Updated: Jun 21, 2018
As the digitization of our lives accelerated, so did the pace at which cyber threats developed. In 2017, the number of new malicious files detected was around 360,000 [i]. Per day. A new specimen of malware emerged every 4.2 seconds [ii].
To function, the world economy used to require three fundamental pillars: reliable currencies, private property and the enforceability of contracts. It also used to run on paper, and criminals could not “threaten paper”. Now they can. Cybercriminality threatens the integrity of the digital paper on which our economy is written: cyber threats are ubiquitous [iii], hard to document and very hard to prosecute [iv].
As transactions move online at a growing pace [v], and cyber defence is lagging, cybercrime has come to threaten the fabric of economic activity and cyber security is fast becoming the fourth fundamental pillar.
Melanie’s calling in life is to battle that hurricane of digital aggression to help the clients of Radically Open Security (ROS) protect themselves. ROS also disrupts the cyber-security consulting industry by sharing knowledge and educating its customers against cybercrime, while promoting an open cybersecurity culture.
Why, you may ask, is there anything innovative in this brief? Sharing knowledge only makes sense! It does, but that’s not a prevalent strategy in security consultancy. As Melanie puts it:
"A business should always be the embodiment of a force for societal progress."
Sadly, that is far from the norm in the cyber security consultancy world. Melanie has criss-crossed this industry in many ways, as student, teacher, researcher, client and now provider of security services. And she profoundly believes that the time is ripe for a new, more mature kind of service offering.
She regrets the frequent attitude of secrecy that cyber security consultants tend to adopt regarding the practices, techniques and tools that they use. From her experience of working with them, she concludes that this secrecy only serves as an artificial differentiator, hiding in fact a remarkable sameness.
“Customers see this behaviour as condescending, and it gives cybersecurity experts a really bad name.”
Whilst customers may have in the past lacked the competence and experience to work shoulder to shoulder with their providers, this is no longer true. For many businesses, cyber security has become mission critical, and the market has matured very fast. If the cyber security industry is to keep a clean name, it also needs to up the level of its game.
Can you imagine your accountant hiding from you how exactly they calculated your P&L and balance sheet? You would become immediately unable to interpret your own year-end results. Well, cybersecurity should work the same.
Melanie contends that the purpose of cyber-security consulting should not only be to fix problems, but also to enhance the resilience of client organisations by sharing knowledge and methods with them. Problem fixing alone might not be catastrophic if cybercrime were a stable, well-known and slowly morphing threat, but it is not. In short…
"Cyber-security consultants who only fix today’s problems but do not share knowledge make their customers more vulnerable to tomorrow’s attacks."
After one year at ING, she had seen enough, and started ROS. It has since grown into a scale-up boutique cybersecurity consulting firm, built around a core team of well-known and respected hackers. With very few full-time employees and a growing pool of battle-tested freelancers, the company is structured as a movement of like-minded professionals who all yearn for a more ethical and constructive approach to cyber security consulting. They work on increasing the collective knowledge and savvy of their customers. At the core of their approach are three principles:
Openness & transparency: ROS security interventions are fully documented in real time and shared with the customer. Customers are encouraged to take part, ask questions and learn from what they see. The “Don’t breathe down my neck” annoyance became the “Peek over our shoulder” process. ROS contributes to threat intelligence by creating publicly available documentation, thereby building collective knowledge about security.
Ethics: ROS does not do backroom deals with intelligence agencies or governments, nor does it develop employee monitoring tools. They endeavour to build and follow a demanding code of ethics for cybersecurity intervention, and morally vet assignments before they take them.
Open source: ROS is committed to building a more secure cyberworld and shares 100% of its creations online as open source. They follow development standards that make their work easier to use and adapt for others, including their competitors.
Finally, to prevent or minimize any conflict of interest, ROS is structured as a fundraising activity for a charity [vi]. 90% of its profits are sent to the NLnet foundation, a philanthropic research and development organisation working since 1982 to facilitate the exchange of digital information.
Melanie underlines that, given how ROS is structured, there is no possibility that she could personally get rich from it. This seals its destiny as a societal project and lends credibility to its ambition of ushering in a higher moral order.
There is not much about Melanie that I could write that is not already amply illustrated by the way she works. Some activists are vindictive, she’s not. She is not on a crusade against anyone. She’s on a journey for and with everyone, including her competitors who can benefit from the work that ROS does and openly publishes.
And that earns Melanie a choice spot in the panel of leaders who live by this principle from Abraham Lincoln: “The best way to predict your future is to create it”. She predicts a safer future, but then, she and her team are hard at work making it happen.
About Melanie Rieback
Passionate about cyber security, Melanie studied computer science at Miami, TU Delft and VU Amsterdam. Her PhD dissertation exposing the vulnerabilities of RFID chips received worldwide coverage. Melanie worked in various research, teaching and management positions before arriving at ING in 2013. She founded Radically Open Security in 2014. The company is structured as a Fiscal Fundraising Institution (FFI). ROS was named the 50th most innovative SME by the Dutch Chamber of Commerce in 2016. Co-founder of the Dutch Girl Geek Dinner, Melanie has received many awards for her work, in particular Most Innovative IT Leader by CIO Magazine NL (TIM Award) in 2017.
[i] Kaspersky lab, December 2017 press release.
[ii] See malware trend 2017: https://www.gdatasoftware.com/blog/2017/04/29666-malware-trends-2017
[iii] See Adam Bannister, 2017, The numbers behind the inexorable rise of cyber threats. As the threat expanded in scope, so did the expertise needed to counter it, and cybersecurity is now a $150B market, slated for a more than 54% increase in the next 4 years (Source: Statista, www.statista.com).
[iv] Roger A. Grimes, 2016, Why it’s so hard to prosecute cyber criminals.
[v] Whilst cash payment continues to be mainstream, dematerialized payments of all forms are fast growing. Cap Gemini, 2017, World Payment Report 2017.
[vi] In Dutch, a Fiscaal Fondswervende Instelling (Fiscal fundraising organisation).