What Do We Owe Each Other? Securing Systemic Dependencies and Beyond


Posted in Podcasts


Recognizing that the security of our interconnected world is as interdependent and fragile as a Jenga puzzle, how do we ensure that the entire system doesn't fall apart when a single block is pulled? What do we owe each other, and how do we work together to ensure that the organizations with the fewest resources—be they non-profits, NGOs, or public schools and institutions—have what they need to be resilient in the face of a cyberattack? In this podcast, we'll examine the security poverty line and our systemic dependencies and explore what we owe each other in order to ensure a more secure world.


Podcast Transcript

Introduction:
You're listening to the RSA Conference podcast, where the world talks security.


Kacy Zurkus:
Hello, listeners, and welcome to this edition of our RSAC 365 podcast series. Thank you so much for tuning in, and happy holiday season to you all. Today we're exploring security through a more altruistic lens. To borrow from President John F. Kennedy, we are not asking what security can do for us, but what we can do for security. I'm Kacy Zurkus, content strategist at RSA Conference, and today I'm joined by Dr. Kelley Misata, founder and CEO of Sightline Security. Kelley's also a member of our RSA Conference program committee for our open source tools track, and we're happy to have her join us today. Here at RSAC, we host podcasts twice a month, and I encourage you to subscribe, like and review us on your preferred podcast app so that you can be notified when new tracks are posted. And now I'd like to ask Kelley to take a moment to introduce herself before we dive into today's topic. Kelley?


Dr. Kelley Misata:
Hi, Kacy, I'm so excited to be here. Thank you very much for inviting me to your podcast. I'm Dr. Kelley Misata, I am founder and CEO of Sightline Security. I'm also known as a chief trailblazer because of the work that we're doing, helping nonprofits assess cybersecurity and bring best practices into their organization. I'm also president and executive director of the Open Information Security Foundation. We build an open source security technology called Suricata.


Kacy Zurkus:
Well, we are excited to have you, and Kelley as I mentioned, you're a member of our program committee, and I recall a few months ago when we had our trends conversation with the entire group, many of the members of our program committee identified the theme of altruism as a trend that was coming through in many of the submissions that they read. And it really was incredible that it was across all tracks. It wasn't just, "Oh, in this track we saw this." It was really across all the submissions.


Kacy Zurkus:
So can you talk a little bit about this question of, what do we owe each other, as it relates to the interconnected world that we're working to protect, and maybe even a little bit about how you've seen that sort of come a little bit more to the fore, and sort of what that looks like.


Dr. Kelley Misata:
You know, I have to say Kacy, during the program committee call, when we were talking about this and it was being revealed, I have to say, I wanted to leap out of my chair and just scream with delight.


Kacy Zurkus:
Of course.


Dr. Kelley Misata:
You know, I think for a lot of years, security in sort of the giving back sense, and how do we take care of the entire ecosystem and the communities at large, and the companies at large, it's always been sort of a task feeling too big to tackle.


Dr. Kelley Misata:
And the fact that as a field, that we're starting to say, we need to broaden the net to bring every organization in, to bring in more people into the field, and actually realize that by doing that, we're making ourselves all more secure. It's not like if I get to sit in my own house and lock all my doors, that I'm perfectly secure all by myself. It's everyone that we're connected to. And I just love the fact that as an industry and as the conversations are evolving, we're realizing this. Unfortunately, I think that's also coming from the fact that many of the attack vectors are happening in spaces that we weren't ready for. And we've talked about critical infrastructures, and we're talking about public sector, and we're talking about nonprofits, and it's really incredible to start seeing that.


Dr. Kelley Misata:
So I think the evolution of the past two years, and people just sort of reevaluating their own sort of place in the world and what's important to them, that's been part of this equation, but I also think it's just been the evolution of our industry to say, "We need to cast that net much wider because we are all connected."


Kacy Zurkus:
Right. Right.


Dr. Kelley Misata:
And, I loved when I spoke with the advisory board about their predictions for 2022, Hugh Thompson, who's our program committee chair, used the interesting simile of saying that, "Our interconnected world is like a Jenga puzzle." Right? And I just love that image because you can re... It's very visual. You can see that... And we've all played Jenga, we know the delicacy with which we remove those blocks and try and reposition them and the fragility of that tower. And so, how do we ensure that the entire system doesn't fall apart when we remove a single block?


Kacy Zurkus:
Yeah. I think a big part of that is realizing that everybody needs to be involved.


Dr. Kelley Misata:
We tend to sort of compartmentalize either people or types of organizations or sectors. And we say, "Okay, well, these guys have a lot of money and a lot of time and a lot of whatever. Oh, they can afford security. They can afford doing things the right way when it comes to information, data security." But then we have all these other folks, well they don't have enough money, or they don't have resources, or they don't have the skillset that we need them to have. So they are not going to be as secure. We're just going to keep them in the corner. Right? And I think we've operated in that sense, and now people are starting to step back and say, "Oh, sugar, okay. If we've got all of these organizations and all these people in our lives, and we're all connected, we can't put somebody in the corner." It's like, remember the movie with Patrick Swayze-


Kacy Zurkus:
Dirty Dancing?


