Cybersecurity is getting better, not worse.
While the headlines of the past several years cast dark shadows on whether what we, as an industry, have been up to for the past several decades matters – it is not all negative.
But, I submit, Cybersecurity is getting better not worse.
As the opening keynote speaker at RSA Conference 2018, I highlighted our successes – our cybersecurity silver linings.
Marcus Buckingham, a leading business expert, has spent years studying breakthrough performance. His recipe for lasting success is simple. Double down on your strengths. Just do more of what is working and do it faster.
“When you study lastingly successful people, you find that they have one thing in common: they focus on their strengths and manage around their weaknesses.”
We should consider this approach in cybersecurity. We need to pay attention not just to the technology of defense, but the psychology of defense. The spirit of the defender matters as much as the shield she or he wields. For years we have motivated ourselves by the fear of what happens if we fail. Lets inspire ourselves with the glory of what we enable when we are successful.
Lets focus on silver linings as the blueprint for our current strengths, the fuel for our spirit and a catalyst for the advances yet to come.
End of the Silver Bullet Fantasy
Teams that win consistently do not rely on silver bullets. Success boils down to grinding out the basics – getting the big things right and not ignoring the little things.
In cybersecurity this means we are not chasing after the latest shiny gizmos, but rather taking a business-driven security approach to managing digital risk. That starts with knowing the terrain, the business context or as Rob Joyce, former Cybersecurity Coordinator at the White House states – knowing your network.
“If you really want to protect your network, you really have to know your network – you have to know
the devices, the security technologies, and the things inside it.”
We are making amazing progress by taking a risk orientation to cybersecurity, which is the hallmark of the NIST Cybersecurity Framework. While it is intended to protect U.S. critical infrastructure, it is getting strong global adoption and across industries. Version 1.1 was published yesterday.
The rise of cyber insurance is perhaps the best proof-point of all that cyber risk is mainstream. The value of premiums worldwide is already in the billions and it’s a hot growth area, estimated to grow from $2.5B to $14B by 2022. More importantly we are maturing as an industry in terms of quantifying cyber risk with standards like FAIR and Bowtie. Cyber Risk Quantification and Cyber Risk Economics are hot fields, getting venture investment and are great tools for business folks to understand cybersecurity in terms of dollars and cents.
We are getting better at cyber hygiene in order to not be easy targets, but we need more “fleet learning”. When one Tesla car drives over a pothole, the entire fleet learns about it and avoids it. If a vulnerability has been exploited in the wild, we can avoid being easy targets by patching it.
We are focused on being safer everyday rather than being unhackable someday.
Quicksilver Law of Cyber Defense
The best defensive teams anticipate better than anyone. Cybersecurity is a world of high velocity offense and defense - being at the right place at the right time before the adversary.
In cybersecurity everything moves pretty fast. Technology has grown exponentially, powered by Moore’s law. Over the next decade a trillion lines of code will be shipped by companies that have never shipped code. Companies that make trucks, pacemakers or sell insurance. Artificial intelligence will be pervasive as 46% of organizations already report some level of adoption. In addition - the S-curve of technology adoption has flattened out over time. Technology is everywhere and it is getting adopted faster than ever.
For us in cybersecurity, new technology is an accelerant. But the Murphy’s law of cybersecurity states – New technology equals New vulnerabilities. Technology is as much a target as it is a weapon. A weapon for both the offense and the defense. The bad guys have all the same technology we do.
There has always been a gap between when an emerging technology becomes mainstream and when cybersecurity professionals have learnt how to protect it and leverage it. We conducted a quick study going back nearly two decades and looked at when a technology achieved mainstream adoption and then looked at when that technology featured at RSA conference. We observed that we are, indeed, closing this gap. As an example, Biometrics emerged as a mainstream technology in 2001, but it took until 2009 for it to be mainstream in our industry. On the other hand, for cloud computing that gap was three years; IoT a mere 12 months, and Machine Learning in near real-time.
Malware identification and spam detection have been poster child use-cases for machine learning and now with sophisticated risk models, it is also helping us combat fraud and money laundering. According to the CISO of a large multinational financial services firm that I recently spoke to, the most exciting use-case is the intelligent SOC where we have recruited machines to join the good fight. At the center of this is the evolved SIEM which brings pervasive visibility from all facets of the attack surface: users, endpoints, network and the data center. User and Entity Behavioral Analytics (UEBA) serves insight to anticipate attacks and augment the speed and efficacy of the human analyst. Finally automated orchestration and response are enabling timely action. Visibility. Insight. Action.
