RSAC 2022 Session Wrap Up Series: Security Strategy & Architecture

Posted on by RSAC Editorial Team

In this six-part blog series, the RSAC editorial team highlights the six buzz topics featured at RSAC 2022. Each blog will highlight one of the most popular topics and trends seen within related sessions. Our fourth topic is security strategy & architecture.

Transforming Security through Design
J. Wolfgang Goerlich, Duo Advisory CISO at Cisco Secure

Goerlich opened with some striking numbers: 90% of breaches are caused by people, and most industrial accidents are attributed to human error, with estimates ranging from 75% to 95%. Are that many people really incompetent? No. It's a design problem.

Constrained users are creative, and creative users are dangerous. Security depends on how well the needs of people are met by the affordances of the security controls. If those needs are not met, people will creatively satisfy them with affordances of their own, i.e., workarounds. Good security gets out of the way of users while getting in the way of adversaries.

The roadmap depends on where we are in the lifecycle. Before: using the design approach for security architecture and planning. During: using the design approach as part of an active security initiative. After: using the design approach to troubleshoot and address security problems as part of ongoing business operations.

What Actually Works in Security?
Wade Baker, Partner and Co-Founder at Cyentia Institute
Wendy Nather, Head of Advisory CISOs at Cisco

What does it take to actually make security work? Baker and Nather broke down the results from surveying industry professionals, and the answer is people, process, and tech—all of those are needed to make it work.

Is it better to insource or outsource SecOps? 75% of those with in-house teams reported success, while 89% of those who outsource reported success. Those who mix the two were least satisfied, at just 56%. One interesting caveat: internal teams respond more than twice as fast (6.2 days on average vs. 13.3 days on average).

Does cyber threat intelligence make us smarter? Those who don't use it at all feel fine, and those who use it extensively feel good about it, but using only some threat intelligence yielded the lowest satisfaction. It's all or nothing; ignorance is bliss, perhaps, in this instance.

Business continuity and disaster recovery (BCDR) performs best when run by security. You are not going to be successful until you are covering 80% of your systems and assets, Nather concluded.

Read all of the series:

RSAC 2022 Session Wrap Up Series: Analytics, Intelligence & Response

RSAC 2022 Session Wrap Up Series: Cloud Security & CloudSecOps

RSAC 2022 Session Wrap Up Series: Security Strategy & Architecture

RSAC 2022 Session Wrap Up Series: Risk Management & Governance

RSAC 2022 Session Wrap Up Series: Hackers & Threats

RSAC 2022 Session Wrap Up Series: Zero Trust

RSAC Editorial Team

Editorial, RSA Conference


Blogs posted to the website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA Conference™, or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.
