiming to expand on previous research into optical speech eavesdropping, the research team showed that audio conversations at the volume of a typical meeting or conference call could be captured from up to 35 meters, or about 114 feet, away. The researchers used a telescope to collect the light reflected from an object near the speaker and a light sensor — a photodiode — to sample the changes in the light as the object vibrated.

A lightweight object with a shiny surface reflects the signal with enough fidelity to recover the audio, said Ben Nassi, an information security researcher at the university.

"Many shiny, lightweight objects can serve as optical implants that can be exploited to recover speech," he said. "In some cases, they are completely innocent objects, such as a smartphone stand or an empty beverage can, but all of these devices — because they share the same two characteristics, they are lightweight and shiny — can be used to eavesdrop when there is enough light."

The eavesdropping experiment is not the first time that researchers have attempted side-channel attacks that pick up audio from surrounding objects.

**Improving on Past Optical Eavesdropping  
**In 2016, for example, researchers demonstrated ways to reconfigure the audio-out jack on a computer to an audio-in jack and thereby use speakers as microphones. In 2014, a group of MIT researchers found a way to use a potato chip bag to capture sound waves. And in 2008, a group of researchers created a process to capture the keys typed on a keyboard by their sounds and the time between keystrokes.

The MIT research is similar to the technique pursued by the Ben-Gurion University researchers, except that exploitation required more restrictive placement of the reflective object and required substantial processing power to recover the audio, said Raz Swissa, a researcher with Ben-Gurion University of the Negev.

"This \[older\] method cannot be applied in real time because it requires a lot of computational resources to recover just a few seconds of sound," he said. And other well-known techniques, such as a laser microphone, require a detectable light signal to work.

The researchers thus focused on creating a process that could be accomplished with everyday objects already in the targeted area and using instruments that are readily available. Using objects 25 centimeters — about 10 inches — away from the speaker, the researchers could capture fluctuations in the light reflected off of them up to 35 meters away. The recovered speech was quite clear at 15 meters and somewhat understandable at 35 meters.

Overall, the experimental setup, which the researchers call the Little Seal Bug, could be used to capture audio with everyday objects The attacker can be external to the target, thus less detectable, while the low computational requirements make capture available in real time.

**Great Seal, Little Seal and Beyond  
**The Little Seal Bug is a nod to a well-known early espionage incident, known as the Great Seal Bug. In 1945, the Soviet Union gifted the US ambassador a crimson, embossed eagle seemingly celebrating the US-Soviet collaboration to defeat Nazi Germany. Yet the Great Seal also had a hidden audio recorder that allowed Soviet spies to eavesdrop on high-level conversations in the embassy.

Similarly, the Little Seal Bug could use common items around an office to capture audio via reflected light. In addition, most mobile devices come with a photosensor that does not require special permission to access. While the researchers have not come up with an attack chain using the sensor, such a resource could very well be used by future attackers.

However, there are many more likely threats for espionage attacks, Nassi said. From compromising systems with malware and capturing the audio that way, to using microphones already embedded in Internet of Things devices, such as AI assistants and video cameras, our world is quickly becoming filled with potential eavesdropping devices.

"A smartphone, a laptop, an IP camera, and a smart watch are probably more risky in terms of privacy than these devices or objects," he said.

How to Turn a Coke Can Into an Eavesdropping Device

The Budapest Convention is a multinational coalition that agrees to share electronic evidence across international jurisdictions to track down cybercriminals.

The US Department of Justice has signed on to the Budapest Convention international treaty, which allows its 66 member countries to expedite the sharing of electronic evidence to more effectively track down cybercriminals, wherever they are on the globe.

"The Budapest Convention is a truly remarkable international instrument," Deputy Assistant Attorney General Richard Downing said. "Its technology-neutral approach to cybercrime has created an enduring framework for cooperation that ensures law enforcement has the tools they need to respond to new criminal methods.”

Signed by Downing, the agreement, according to the DoJ, makes it easier for law enforcement agencies to obtain subscriber and traffic data from service providers for cybercrime investigations. The agreement followed nearly four years of negotiations, the DoJ noted. 

“It is our collective vision that every country that is serious about fighting cybercrime and that provides for the protection of human rights should become party to the Budapest Convention," Downing added. "The Convention strikes the right balance between imposing obligations on nations to have robust laws and capabilities and providing the flexibility necessary for nations with different legal systems to join."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

US Agrees to International Electronic Cybercrime Evidence Swap

In a keynote address at Black Hat Asia in Singapore this week, CISO and former NASA security engineer George Do discussed his go-to model for measuring security effectiveness – and getting others in the organization to listen.

