How can security professionals drive consumer awareness of new tech without hampering mainstream adoption?
When I was watching PCI (payment card industry) Security Standards roll out, I saw that all of the pressure was put on the banks and service providers, but not on the merchants. Part of the reason I perceived at the time was that if someone's putting money on a credit card, you don't want to encourage them to think about risk because that's against the business model of credit. You want people to spend, so the last thing you want to do is say, "Stop that, it's potentially dangerous." You can see this idea throughout a lot of the problems that we try to solve in this industry, where there’s an incentive almost to allow the bad behaviors whilst trying to enforce the good ones. It's one of those issues that we can't quite nail down. If you can make secure obvious and insecure easy for the user, and then have your product be seen as superior, less dangerous and more useful as a result of that, that's an ideal outcome. But there are not a lot of organizations that pursue that goal.
I cut my teeth on the solution side in security architecture, mostly driven by PCI, so that influenced my point of view. But it's an interesting dichotomy to process: To what degree is risk acceptable for the audience that we're trying to build out into, from a customer standpoint? Where do we factor them in? When do we need to stop freaking them out? The conversations that we have around cybersecurity are fundamentally scary, so we have to factor that in.
Voting machine vulnerabilities were one of the things that we pushed that drove much adoption of vulnerability disclosure in the US government around the 2020 election. The problem is not the fact that voting machines have vulnerabilities because they're a computer. The problem is that if you get on Twitter and tweet a picture of a voting machine with ransomware on it, even if you Photoshop that, you'll create a broader issue at that point. How do you address the issue of trust and transparency, and the idea that it's being approached in a rational way, not in one that's purely beholden to the attacker or purely exploitative of the consumer? If we solve that, we'll solve the planet.
PCI....stands for: pay cash instead :)
Quite simply, the best way is to think of the consumer first and where that consumer's pain may lie from a protection perspective. Touting benefits of new technology while weaving in specific cautions to take will not only educate and promote new tech, but also bring awareness to possible security issues one might encounter while utilizing that tech. Far from hampering mainstream use, this will further empower usage of new tech, but with the added benefit of awareness of possible threats specific to that tech.