When we think about security, we often go to frameworks and categories, trying to arrange security into neat buckets like the aisles of a grocery store. Let’s put all the endpoint protection way in the back like dairy so we can make people walk past all the treats (deception, training, metrics, policies) for the stuff they have to have.
In the real world, products, technology stacks and security programs are more complex. Whether we try to focus on people, processes and technology or Identify, Detect, Protect, Respond, Recover, the frameworks just don’t help us cover security in a comprehensive way. Similarly, RSA Conference tries to cover security pretty well with our system of tracks, categorizing a range of security program needs from cryptography to policy, architecture to hacking and everything in between. Maybe that’s why being a CISO is so hard—the space is so big.
Regardless, every year, we have a series of proposals that don’t fit neatly into our tracks and categories. These end up in our Security Mashup Track, where the most intriguing, out-of-the-ordinary proposals get considered. While the committee sausage-making continues, we want to share three diverse examples that best illustrate the range of creative thinking your peers in the industry bring to their submissions.
We always see a lot of war analogies in cybersecurity activities. But we need new paradigms because this business is about much more than just war and has more strategic components, as we’ve seen in the past several years with disinformation. So is cybersecurity more like:
- Parenting – spare the rod, spoil the hacker?
- Professional-level poker – reading bluffs and tells?
- Healthcare/Data care – who’s your primary data care encryptionist?
- Narco trafficking cartels – should you be holding your keyboard sideways?
Speaking of which, Cisco, Microsoft, Apple, Google, Intel, Amazon and a few others are giant security-adjacent firms but generate a lot of their revenue outside of cyber. Who’s poised to become the first $10B dedicated cybersecurity company? Does that matter? Maybe the VCs and startups they work with need an ISAC to deal with the special issues of startups and their investors. Are there more new ISACs needed?
New Methods of Messaging
Switching gears, we’ve all heard vendors arrive to tell us what we already know about the threat landscape and the FUD their products save us from. Is there a better way to market cybersecurity to professionals, and if there is, why aren’t more companies using it?
So maybe instead, we should listen to a couple of people who’ve been around security for 20–30 years talk about what’s wrong with our industry and how we should start to fix it? Hear some good war stories (again with that analogy) or hear examples about how I saved $50 and my company’s critical IT systems. Or maybe hear about making split-second decisions in the heat of an incident—only to realize that someone made a bad decision. Could we learn from those bad decisions? Could we fix things with automation? And maybe hear about how someone has really automated their security and implemented PaC (that’s policy as code) in their environment.
Addressing the Issue of Security Poverty
So, think about a couple of big ideas—education and non-profits. Are we doing enough to educate everyone about core cybersecurity issues, so there’s a level of civic awareness and engagement in basic hygiene spread more broadly? October is Cybersecurity Awareness Month, and we can barely dig deeper with the general public than picking better passwords and maybe signing up for MFA. There’s certainly room to do more, but is there an appetite to take that on and a willingness to accept messages?
Maybe instead, we can be more tangible and offer some of our time and effort to non-profit organizations that serve so many vital functions yet often struggle for the resources that would give them solid cybersecurity capabilities. Whether it’s Doctors Without Borders, American Red Cross or a local services organization for the homeless, many non-profits struggle to get even the minimal resources their security program needs to operate. Maybe more of us should be volunteering some time to help.
Finally, there is an increasing number of non-profits helping connect the individuals, teams, vendors, enterprises and other elements of the information and cybersecurity ecosystem. What works well, and what do we need to improve about the way non-profit security-related companies engage the ecosystem to improve security for the whole?
Summarizing, as you begin thinking about RSA Conference in February, think about the many, many different topics that might enrich your career, our community and the security ecosystem. Remember: “Life moves pretty fast. If you don’t stop and look around once in a while, you could miss it.”
— Ferris Bueller, Ferris Bueller’s Day Off