Henry Ford once said, “Coming together is a beginning, staying together is progress and working together is success.” While each one of us is different—visionary or pragmatist, builder or fixer, disruptor or peacemaker, mentor or non-conformist, comic relief or observer—bringing all our individual traits together results in a stronger, more diverse whole. This was the overarching message of RSAC 2020, the security conference that just wrapped up last week in San Francisco.
Finding Humanity Within Security
The RSA Conference brings together a large number of cybersecurity practitioners, vendors, analysts and other experts, creating a valuable opportunity to really understand what’s important in the industry right now. This year’s conference theme was the “Human Element.” For all the sophisticated technology out there, it’s actually the cybersecurity professionals—their ideas, creativity and knowledge—who are central to protecting the digital world. These experts approach the security challenge from a variety of directions: InfoSec, SecOps, AppSec, DevSecOps, security policy and management, security tool development, security training, plus many more. And when you look at cybersecurity through a people-centric lens, you start to see a thread running through all of these disciplines. For maximum effectiveness, cybersecurity must become a notion and a practice, to be embedded in everything we do. Like a natural habit.
Trekkies from around the globe who made the trip this year were delighted by special guest George Takei, who took to the main stage with an inspirational presentation on the conference’s unusual theme of the “human element” and what makes us, us. In the cybersecurity industry, “homogeneity equals disaster,” Takei warned. “But unity and purpose among very different people—well, that’s another story. No matter what differentiates you, you are united by a common purpose: preventing, detecting and responding to threats.” That’s what the “human element” is all about.
This notion of a larger whole is far more than lip service. For the second year in a row, the RSA Conference has featured its RSAC Engagement Zone, a dedicated networking space on the show floor meant to encourage interactive, collaborative and cooperative learning for the thousands of security experts in attendance. During a non-stop week of presentations, panels, demos, evening events and mile-long coffee queues, the Engagement Zone offered a chance to slow things down, get off your feet and engage in meaningful human interactions, often about ideas and challenges in the industry. Attendees can use the space to catch up with peers one-on-one, join meet-ups focused on hot topics, problem-solve collaboratively, engage in free-form discussion with like-minded individuals and crowdsource learning experiences across people, processes and technologies. For many, this opportunity to connect more deeply about professional issues is a valuable one.
Following Security Trends
Two other areas getting a lot of attention were product/application security and board-level visibility into security methodologies and their effectiveness. The concept of enabling security as a natural motion is particularly important in both of these areas and was explored throughout RSAC 2020. Long before this year’s event began, over 2,400 would-be presenters responded to the RSAC 2020 call for speakers. As the event organizers pored over the submissions, some distinct trends emerged, which they published in the RSAC 2020 Trend Report. This year, they received more deep-dive technical submissions focused on secure product development than ever before. So many, in fact, that it spurred them to add new focused tracks on product security and open source tools. They also saw continued growth and maturation in DevSecOps-centered proposals, which populated the tracks dedicated to DevSecOps and Application Security.
It’s no coincidence that this is all happening now. When RSA President Rohit Ghai kicked off the keynotes, he said, “In the world of edge computing, where the technology footprint is pervasive, and with the advent of DevOps, the speed of software (and therefore vulnerability) creation is exponential.” He reproached the industry for failing to hold IT and software makers accountable for cyber hygiene and vulnerabilities, and he added that we are not well organized to collaborate with users, business and IT teams.
Ghai is right. We’ve got a vast marketplace of tools, each of which plays a role in securing our systems, applications and operations. But as long as they continue to function independently, we’ll never make cybersecurity an instinctive and automatic part of doing business. That’s why risk-based vulnerability orchestration across applications and infrastructure is so effective. It enables us to integrate security into the development process, align development and security teams around business priorities and provide a standard framework for understanding, communicating and managing software and infrastructure risk.
The RSA Trend Report highlighted a number of speaking submissions to help C-level executives communicate “up, down, across and throughout their organizations and the organizations that are part of their extensive supply chains,” including dashboards, metrics, and other ways to share not just the same language, but a common purpose. Ghai also addressed this in his talk. He said, “The great news is business leaders, directors, boards and risk officers are now keenly interested in our [cybersecurity] story, but they’re on the sidelines, asking questions, seeking to understand.” This needs to change. As Ghai remarked, it’s not enough for them to be keenly interested observers. They need to be actors in the story. He called them the “zeroth line of defense.”
Remembering to Collaborate
There was also a panel discussion on “How Corporate Boards and Governments are Collaborating on Cybersecurity.” In his introduction to the session, Larry Clinton, President and CEO of the Internet Security Alliance, told the story of ISA’s efforts to get boards involved in cybersecurity. When he started the organization in 2002, they tried to teach boards about IT. But, as Clinton noted, boards don’t want to talk about NIST frameworks and ISO standards. Then in 2013, AIG, which was working with the National Association of Corporate Directors, approached ISA with a new idea: instead of making boards learn our language, let’s learn their language.
Rather than imposing cybersecurity onto the board as an “extra” thing to deal with, ISA’s goal was to embed it into the things boards already care about—namely, growth, productivity, strategic partnerships, innovation and mergers and acquisitions. They were able to start creating that “zeroth line of defense” by giving boards a handbook which put cybersecurity into the context of the things they were already doing. And that made all the difference.
A handbook outlining key guiding principles to enhance board oversight of cyber risk is valuable. Yes, it provides the overall know-how. But to actually enable effective oversight, you also need the right tools and controls in place, something most organizations struggle with. Orchestration delivers the comprehensive, continuous and accurate visibility needed to create a standard framework for understanding, managing and prioritizing application risk based on potential business impact and to support executive and board-level reporting requirements.
Form New Habits
Aristotle said, “We are what we repeatedly do. Excellence, then, is not an act, but a habit.” And so it must be with cybersecurity. We know asking people in non-security roles to perform acts of cybersecurity results in only marginal improvements. That’s why we instead need to help them make security a habit. It needs to be something they just do, without even thinking about it.