Cybersecurity: Get out of the niche

Cybersecurity is made by nerds for nerds. What was good in the beginning is just not enough today. Because the topic affects everyone and everything. We need to get out of our cosy but restrictive niche. But how?

Text: Katja Dörlemann, published on 09. July 2024

The number of cybersecurity conferences, meetings, events, working groups, associations and societies is growing every year. Current cyber-attacks are regularly reported in the mass media, and 95% of the Swiss population consider cyber-attacks to be a serious problem. Cybersecurity is no longer a niche topic - is it?

Summarised results of the ‘Population survey among Swiss Internet users in 2023.’ Source: www.internet-sicherheit.ch

Cybersecurity is designed in the niche

As our lives become increasingly digitalised, cybersecurity is lagging behind. Policies, technological solutions and processes are still almost exclusively designed in and for the cybersecurity niche and then unleashed on the rest of humanity. The hope? That's about right. The reality? Inadequate security and frustration. One example:

How do we authenticate ourselves in everyday digital lives? For decades, with passwords. They should be unique, complex and at least 14 characters long. And since this is no longer completely secure, please use 'multi-factor authentication' (Google) or turn on 'two-step authentication' (LinkedIn) or 'verification' (MS Teams). Have you ever wondered how many accounts you have created so far? With all the web shops, social media platforms, banks, insurance companies and the like, it's probably well over a hundred. Authentication with passwords that follow all the security rules is almost impossible.
Fortunately, a lot has happened in this area in recent years. There are password managers, single sign-on solutions and passkeys - in other words, security technologies to support internet users. Unfortunately, these improvements have not yet reached the centre of society. Only 38% of Swiss internet users use a password manager at home.

There are many more examples: VPN, firewall, data classification, secure data sharing, etc. The following applies to all of them: Usability? Hardly any.

Cybersecurity does not like to collaborate

Cybersecurity is an issue that affects us all, so why shouldn't everyone be involved in shaping it? So far, it’s been the exception that the security community has opened up to experts and influences from other disciplines. It would rather keep to itself and reinvent the wheel than invite society to work together. Making people aware of secure behaviour? The only way to do that is with e-learning courses and phishing simulations created specifically for this topic by vendors who specialise in this very area of security. Improve the security culture? Great idea, let's just start researching with a greenfield approach.

The fact that disciplines such as organisational psychology, communication, adult education and areas such as the physical safety of nuclear power plants have been offering solutions for decades has only recently been recognised.

There is nothing special about Cybersecurity. The field faces many problems that are familiar from other fields. People just don't like to work with others.

Interdisciplinary collaboration at SISA

Collaboration with different organisations and specialist disciplines is complex. It requires a lot of commitment, translation, encouragement and understanding. This is exactly what Switch has been doing for ten years now with the Swiss Internet Security Alliance. I have been involved in this work for seven years and have seen first-hand the changing needs of its members. What started out with the need for inter-organisarional data exchange, has now evolved into an interdisciplinary collaboration that aims to meet the complex requirements of the cybersecurity landscape using iBarry.ch as the platform for internet security, the Web Security Day, the Swiss Security Awareness Day and working groups.

A welcome to the participants of the Swiss Security Awareness Day 2023 — Marcus Beyer, Lead iBarry Advisory Board, welcomes the participants of the Swiss Security Awareness Day 2023 on 24 October in Bern on behalf of iBarry. Photo: Mathias Karlsson, Switch.

On the board, I work with experts in security awareness, prevention and insurance, as well as the security teams from Sunrise, Swisscom, Mobiliar and Swiss Crime Prevention, and I benefit enormously from the exchange. We all have similar problems and face similar hurdles. The input and experience of others makes our work more efficient. After all, we all have the same goal: to secure data and information and to protect our customers. So why not pull together? Why not inform the Swiss population together? Why not protect all members from identified phishing URLs? We don't need to reinvent the wheel. There is a lot of potential here.

Cybersecurity is simply too relevant

Cybersecurity, or IT in general, has one major problem: its relevance. To people. To society. To the economy. Every organisation and person that moves digitally - practically the whole world - needs processes, software and skills that are also shaped by disciplines outside of cybersecurity. They form the foundation, the framework, of digital life. By way of comparison, a literary scholar discovers a previously unknown work by Johann W. von Goethe that challenges the prevailing interpretation of his entire oeuvre. Who would be interested? No one outside the literary bubble. But when a cybersecurity expert develops a new authentication method, such as Passkeys, it turns the habits of the entire population, the internal infrastructures of all organisations and entire industries upside down. Cybersecurity, a discipline that still operates within the confines of its own domain and rarely thinks outside the box, is simply out of luck.

Learn from each other, pool resources

Existing, leading cybersecurity experts need to open up to input from other disciplines. These include politics, diplomacy, psychology, communications and many more. Finally, we need an interdisciplinary, collaborative approach that reflects the diversity of how technology is deployed and used in the real world. Security technology must be developed by security geeks – of course. But please in collaboration with experts in usability, UX design, process optimisation and others. Tech by techies for techies can be done, but is often unsuccessful. Let's make security a success and not an obstacle in everyday digital life. Let's learn from each other or, better still, let’s pool our resources.

Of course, this also requires the interest of other departments and their willingness to participate. They must also understand that they have a say and demand it. They need to develop the confidence to challenge the status quo and support change.

Conclusion: demand collaboration!

Cybersecurity is relevant to all digitalised aspects of our society. On the one hand, the discipline must (self-)consciously accept the consequences if it does not reduce its own boundaries more quickly. And it must welcome, integrate and, above all, actively demand supporting expertise from outside.

On the other hand, other disciplines must also understand their relevance to cybersecurity and open up to it, demanding integration and co-design.
Cybersecurity is an everyone’s business.