Some RSA Conference veterans may remember 2014, when the event kicked off its opening keynote session with William Shatner, aka Star Trek’s Captain Kirk, singing a version of Lucy in the Sky With Diamonds with cybersecurity-themed lyrics. It was a charming moment designed to recognize how security professionals were marshaling innovative technologies to fight the good fight.
Six years later, conference organizers turned to one of Shatner’s Star Trek co-stars, George Takei, who took the stage Tuesday morning with a distinctly different message.
While Takei also recognized the important job cybersecurity pros are doing, there was a notable difference: he didn’t refer to any technology. Rather, he stressed the importance of the human element in battling cybercrime. Specifically, he stressed that the industry needed to marshal all the things that make each of us unique — genetic disposition, environment, life experience, gender, race, brain chemistry — to effectively tackle its mission.
“Some of you are hunters; you seek out facts. Others are gatherers, collecting and sharing intelligence with others. And there are those who think differently, the outliers and dreamers. Together, you protect our world from destructive attacks. In your industry, homogeneity spells disaster,” Takei said. “Diversity allows us to find solutions to problems that would have eluded us.”
It was a perfect way to establish the human element theme of this year’s RSA Conference, a theme that worked its way into several keynotes throughout the week. Perhaps no one sunk his teeth into this with the gusto that RSA President Rohit Ghai did.
Ghai wove his comments around the idea that human stories — not facts, which machines are expert at spitting out — are what makes the world go round, and that the cybersecurity industry needs to change its story from one centered around technology to one that recognizes the central role human beings play.
“Facts help us understand the world as it is, but it’s stories that let us imagine the world as it can be,” Ghai said. “Stories have a profound impact on the way we feel and act. They move us.”
To illustrate, Ghai mentioned how attackers used artificial intelligence last year to mimic the voice of a German holding company’s CEO in order to get an executive at a U.K. energy firm the company owned to make a $243,000 transfer to a Hungarian supplier. In that case, the duped executive was operating from a story: he was absolutely convinced the familiar voice he heard was that of his boss, and it was that familiarity that brought his guard down.
It was just one example Ghai provided that showed how critical users’ stories are to successful cybersecurity — and how unappreciated those stories are.
“We have ignored the psychology of the defender,” he said.
Wendy Nather, head of advisory CISOs for Cisco unit Duo Security, suggested that a big part of cybersecurity’s new story is the fact that cloud computing has resulted in far-flung technology assets that change the security paradigm.
“We are trying to secure with an unsustainable security model,” Nather said during her Tuesday keynote address. “It’s time to break it and put it back together.”
For starters, she said the industry needs to trade in its controlling enforcement approach with one built on collaboration, effectively opening up the security culture to everyone in an organization.
“There are lots of ways to do this, and I know it makes people nervous,” she said. “Sometimes, users can make better security decisions than we can. We need to face this reality.”
Transitioning to a collaborative security model, Nather said, will enable business units to make security decisions, enabling them to be as agile as they want, and freeing security teams to focus on something other than trying to control user behavior.
For example, Nather held up a spoon and marveled at its combination of simplicity and effectiveness.
“Wouldn’t it be nice if we could design security that’s as easy to use and hard to get wrong as a spoon?” she asked. (To stress her point, she noted that there’s no such thing as spoon awareness training.)
A day later, Ann Johnson, corporate VP of Microsoft’s cybersecurity solutions group, highlighted ransomware attacks last year on Norwegian aluminum company Norsk Hydro and the Canadian territory of Nunavut. In both cases, the victim organizations refused to pay ransoms and instead successfully mitigated the damage, with employees rallying behind the effort.
The stories reminded Johnson of why there are signs in parks asking people not to feed birds: offer them food, and they’ll be back in larger numbers. Ransomware attackers have the same instinct. If a company pays, more ransomware attacks are likely to follow.
In the Norsk Hydro and Nunavut attacks, Johnson said, “the attackers underestimated both victims. They underestimated their creativity, and they underestimated their passion.”
That speaks directly to Nather’s call for more collaboration. The collaborative responses at both Norsk Hydro and Nunavut, with employees helping in recovery efforts, should send a powerful message to security leaders everywhere.
Said Johnson: “Investing in the human element will give your security an edge.”