We are also finally paying attention to the user experience - adopting state-of-the-art visualization technology. We have seen the emergence of the “beautiful security” – the concept that security tools should be intuitive, effortless, and even enjoyable to use. We have purpose built Slack-like UIs augmented with chatbots available for security analysts to collaborate and orchestrate response. At the heart of the recently introduced standard called 3DS 2.0 for credit card not present transactions is the idea of reducing friction for users. At RSA we are honored to be leading the charge to drive global adoption of this standard in our Anti-Fraud offerings.
As any new technology becomes mainstream, cybersecurity is moving faster than ever to protect it and leverage it.
Magic of Sterling Teamwork
In order to win the long game everyone must chip in. Malcolm Gladwell defined a weak link sport as one where you cannot win unless the entire team contributes. Cybersecurity is a weak link sport. To win we need collaboration between folks in the boat - security and risk teams, but also folks outside the boat - business stakeholders, policy makers and regulators, universities, IT leadership and users.
Governments, policy makers and regulators are definitely chipping in.
Between improvements across all five elements of the cybersecurity agenda – seen in The Global Cybersecurity Index – and the focus on global regulation on data management and data privacy with the EU GDPR and the US Cloud Act, the public sector is part of the team.
Business stakeholders are more engaged.
According to the 2016–2017 National Association of Corporate Directors Survey, cybersecurity is on the board agenda much more regularly and when boards are asking the questions if things are good or bad, getting better or worse, we are leveraging cyber risk quantification tools to provide objective answers.
Universities worldwide are doing phenomenal work in developing cybersecurity talent.
As an example in Singapore working with Economic Development Board, we created and executed the RSA’s Academic Alliance Program, where we collaborated with some of Singapore’s leading institutes of higher learning. Under the program, undergraduates from Temasek Polytechnic (TP) get to experience hands-on working in a real Security Operations Center and monitor real networks.
IT is playing a significant role in reducing the attack surface by taking a least privilege model, designing security into the infrastructure.
We get to see this at close quarters being part of Dell Technologies which is focused on infrastructure. In particular, we seen rising mindshare and adoption of technologies like micro-segmentation that instrument security into the data center and client virtualization layers. There is immense power in security that is designed-in vs. bolted-on. These systems understand the intended state of multi-tier applications in a multi-cloud world and can detect anomalies more efficiently. Companies like VMWare are turning the security model on its head by focusing on ensuring good rather than chasing after bad. We also see significant innovation in DevSecOps by moving security upstream into the very heart of the software development process.
A strong security posture requires an entire team of people with different capabilities, perspectives, and backgrounds -- diversity is key. If you are not able to attract diversity in gender, race, national origin, religion, orientation, and ideology, you will struggle to get security right.
The Clouds are Still There
Just go look at the earnings for many public companies and you will see them explicitly cite cyberattacks as impacting their financial results that leads to very personal accountability. There will be no sacred cows. Cybersecurity incidents now put everyone’s career at stake – from the Chairperson of the board to the CEO on down.
Incidents at Equifax, Yahoo, and most recently Facebook, are reminders that we live in an interlinked world. We all have our respective Cambridge Analyticas. What is at stake is trust in our ability to handle consumer and other data.
We live in a world where data and technology are viewed as the fuel for our digital journey. We also live in a world where trust in data and tech is tenuous. There is a very very fine line between techlove and techlash.
We wanted a seat at the table and we got it. We have been building momentum and trust. It takes a lifetime to build trust but only a moment to lose it.
As much as we worry about avoiding individual breaches in our respective organizations our collective risk is that we fail to avoid a breach of trust in technology itself.
I started this by talking about security headlines. It’s simply the nature of our work that our biggest wins will never be front-page news. When we execute on the silver linings, we don’t make headlines. In fact, we stop the bad ones.
But our work is not, nor has it ever been about our own headlines. It’s about protecting people and tech in an increasingly digital world. It’s about enabling the digital adventurers so they can make headlines. And in the past year, we’ve seen some truly inspiring headlines:
- Our world now has machine vision apps for the visually impaired, VR that enables surgeons to practice complex operations, and AI that can detect whether a 911 caller is having a heart attack.
- We have startups using the Internet to help people access clean water, microloans, and renewable energy around the globe. We have a power plant – coming online this year – that will burn fossil fuels without producing greenhouse gases.
- And looking to the next generation, we have twice as many girls and nearly three times as many minority students in high school AP Computer Science classes as in 2016.
Whether these adventurers get their organizations to their digital destination is up to us. It is our burden and privilege to keep them in the perfect zone of digital risk on their journey.
So let’s come together and honestly discuss what works and what doesn’t. Let’s learn to fuel up our minds and let’s share our silver linings to fuel up our spirits. Let’s ignite conversations to build the next generation of security technologies, people, and companies.
It’s time to double down on the silver linings.