Dr. Kelley Misata:
Oh don't, Dirty Dancing! Don't put Baby in the corner!


Kacy Zurkus:
Right.


Dr. Kelley Misata:
This is really what we're talking about, is that we have to bring everyone out on the dance floor to be able to do this well. And it doesn't mean that everybody has to do it the same way, because security really can be appropriate for the type of organization or for the person, if you want to get it down to that level. But we don't have to do it all the same way, but we all need to be doing it. And that's, what's so critical about that Jenga model that yeah, they stack so beautifully and so strongly because they're stacked together, not separately.


Kacy Zurkus:
Right, right, right.


Kacy Zurkus:
And you know, you do mention these sectors that are highly targeted because they are the more vulnerable. Right? The nonprofits, NGOs. My big passion is protecting public schools, probably because I have young kids that are in schools and education institutions, but what are these smaller organizations, or even really, maybe not, they're not small, but they're just budget-constrained organizations.


Kacy Zurkus:
What do they need to be resilient in the face of a cyber attack?


Dr. Kelley Misata:
You know, I think for a lot of them, it's about being aware and having a plan, even if the plan isn't perfect, or even if you're not sure what it's going to look like if it were to happen, or when it will happen to you, but not having that awareness at all, I think is the greatest need, which is why helping these organizations and helping these actual individuals in many cases, understand that cybersecurity doesn't have to be mysterious. You know, we're not unicorns out there. We're just regular people who see the world through different eyes. And if we help these organizations sort of understand how they can also see what we see, by building the conversation around language that matters to them and that resonates with them to start, and by being patient. I think many of us in the security space are so impatient because we see the criticality of it, that we forget that it's more important to have someone do something in the right direction, than not to do anything at all.


Dr. Kelley Misata:
And at Sightline some of the things that we really profess to our members is, do one thing, because that's elevating that awareness and you're taking action. I don't care if you do 10 things, just do one thing.


Kacy Zurkus:
Right, right. It's interesting. I was having a conversation this morning with my husband who is much more patient than I, and we were talking about our 10 year old daughter and he was explaining to me, well, "She comes at it this way, and the instructions that she's given are coming from this direction." And it's not, you know to your point of explaining things so that they make sense. And I think the issue is never that people don't want to be secure, it's just the approach, the avenue that they're coming at it from is just a different direction from where other people might be coming from.


Kacy Zurkus:
And so building that common language so that we can all understand each other and get on the same page, is really important. One thing that's also important is the time of year that we're having this conversation. Right? I was so excited when I was able to look at our planning and look at December and I thought, oh my gosh, that would be a great time to have this conversation with Kelley, because it's about altruism. It's the holiday season, there's lots of fundraising going on, but in some respects, it also puts a lot of these nonprofits or NGOs... It puts a target on their back. So when we combine that with us all being distracted during this holiday season, how can we help nonprofits stay vigilant and safe without overreaching?


Dr. Kelley Misata:
That's a great question. And it's funny because I think particularly this year, when we're sort of coming out of this weird space of being isolated from people and the festivities and all this wonderful energy that we have during the holiday season, we're coming out of it, after over a year, people are so hungry for it that it's like, okay, it's like having children. I mean, my children are older and you want to tell everybody, "Calm down, let's just not overreact here," because we all create that so much.


Dr. Kelley Misata:
So recognizing that that's where people are coming from, nonprofits as well as their donors, is the first order of business, because what we are suggesting to our members to actually convey to their donors, who might be some of the people listening to this podcast, is: be aware that nonprofits are putting up the big giant flag saying, "We're taking in lots of money right now, and by the way, we're at our holiday parties. Please, come attack us because everything is not being watched." And I think for a lot of these organizations, just sort of putting a couple of little checks and balances in place this month is what we're advising.


Dr. Kelley Misata:
One is, check in with your IT provider and say, "Hey, just to let you know, we're going to be at our holiday party for this evening," or that evening, or "We're going to be doing a big community event over the course of a few days, these are the days," or "We're going to close our offices over a few days." Check in with your service providers. The other thing is to let your donors, and the other key stakeholders, know when you are going to be offline, or when you're going to be taking a little time off, because you want them to know, "Hey, if you get a message from us during this time..." Many, many companies are taking that week between Christmas and New Year's off. "If you get a message from us during that time, it may not be from us."


