The 2019 RSA Conference theme celebrates our successes and urges us to continue improving the security of our digital world.
In last year's opening keynote I also celebrated our successes with Cybersecurity Silver Linings. I challenged us to double down on those silver linings...to get better. In this year's opening keynote, co-presenter Niloofar Razi Howe and I told the story of a great future for all of us in the Bio-Digital Era. We talked through the difficulties we overcame (the Trust Crisis) to arrive at this bright new era...this better time and place. Celebrating our successes.
While the keynote took us on a fictional journey, there are many key truths in the story. There are actions we can take now to help bring about our better digital world – our Bio-Digital era where we win with Trust.
Humanity has transitioned through four distinct eras: Agricultural; Industrial; Internet; and Digital.
Each era brought its own flavor of disruption, and organizations have had to adapt to win. During the Agricultural Era, it was all about Quality. Scale became important in the Industrial Era, followed by Speed in the Internet Era. The Digital Era brought billions of people online with tens of billions of connected devices running on multiple clouds, connecting everyone to everything, and Experience is the winning formula. In the not too distant future, we will enter a new era where digital technology will truly be everywhere, even inside us. To win in this brave new world we must have trust. Trust in our technology. Trust in our industry.
We find ourselves in a perplexing paradox of trusting complete strangers. We invite them into our cars, our homes, and our businesses using platforms like AirBnB, Uber, Turo, TaskRabbit, LendingClub and KickStarter. These platforms form the basis for a trust network between individuals. But as this peer-to-peer trust between individuals rises, trust in institutions and organizations is plummeting.
Interference in democratic elections around the world is causing people to lose faith in their political and social institutions. In order to sow widespread chaos and discord, nation-states are making individuals the target of their attacks and influence campaigns.
Americans are struggling to maintain belief in democracy as an ideal form of government.
The constant dissemination and amplification of fake and biased news, combined with the prevalence of deep fakes littering cyberspace, is causing individuals to lose faith in the independence and veracity of news sources as the line between fact, opinion and misinformation blurs.
The rapid rise of social media platforms drove such political polarization that fact-based rational discourse has all but disappeared from the public domain, in turn causing individuals to question whether their governments will or can solve our most important societal problems.
As a community of security and risk professionals we can stop the Trust Crisis before it takes further hold. To do so, we must have an epiphany.
We should continue to worry about the threat landscape.
But what we should really do is...Begin to obsess about the trust landscape.
Risk and Trust Coexist
Restoring trust in the digital world is not about eliminating risk, but about understanding, prioritizing and managing it.
We must learn to manage risk to our political and social institutions, not by eliminating bad actors but by teaching information literacy so that our citizens can no longer be targeted, manipulated and misled.
We must learn to manage risk from social media platforms, from fake and biased news sources, and to discern deep fakes when they appear. Not by undoing the first amendment, but by sharing information so that people understand the actors and motives behind these polarizing voices and make better choices about how they consume information.
We must learn to manage cyber risk to our businesses. Not by locking down our networks, but by ensuring reliability and resiliency through risk management.
As the concept of the perimeter evaporates, along with the ability to keep things in or out of the network, we must manage risk. Not only by understanding the likelihood of a potential loss event, but more importantly, by understanding the business impact of these events to take a risk orientation and protect what matters most. Risk practitioners need to recognize cyber risk and digital risk as the largest facet of risk going forward. The domains of cybersecurity and risk management are converging and making each other better.
An organization's digital risk is more a function of its ecosystem than its own digital footprint. In the digital world, 3rd through Nth party risk is far greater than first party risk. It's like when you trust your home to your teenage kids, it's the friends of their friends you should worry about the most.
Owning, managing and reporting on risk must simply become our new normal.
Humans are not trustworthy in certain areas. We suck at remembering passwords. We struggle with processing vast amounts of data. And yes, some of us still click on dancing cat videos.
AI is getting exponentially better than humans at most tasks. While riding a supercharged Moore's law, AI is becoming the lightning rod of mistrust in technology because it displaces jobs and suffers from the biases inherent in the data fueling it.
In fields like medicine and law, AI is hampered because it lacks empathy and raises concerns around ethics. In the field of cybersecurity, it is not designed to work in adversarial environments.
Then there is "the explainability challenge". Machines are superhuman at getting to better and faster answers, but they cannot explain how they got those answers. Would you trust a robot doctor telling you that you need brain surgery? Even if you knew that it was probably right? "Trust me!" the machine said. But it is so hard to.
So who do you trust? The human who can be manipulated with emotion? Or the machine that can be manipulated with data and is vulnerable to cyber-attacks? Do we even need trust?
Applying pair programming, an idea from the early days of software engineering, we can pair humans and machines together for better outcomes.
Embracing pair programming here can lead to an age of augmentation, where we can place more trust on human and machine together than on either individually.
But we must remember that our adversaries are doing the same.
In the SOC, a digital twin, a human paired with a machine, works to preserve trust and fight the adversary on the other side, who is also a human paired with a machine. It is a battle of twins versus twins. One set working to erode trust. The other fighting relentlessly to preserve it.
Chain of Trust
An organization's reputation is the currency that matters most when things go wrong, and it will determine how and whether the organization survives a serious misstep.
Reputation works like a distributed ledger recording deposits and withdrawals. You make a deposit when you do the right thing, especially when it's the hard right. You make a withdrawal with every wrong choice, especially when it's an easy wrong.
Whether or not there is a run on your Reputation Bank during a crisis depends entirely on your perceived trustworthiness. Trust does not require perfection. Trust requires transparency, accountability, honesty and reliability.
We share breach and attacker information within closed networks of trusted peers, but we do not celebrate our successes enough. We are not making enough deposits in the Reputation Bank.
As the Digital Era unfolds we must learn the value of sharing information, sharing attacker techniques, and disclosing breaches.
Information locked away in walled silos is useless.
These three key ideas will lead us to a world worth fighting for. A world where we unshackle innovation; allowing it to move at the speed of thought and drive incredible economic and humanistic gains.
By effectively managing digital risk, we will be able to embrace new waves of technology and use them to make our businesses efficient, our transactions trusted and secure, and our workers productive, resulting in a new world.
A trust-enabled world.
# # #
Learn more by watching RSA's 2019 RSA Conference keynote, The Trust Landscape, featuring RSA President Rohit Ghai and Security Strategist Niloofar Razi Howe. Video courtesy of RSA Conference.