5 Groundbreaking—and Terrifying—Things We Learned at RSA
This week at the 2019 RSA Conference in San Francisco, business and security leaders put their heads together to figure out how to get better at information security. Read our five takeaways from one of the biggest cybersecurity events of the year.
1. The Security Industry Is Failing
“Collectively, we have failed our customers,” said Pat Gelsinger, chief executive officer of VMware, during the keynote Three Things the Security Industry Isn’t Talking About (but Should Be). Instead of building security capabilities, organizations focus on security threats. Instead of preventing threats, security teams spend about 80 percent of their time reacting to them.
“We have to change our approach,” said Shannon Lietz, director at Intuit. That starts with investing in prevention and shrinking the attack surface.
And enterprises must focus on safeguarding applications and data instead of infrastructure and devices. “By focusing on infrastructure we have the wrong frame of mind,” she said.
Finally, the industry can’t continue to bolt on security. It should be intrinsic, simple, less siloed and more manageable. “There’s a lot of awesome tech out there,” she said. “But complexity has really become the enemy of security.”
2. Machine Learning Will Help Cybercriminals Be Faster and Smarter
With machine learning (ML), who will out-innovate whom: companies or adversaries? In the keynote, “Lightning in a Bottle, or Burning Down the House?”, McAfee leaders cautioned security professionals to understand both the potential and the limitations of ML.
The emerging technologies companies use to detect and respond to threats will also be accessible to cybercriminals. Paired with publicly available records and content, ML can reveal weak spots that let attackers commit cybercrimes more effectively and at scale. As an example, Steve Grobman, vice president and chief technology officer, and Celeste Fralick, chief data scientist, built a basic ML model using openly available city data to predict under which conditions city crimes result in arrests or allow criminals to get away.
Alternatively, adversaries could tamper with a company’s ML model and change portions of its data in order to skew its conclusions. In Fralick’s example, she tricked an artificial intelligence into interpreting a picture of a penguin as a frying pan. In more malicious scenarios, the impact of a false negative or a false positive could be detrimental. Imagine if the same were done with traffic light colors, she proposed.
3. PowerPoint Is a Common Response to a Security Crisis
Caleb Barlow, vice president of IBM Security, is behind the company’s X-Force Command cyber ranges, where security teams learn crisis leadership. His team exposes the weaknesses in organizations’ processes and culture. One insight he’s gained: Enterprises are particularly guilty of slowing down response times with meetings and PowerPoint presentations. “Slowing down to achieve perfection is just going to derail your response,” he said in the keynote, Change Your Approach to Get It Right.
These types of rigid processes were “meant for an era I think is disappearing,” said Mary O’Brien, general manager of IBM Security. Enterprises need to update not only their technology stack for the evolving security landscape but also their mindset, processes and culture. She advocates an agile security culture, where the security team is connected to IT, engineers, executives, lines of business and even customers.
After all, “human adversaries don’t play by the book,” she said. New and diverse perspectives will help security teams detect weaknesses beyond what technology is designed to do—and ultimately win the war, not just the battles.
4. The Talent Gap Will Weaken the Entire Security Industry
“We must come together as an industry to address the major gaps that we have: the gaps we have in cyber talent, cyber skills and inclusivity,” said Ann Johnson, corporate vice president of Microsoft cybersecurity solutions, in The Power of People: Amplifying Our Human Capacity through Technology and Community. “If we do nothing to address these gaps, it will impact every single one of us in our everyday lives.”
“What happens if these jobs remain unfilled?” she continued, referring to the estimated 3 million shortfall of cybersecurity professionals in the next two years. “Our defenders, those people on the front lines, they are going to burn out. They will leave us defenseless.”
So what can leaders do? Empower these defenders with more powerful tools, like the cloud and AI, so they can be more productive, and look outside the typical profile for cybersecurity professionals. “Our teams must be as diverse as the problems we are trying to solve,” she said.
5. The Erosion of Trust Could Halt Human Progress
Security is more than protecting a company’s data and assets. It’s the business of protecting trust. And trust is an enabler of human progress: the creation of wealth, the use of technology for social progress, the level playing field for innovation.
“Trust is to the economy what water is to life,” said Niloofar Razi Howe, cybersecurity strategist and entrepreneur, in the keynote The Trust Landscape. She and Rohit Ghai, president of RSA, imagined a biodigital era in 2049 where humans embed technology in themselves and print digital organs. The key to progressing to this next era is trust, they argued. But today, humanity is up against a trust crisis.
To help rebuild trust, security leaders must help the institutions they protect do the right thing. Leaders need to stop aiming to eliminate risk and instead manage it. They should consider machine learning a partner, not a replacement, and treat every cyber crisis as an opportunity to demonstrate accountability and transparency. Reputation is the best marker of trustworthiness, they said, and it determines how an organization will survive when it missteps.