Dr. Kelley Misata:
So by them just raising the awareness of their donors, raising the awareness of their staff and their volunteers, they're helping everybody sort of level set and say, "Oh gosh, I just got this weird email. It's Christmas Eve, I know that this organization's closed. I'm not going to respond. I'm not going to reply. I'm not going to click on it. I'm not going to do anything. I'll wait till Monday." Because that's what we want them to do, is raise that awareness, just make some mentions to the people closest to them, and enjoy the holidays. We don't want them to be like so bogged down and worried that they forget to enjoy things, but we want them to raise that level of awareness, particularly at this time of year.


Kacy Zurkus:
So, one question that I have that I think people might be thinking in the back of their minds when they stop to reflect on, where do we go from here, and even more so, what do we owe each other? This idea of altruism in security and extending aid to those who maybe need a little help, some businesses, and it's a reality for many of them, they are simply struggling to do the basics well for themselves. The idea of even stopping to think about another organization, security or lack thereof, is not within the realm of their day. Right?


Dr. Kelley Misata:
Right.


Kacy Zurkus:
The security is still seen as an obstacle and CFOs don't see the ROI on security investments. So how do we get organizations of all sizes, larger enterprises, to buy into this idea of working together to ensure security as a collective good?


Dr. Kelley Misata:
It's so funny. I just had this conversation with someone who's very well known in the security space, a couple of nights ago, and I felt like I got on my soapbox a little bit. So forgive me if I do it again here, but-


Kacy Zurkus:
Get up there girlfriend.


Dr. Kelley Misata:
All right. All right, here I go. Good to even wear my high heels. Okay. So here's where I'm coming from with it. And this really is because of the work that we do at Sightline and it's sort of my own personal feeling about it. We keep talking about cybersecurity like it's a special thing that's sitting on the side of everything else. Why is that? Why do we have to make it a special line item in the budget? Why do we have to have a special program around it? Cybersecurity needs to be woven into the functions of the businesses, just like anything else.


Dr. Kelley Misata:
When you talk about human resources, you should talk about, "How do we protect the information of our employees?" When you talk about finance, you should talk about, "How do we protect the information related to money, and to our investments, and to our investors?" The more that we keep cybersecurity as a special event, as a separate conversation, as something we do once a year as we do our own training, just around cybersecurity, the more that we separate it, the less people are going to understand how it leads into just everyday stuff, because we're using this technology every single day. We need to think about how we think about security every single day. So I think that there's a way to get there and at Sightline we really preach this a lot because it's the way that we found that many nonprofits step in and say, "Yes, we can do that because, oh, it's not a special project." Meaning you're not going to have to take time away from your mission.


Dr. Kelley Misata:
You can weave it into your budget. You can weave it into your business operations. By doing that, then there's context for why it's important, how it helps the business succeed, and it's not an add-on. Every time we add something on, you're telling that person, you have to take something else away. And that's what I think is absolutely key for us to evolve security in new and different ways. There's my soapbox. [crosstalk 00:17:07]


Kacy Zurkus:
I love it. I love it. Kelley, I want to thank you again for joining us today. We are so looking forward to seeing you at our RSA Conference 2022 live in February. Before we wrap up, do you have any parting words for our listeners?


Dr. Kelley Misata:
Yeah, I have two things I'd love to share with everybody. One is, I feel really blessed that I was invited to join the program committee, I believe this is my third year when they started the open source track.


Dr. Kelley Misata:
And as someone who's been in the open source community for almost 10 years now, the fact that RSA has created this track and we've found so many wonderful submissions, is just heartwarming. And I guess, selfishly, what I hope is that, that's going to open up the possibility for other conversations and other ways of thinking about security to come into the RSA Conference, such as nonprofits, public sector, and other really exciting things happening in the security space. We have such a dynamic, exciting field that we're in. There's so much that we can bring to the RSA Conference. And the last point is, I just want to let people know, have a wonderful holiday season, but be a little bit more vigilant around how you're contributing, donating to nonprofits. Make sure that the organization you want to give support to is really that organization. So just be a little bit mindful this year, so it protects you and it protects them.


Kacy Zurkus:
Absolutely, yeah. Kelley, thank you so much for joining us, such a pleasure to chat with you. Listeners, thank you for tuning in. To find products and solutions related to open source tools or protecting data in the supply chain, we invite you to visit RSAconference.com/marketplace. Here you'll find an entire ecosystem of cybersecurity vendors and service providers who can assist with your specific needs. Please keep the conversation going on your social channels using the hashtag #RSAC, and be sure to visit RSAConference.com for new content posted year round. Thank you all so much. Happy holidays.


Participants
Dr. Kelley Misata

Founder and CEO / Senior Director of Open Source, Sightline Security / Corelight

Kacy Zurkus

Senior Content Manager, RSA Conference

Topics: Hackers & Threats; Protecting Data & the Supply Chain Ecosystem

Tags: business continuity & disaster recovery, critical infrastructure, data lakes, data loss prevention, data security, data sovereignty, ethics, governance risk & compliance, incident response, infrastructure security, network security, security awareness, security education, security services, supply chain