BLACK HAT ASIA 2022 – When it comes to demonstrating the value of cybersecurity to a business, one of the biggest challenges is communicating ROI to the C-suite. The entrenched perception of security as an obstacle to productivity and other areas makes it very difficult for security engineers and nontechnical management to be on the same page.

During a keynote at Black Hat Asia this week, George Do, CISO at Gojek and GoTo Financial and former cyber-pro at NASA, tackled the problem of how to encourage security to be viewed as a valued part of the business for all departments, not just the CISO's office. It starts, he said, with quantifying that security effectively.

"All your investments into security, all of your hiring, all your projects, all of the blood, sweat, and tears that security staff puts into the trenches – does any of it matter? Is it meaningful?" he asked during the presentation, entitled, "Moving the Security Needle From the Security Trenches to the Boardroom." "You have to be able to answer that" and show why.

**Communications Breakdown  
**Security teams often have an uphill battle internally because of a lack of communication between departments. Take, for instance, the common misconception among average workers that security is there to make everyone's lives harder. Do referred to it as "ivory tower security," where the security apparatus appears to everyone else to be removed and prone to delivering a litany of "no's."

"Many of our organizations view the security team as a technical obstacle," Do said. "We are CIS-NOs, right? They think we sometimes do things in a vacuum, that we don't understand the impact of the business or at least understand, you know, the pain points the business is having. There's mistrust of the security team."

He added, "The more processes and the more gates that we set up slow down the business and add friction. We often don't weigh that heavily enough in our selection of how we're going to design something."

Another communication pitfall exists between the CISO, the CIO, and CTO. All are often dragged into the boardroom together without being on the same page, which can create the possibility for adversarial or competitive relationships. But it's vitally important for CISOs to recognize the other tech-related leaders as partners and stakeholders, Do said.

"It's not for the CISO to say, 'Hey, CIO and CTO, these are all the bad things that are going on in your organization. You need to go fix it,'" he explained. "The better idea is to partner on a presentation together to present to the board, so whatever problems we call out, there's a plan of attack, and we can communicate on how we're doing against that plan of attack."

Another important strategy is to remind board members that they have skin in the game.

"Board members have what they call fiduciary duty, meaning that if the organization gets hacked or compromised and it's found that the board members were not focusing on that risk area for the organization, they can be held liable," Do said.

Do encouraged audience members to consider the overhead with every security addition or program.

"Each logo you add to your security program will add a bit of technical debt," he explained. "You have to consider the cost to set up new processes, the man-hours, the impact on the business, \[and\] the cost of the product itself."

**5 Key Tips for Communicating Security Effectiveness  
**Do also laid out a five-pronged blueprint for communicating the importance of security programs to the entire business, and how to quantify ROI.

**1\. Know your audience:** When trying to communicate security results, it's important to use language that board members and business leaders can understand, Do pointed out. That includes using simple rules of thumb, such as avoiding jargon and acronyms.

It's also critical to understand that different stakeholders have different lenses. Security engineers may look at the number of attacks that were blocked by the firewall as a measure of success, while infosec managers and directors would rather know about the successful attacks and whether the systems were able to detect and respond to those attacks. Meantime, CISOs would be interested in finding out what could be done to prevent further breaches, while the CEO and board might be more interested in whether the organization lost money, suffered downtime, or ended up with legal liability or brand and reputation damage.

"These are all very different questions, all equally important," Do said.

**2\. Don't start with metrics:** It may seem counterintuitive, Do said, but it's important to start with the business objectives when framing security effectiveness.

"You may be a hospital, a government agency, a commercial company; whatever you are, you have business objectives, so start with that," Do advised. "This is how we generate revenue. This is what we're providing to the industry. What are the cyber-risks to that business, given whether or not you're in the cloud, your user base, your customer base? Understanding this will inform you what the metrics should be."

**3\. Be quantitative:** Once the metrics are defined, an organization's security road map should be aligned. That means investment in all of the projects, the products, the labor, the processes, and so on must be in service to meeting those metrics.

"The metrics should be public information, so every single team in the company knows what your goals are and that it's been signed off on. This isn't something security is cooking in the kitchen in a silo," Do noted.

It's important to measure what success means in numbers, not anecdotes or qualitative statements, Do added: "You have to be able to measure it and repeat it."

**4\. Remember that security is a team effort:** Do pointed out that all too often, security teams take an us-against-the-world attitude – but in reality everyone has ownership in security processes and should be communicated as such, with clear responsibilities and roles for security in every department.

