RSA President Amit Yoran: 'Our Problem Isn't a Technology Problem'

Posted by Tony Kontzer

When Amit Yoran took the stage for his keynote address at this week's RSA Conference in San Francisco, most of the thousands of attendees in the audience probably expected to hear about how a new generation of security technologies would help companies get a leg up on the growing array of threats they face today.

What they didn't expect was to be told that the greatest weapons in their security arsenals were their own day-to-day actions.

"You are how you behave," was a refrain Yoran, president of RSA, offered more than once during his talk.

To drive the point home, he told a story from his youth that clearly carried the message that unintended actions can bring dire consequences.

"I distinctly remember it was my intention to clean the yard with my brothers," said Yoran. "But somehow we ended up lighting the yard on fire."

He then shared a couple of statistics that painted the picture even more clearly. One of these stats, from an RSA survey, indicated that 90 percent of security professionals are not satisfied with the state of security. Meanwhile, Gartner estimates that 60 percent of IT security budgets are spent on incident response.

Yoran insists those two findings are intertwined. Simply put, Yoran believes the industry is spending way too much time on incident response, and not enough on preventing attacks from happening in the first place. And while he acknowledged that technologies enabling comprehensive visibility of an enterprise represent a "basic building block" of security, he also suggested that technology is not the answer.

"There is no actual magic that will save us," said Yoran. "Our problem isn't a technology problem. Adversaries aren't beating us with better tech. They're beating us because they're being more creative, more patient, more persistent."

And the staggering pace at which successful attacks threaten assets as varied as intellectual property and consumer data has desensitized corporate security leaders. Large-scale breaches at companies like Target, Sony and Ashley Madison have shaken the confidence of consumers while security execs have reacted as if they expected such breaches.

"Did any of these events really surprise us?" Yoran asked. "If so, we haven't been paying attention."

So what's the best course of action? According to Yoran, companies must leverage their security analysts—whom he called "creative, patient and problem-solving"—by setting them loose to "hunt" down potential attackers.

Of course, that requires talented analysts, something most organizations say they have a tough time finding. Yoran dismissed such claims.

"Let me tell you the same thing I tell my children: Stop whining," he said. "If you don't have hunters, grow them. Train and equip people to become hunters. Give them tools to fuel their curiosity."

Yoran's thinking is quite simple: The old methods aren't working against a universe of attackers that isn't reined in by the kinds of limitations security professionals face. By injecting more curiosity and creativity into their efforts, organizations can even the playing field.

"Our opponents aren't playing the same game, and they certainly aren't following the same rules," said Yoran. "In real life, who's sitting across our game board? Likely creative human beings who are changing the rules."

So when Yoran says "you are what you behave," the hidden message is a straightforward one: Security pros need to think and act more like the attackers they're battling if they want to have any chance of ensuring their employers don't join Target, Sony and Ashley Madison on the list of victims.
