The digital security crisis

"Crisis" has many meanings, so it is worth being clear from the outset: the information security industry is not panicking and has not lost its way. But a series of circumstances and uncertainties has been brewing a less encouraging broth for the coming years, and it is necessary to be aware of these events in order to keep offering digital and connected solutions with the reliability that consumers and citizens expect. 

The Covid-19 pandemic was another ingredient in this broth, but not the only one. Cyber attacks and their impacts were also on an upward trajectory: in 2017, the WannaCry virus exposed technical weaknesses in some essential services, showing how dependent we are on technology and connectivity – whether in public transport, education or healthcare. 

The search for professionals has intensified since then, sounding an alert about the shortage of manpower in the sector, and remote work has made everything even more complicated. It clearly increased the demand for connectivity and secure communication channels, prompting revisions even of information security policies that previously did not contemplate remote and varied access. But it did not stop there. 

After Facebook's outage in October 2021, the social network revealed that one of the obstacles to restoring service was getting engineers physically to the routers that needed to be reconfigured: the company, accustomed to carrying out remote maintenance, had not planned for a scenario in which the network itself was unavailable. 

This is evidence of a shift in the job market. While routers and servers must occupy a physical space somewhere, the professional does not always share that limitation. Nor have travel restrictions stopped technology and security experts from seeking and finding jobs anywhere in the world, and working from home. 

With the shortage of professionals and competition for manpower becoming increasingly global, finding and adopting solutions (even if they are "simple" best practices, found in any manual) has become increasingly difficult. 

Demand without awareness 

The Windows "Start" menu was born with the label "System", but the usability tests went poorly: people who had never used a computer in their lives did not know what to do in front of the keyboard and mouse. When Microsoft tested the "Start" label, many users ventured that first click, opening the menu that gave access to the system. 

The button's text label disappeared with Windows Vista, but the usability lesson remains. What is still far from intuitive are the risks involved and the care they require. Just as the system menu became "Start", there are many terms in the field whose meaning has a less intuitive history. 

The aware user knows how to receive something new: understand how a service works, check the security options and leave everything adjusted to avoid surprises. But it is not like that for everyone. The appeal of convenience often obscures the view of the risks. Whether it is a cute app, a sign-up for a promotion or a request for your CPF (the Brazilian taxpayer number) at the pharmacy, not everyone stops to ask why things are done this way. 

It should come as no surprise, then, that not everyone is suspicious of fraudulent messages, nor that it is difficult to educate the new generation about the risks of addictive video game mechanics or of engagement algorithms that prey on our attention. Technology did not anticipate all the risks of its own adoption. 

Legislation helps but is limited 

When people find it difficult to assert their interests, that task passes to legislation. In December, journalist Kara Swisher published an op-ed in the New York Times saying exactly that: Congress needs to do more in the tech sector. 

In Brazil, the General Data Protection Law (LGPD) came into force in August. Inspired by existing laws in Europe and in some American states, it is driving a transformation in corporate culture: many companies saw personal data as mere files and spreadsheets, not as something belonging to a citizen. Even three years after the text was enacted, what this means is still not entirely clear to everyone. 

And systems do not always give us the means to exercise the rights we are guaranteed. We are asked to accept or decline "cookies" on every website we visit, even though the technology to do this automatically has existed for decades. It is good that the LGPD and similar laws (such as the GDPR in Europe) require people's consent, but what exactly are we consenting to with a click on "Accept"? 

Like the "Start" button, "Accept" is very intuitive. But where did the idea of the informed click, so important for security, go? 

Taking control away from people (either by adopting algorithms that decide everything for them or by trying to circumvent browser settings) has left us with the legacy of a hostile web. The digital road is "accelerated", without a doubt, but it is worth asking what fraction of this speed comes from ignorance of the data and privacy policies (the "signage") that govern the exchange of information. 

In fact, unlike highway signage, there are no standards for web signage. Nor are the security icons the same across different systems and browsers. Aware people and quality information can reduce the impact and rate of cyber attacks, but this is not an easy problem to solve, especially without creating barriers to innovation. 

The convergence of solutions

As diverse as the problems are, there is a lot of convergence when it comes to solutions. 

Educating the new generation better, bearing in mind that digital security starts early (as proposed by the 2021 DISI event, promoted by RNP's CAIS), will yield well-prepared professionals in the future. 

People who are more aware of and interested in security contribute to the maturity of systems when they pressure the market to prioritize the topic, in addition to acting as a barrier against cyber attacks. 

And if there are not enough experts in the latest technologies, bringing outside perspectives into the field of security and technology, with diverse human backgrounds and aptitudes, can help defuse the "technological blackout". Plurality, in turn, can contribute to more humane, simple, predictable and resilient systems. 

Of course, we also have to improve the technology itself, reducing the chance of human error and its impact, which benefits the entire chain, from the user to the system administrator. And when problems do happen, it is necessary to know how to assess the impact and trigger a recovery plan. It is the sum of these elements that gives people the assurance they need to integrate technology further into their routines.