"Even areas like the procurement team may need to own some part of security processes, for instance," Do said. "Literally it takes a village to secure an organization, not just a security team. And in recognizing that, you can avoid the confusion over who's responsible, who's accountable, who's consulted, and who's informed. It's critically important because it sets the expectations upfront with your stakeholders on who owns what."

**5\. Pair empowerment with accountability:** Once security roles have been determined and it's clear who's accountable for what, it's important to also empower those individuals.

"Empowered means, do I have the authority to achieve my objective of, say, patching, for example? Do I have the budget? Do I have the processes in place? Do I have the people to achieve what I'm accountable for?" Do explained.

To wrap up, Do cautioned security teams to realize that implementing these best practices will be a journey with many obstacles, but that it’s important to persevere.

"Always without exception all of us are dealing with some level of challenges in this paradigm, meaning the measuring of security, and how do we communicate to our board our leadership, our owners, our shareholders, that we're moving the needle with security?" he said.

Do added, "Some organizations can turn on a dime; they can go to this model quickly," he said. "Others will take a year or more because of bureaucracy, politics, processes, whatever. But I would say don't let that detract you from pushing toward this model."

CISO Shares Top Strategies to Communicate Security's Value to the Biz

The conference opens with stark outlook on the future of global democracy — currently squeezed between Silicon Valley and China.

BLACK HAT ASIA 2022 – Technology is an existential threat to global democracy — requiring a shift to a transnationally regulated, culturally sensitive tech ecosystem that provides space for democracies to flourish.

That's the word from Samir Saran, president of the Observer Research Foundation, in the opening keynote for Black Hat Asia 2022.

"Democracy is turning on itself, and technology is the tool," Saran said. "If democracy is to survive, technology will have to be tamed." 

**Big Tech vs. Red Tech** Caught between Big Tech in Silicon Valley and what Saran called the "Red Tech" of the Chinese Communist Party, it's time for the world to establish meaningful global regulation of massive social and enablement platforms, which have often run amok and been used against the populations they purport to serve, Saran explained during the address, titled "#HackingDemocracy." 

Silicon Valley's ability to pick and choose who has a platform, seemingly based on the whims of owners, and its unwillingness to control the spread of hate speech and disinformation, primarily because it's good for business, are suffocating American democracy and should be reined in, he argued.

Big Tech in the US enjoys a quasi-utility status but uses its immense influence to fend off any sort of meaningful regulation, he explained from his bookshelf-lined office in India (his talk was remote). However, compared with the untamed censorship, malicious intent, and brutal wielding of Red Tech against populations, US-based companies are still the best hope for establishing new ground rules that can hold boardrooms and powerful figures accountable. "Perhaps even elected ones ...," Saran suggested. 

**China's Plan to Divide Democracies** China's Red Tech is more dangerous to democracy because, as Saran explained, it's used to "control the domestic population and also make mischief abroad." 

Chinese Big Tech has been able to insert itself into global democratic discourse and divide wherever possible through the use of deepfakes, fake news, and its formidable troll army, Saran warned. 

"The business model of China tech is to divide democracies," he said. "The Chinese are ensuring they are part of any conversation, any political discourse in free societies — democratic countries." 

Saran credits Chinese tech for maintaining the country's "brand" despite the COVID-19 outbreak in Wuhan by dominating and gaming the news cycle. "They were never held accountable for what happened in Wuhan," Saran said. 

But thanks to the so-called Great Firewall of China, no other countries have the same access to make similar troubles for the Chinese Communist Party. This is no longer tenable, and Saran recommends a global ultimatum to Beijing: Let the world in or we'll block you from the world. 

**Can China Be Held Accountable?** Saran said global tech's reaction to Russia's invasion of Ukraine by blocking Russian interests proves the sector has the ability to hold power accountable. 

"Can these same platforms work together to see that Chinese propaganda is offloaded?" he asked. "Can they take action against Chinese manipulation?" 

The question is whether they're willing to give up the Chinese market in the name of democracy. 

**Going for a Transnational Future  
**Transnational tech platforms also have an obligation to provide services with more cultural nuance, he said. 

"Facebook in India will have to have a different texture than Meta in the United States," Saran said, adding that ultimately, it's about taking better care of the people behind the usernames.   

Regulations could be an important part of the picture given that regional laws aren't one-size-fits-all for a culturally diverse globe, Saran added. 

"Transnational corporations need to have another level of regulation with some standards and accountability."

Source

DARKReading