Part one of this blog mini-series looked at the first five trends. Now we take a look at trends six through ten.
This is another topic that’s been explored in past submissions but seemed to hit a crescendo this year: organizations, and individuals/departments within organizations, “talking past” each other. The terms “bi-lingual” and “lost in translation” were used in more than a few submissions, as submitters explored the different “languages” spoken within organizations, and even between organizations, as “threats” are described, and therefore consumed and reacted to, differently (see #5). When misunderstandings and language barriers are overcome, a stronger cybersecurity program can be achieved across the whole of an organization, a success that several enterprises described in their submissions. This communication challenge is a meta-trend of what’s come to be expected of the CISO and underscores the evolving nature of the role. The “non-communicative technical specialist” of days gone by must now speak the language of the board, legal, privacy, rank & file, and the list goes on. Communication is clearly a must-have skill, and the pressure is greater than ever in an area that just a few years ago was merely a tactical, technical IT function.
7. The Amazing, Inspiring World of DevSecOps
DevSecOps appears to be an amazingly healthy, thriving community, full of diverse practitioners who’ve realized tremendous business benefits. As measured by our submissions, the gender diversity in particular in this space is inspiring; this is clearly a corner of our industry that is batting well above the 11% female workforce stat generally attributed to cybersecurity. We had a significant uptick in submissions from organizations eager to share best practices, lessons learned, and approaches they’ve taken integrating disruptive and transformational DevSecOps approaches within their organizations (some even utilizing the NIST CSF—see #5) as they race to secure their cloud platforms at scale (see #2). Many submissions explored the human side of this transformational shift (see #8), documenting the cultural shifts that come with a DevSecOps mindset and the unique leadership skill set needed to ensure people don’t get lost in the drive to automation. Submissions documented the role of the developer as a true partner in security—no longer passing off code to another part of the organization, but rather integrating security principles throughout the entire software lifecycle and delivery pipeline, a role that has been accelerated with cloud-native deployments. So, yeah, it’s DevSecOps; “Security” has firmly established itself right in the middle of Development and Operations... with exciting results being realized, and significant implications for our industry, when security is firmly embedded in the process from end to end.
8. We’re Still Human After All
Despite the promise of automation and artificial intelligence (and this trend is deliberately in front of the next one), humans still matter. A lot. Submissions this year explored what it means to be human: in terms of psychological exploitability and social engineering (and not just around elections!); in terms of unconscious bias in writing code because of “inherent human weakness” (said “human weakness”, though, transfers to AI because—you got it!—we teach the computers what to think through the training data sets we expose them to... so at the end of the day we still have to deal with this human factor, and it’s important we do it right because AI can amplify bias); and within the construct of the team. The humans that comprise our workforce are very important to us—how to find and train the right team is a journey that many wanted to share with their peers. From cyber ranges to exploration of “non-traditional” work pools, with prospects who lend unique perspectives and skills to the overall fabric of the team, the “people” factor, and staffing our cybersecurity teams properly, is of great interest. And by valuing this diversity across our teams, which helps us understand different perspectives and behaviors, we are able to achieve better security, build better products, and ultimately achieve better business outcomes. The human factor was of such great interest to our community that this year, in addition to our focused Human Element track, we’ve added a uniquely curated Monday seminar that features cutting-edge academic research in this space and technologists working on wide-ranging solutions to best position humans to succeed. Also on Monday, we will be including a half-day talent seminar as well as a robust half-day mentoring forum.
9. Artificial intelligence
Artificial intelligence is still a silver bullet and Kool-Aid poster child in the 2019 submissions (sharing the stage with “Zero Trust”), though we saw its application and consideration expand beyond just a discussion around the SOC and threat hunting to include software development, application security, and cloud deployments. We also saw more enterprises talking about it and referencing their use and results in tangible, measurable terms, vs. vendors just sprinkling it about like fairy dust in their submissions. Many submissions spoke to the use of artificial intelligence with offensive as well as defensive goals: not just using it to identify anomalies but also to respond at machine speed, evolving away from a rule-based systems approach. There were also cautionary tales, reminding us that “revolutions” need to be understood, definitions and goals need to be clear, and limitations must be acknowledged, or we risk unintended consequences. “Unsupervised deep learning” (because just “machine learning” is so 2018!) has promising—and perilous!—potential. Artificial Intelligence & Machine Learning has a dedicated half track; also look for related content across many other tracks.
10. Enterprise voice!
Perhaps the most exciting trend, which has been referenced above, is the voice of the enterprise users that came through prominently in the 2019 submissions and will be reflected across our program. Vendors and consultants have valuable perspectives, but it’s that magical moment when promise flows into actual stories from the trenches that we know something real has happened. There was a significant uptick in enterprise-proposed submissions this year, which bodes well for a community that learns so much through unbridled sharing of experience, best practices, hard lessons learned, and breakthroughs realized. We also heard from our CISO audience, interested in engaging with the larger security community (see #5) about their experiences, but also valuing those closed, quiet and safe conversations with their direct peers. We have offered the Monday ESAF (Executive Security Action Forum) program for a small group of F1000 CISOs for the last 15 years, growing a strong, tight environment where tremendous learnings are shared. Building on this success, this year we are introducing the CISO Boot Camp program, with content developed by and for CISOs, to further this enterprise-focused sharing of experience in a Chatham House Rule setting for a limited number of participants.
Ten is never enough to cover everything we see in the submissions. We saw a landslide of cryptojacking attack sessions. 5G was woven throughout many discussions. There was an uptick of quantum-focused sessions (have we reached critical mass? The jury is still out!). More and more military terms have seeped into how we talk about cybersecurity: “left of boom”, “cumulative deterrence”, “maneuver warfare”, “patrolling”, “center of gravity”, “black swan”, and “counterinsurgency”... to name just a few. And “blind spots”—lots and lots—and lots!—of blind spots. It seems to be a favorite marketing term this year! Thank you to those who participated in the call for speakers process and especially to our Program Committee, who carefully reviewed every submission and thought hard about the program selected. Some of them will be sharing insights from their review process as well, adding additional color to this trend review.