The annual cybersecurity big bash, the RSA Conference, is now well and firmly underway. All around the place the story seems to be about soft skills, people and taking back control. For anyone from Europe, the latter sounds like the UK’s Brexit chant and not something to get excited about.
The conference opened with a brief but entertaining appearance by George Takei. Takei introduced the theme for the conference keynote, The Human Element. While focusing on the benefits of diversity he told the audience “Homogeneity spells disaster” and “Diversity is good.” Irrespective of the conference theme, these are messages that Takei regularly talks about online.
Time for cybersecurity to take control of its story
Rohit Ghai, President of RSA Security, decided it was time to focus on stories. More importantly, his view was that cybersecurity has lost control of its own story. It has allowed the media to set the narrative. Ghai claims this presents a false impression of the state of cybersecurity, not least that it makes most cybersecurity teams look like bumbling fools.
He might have a point over the portrayal. The problem is that breach after breach is caused by basic poor cybersecurity hygiene such as a failure to patch. Another element is the inability of the software industry to deliver a safe and secure product. It’s unclear, therefore, why Ghai should think the industry should be portrayed any more positively.
There are two other factors that don’t help. The first is that the cybersecurity industry has courted any self-promotion it can get. Press releases are increasingly fluffy and full of soundbites. The target audience is not the technically aware who can understand the issue, but a much wider and more diverse audience.
The second is that publications, blogs, podcasts and even analyst companies see lots of money to be made from the industry. This means that they push a lot of resources at the industry, but nobody stops to ask “do they understand it?” It is a point that was brought home in a conversation with Jeff Man, who hosts the Security Weekly podcast. He sees journalists and analysts as a major part of the problem due to a lack of knowledge.
How do you change the narrative?
To address Man’s point, in the early days cybersecurity vendors invested in journalists and analysts in terms of education. They didn’t just pitch up for a short briefing and lunch. There were day long sessions to understand the issue.
That also ties in with something else Ghai said: that the industry never talks about its successes. Yes and no. The industry working with law enforcement and security agencies always makes for good headlines, especially when arrests are made. Equally, vendors talking about how many attacks and breaches they have prevented in the last year also gets coverage.
Running people through issues from both an attacker’s and a defender’s viewpoint helps provide better understanding and context. That allows journalists and analysts to have a more balanced knowledge set when they write. The result should be what Ghai wants: a better quality of output. More importantly, output that more fairly reflects what the industry is doing.
Time to stop the focus on a pure technology solution?
Ghai also said that the media has made this all about a technical conflict and focuses on the skills of the attackers not the defenders. Much has been written about the shortage of defenders and number of attackers.
It is easy to get hung up on the numbers. As Ghai says: “There are more script kiddies than technically savvy hackers.” As any military commander will tell you, numbers matter unless you have an overwhelming technical solution and the ability to properly deploy it. The last decade has seen the narrative from the cybersecurity industry focus on customers buying the latest, shiny, all-singing, all-dancing product. It has masked the skills shortage at one level and amplified an over-reliance on technology at another.
One thing that makes many attacks successful, at least initially, is the social engineering that takes place. It takes little effort to find enough information on a target individual and then craft a phishing email with a malicious attachment. The more it appeals to the target, the more likely they are to open it. What is needed is for cybersecurity to do more around social engineering its own user base. Gamification, promoting those who demonstrate best practice and creating security champions, a phrase used by Veracode, are first steps.
Users really are a first line of defence. However, a once-yearly online cybersecurity refresher and draconian policies hinder, rather than help, engagement with them.
Change that employment process
The need to address the talent gap and burn-out was also part of Ghai’s message. When it comes to bringing in new talent, Ghai said: “It’s time to shift from elitism to inclusion.” Many HR teams dump CVs for cybersecurity roles, even junior ones, if people don’t have the right letters and awards. They often ignore experience. Think that isn’t true? Go and ask the community. Many of the cybersecurity communities I sit in talk continuously about the problem of getting a foothold because they haven’t done the courses HR thinks are requirements.
Ghai called this out when he said: “We need to find defenders outside the tech community. It’s time to stop being STEM snobs.” One solution that Ghai proposed is to look more at the neurodiverse community. He said: “80% are unemployed. It is a new talent point.” It is, but working with that community also requires an accepting culture that embraces rather than isolates.
Burn-out is a much bigger issue. From CISOs down to every security first-line responder, the industry is in firefighting mode. This leads to stress, mental health issues and people leaving the industry. There is support, but few companies have real policies that address the issue. Ghai chose not to call any of them out, but I will:
Mental Health Hackers: A community support group where anyone can seek help.
VeteranSec: A community for military personnel inside cybersecurity.
Both of these groups show how the community can support itself. However, companies need to do more. CISOs might talk from the stage about unpaid overtime, stress and mental health. But they have the ability to fix things for their staff and to get organisations to take the issue seriously.
Enterprise Times: What does this mean?
Ghai is right that the cybersecurity industry has lost control of the narrative and often appears to look bad. However, before playing the blame game, the industry, from vendors down, needs to ask why. This is a self-inflicted problem that can be addressed, but only if the industry engages to educate the media and stops relying on soundbites and social media snippets.
The problem of skills shortages cannot be solved by purely technical measures. Vendors have to help organisations understand how to better engage the entire workforce to provide earlier detection of attacks. Similarly, the industry needs to work with different communities and, as Ghai said: “Stop being STEM snobs.”
As keynotes go, this was no snore fest, and some serious issues were raised. Will it lead to taking back the story? Maybe, but it requires culture change and positive actions, not just keynotes.
Ghai’s closing words were: “We are only as good as the story we leave behind.” Let’s see what that story is next year.