The first live RSA Conference in three years wrapped up yesterday. The world has changed drastically since the last live event in 2020 – and security has changed as well. In 2019 we had no idea that companies were about to enter a warp-speed cloud transformation as their employees went remote and much of their business shifted to the cloud. As a result, cloud security has taken on new urgency, as well as identity and access management and zero-trust principles.
This year’s event, like every year, saw prominent security figures take the stage to encourage and inspire security practitioners, and many themes and big ideas stood out. In case you missed it, here’s our roundup of a few of them – the top takeaways we gathered from RSA 2022.
RSA CEO Rohit Ghai highlighted the disruptions in the physical world in the past few years, such as the pandemic and the war with Russia, which have rippled out to the cyber world. With the physical and cyber worlds constantly in flux, Ghai pointed out that although tech changes fast, humans don’t.
“The code we write, our technology, changes exponentially faster than our human genetic code,” Ghai said. “What remains relatively constant is us humans and how we think and act. To transform, we need to build solutions based on the one constant in cybersecurity…identity.”
Most cyber attacks occur due to compromised identity, and these same attacks can be blocked with multifactor authentication, Ghai said.
Cybersecurity has always focused on the CIA triad – confidentiality, integrity, and availability. But Ghai asserted that in a world where disinformation and misinformation create shock waves in our societies, the new frontier in cyber is the veracity of information. Hacked brains, he pointed out, are much more damaging than hacked systems.
“The best way to authenticate content is to authenticate the creator of it,” said Ghai. “The brightest signal regarding if a piece of information is true or not is the source of the information. Who created it, and what is the reputation of the creator? Identity to the rescue again.”
The traditional wisdom has been that an organization needs to worry about its security posture to avoid data breaches that will damage its reputation, operations and bottom line. But in their talk, Cisco security VPs Jeetu Patel and Shailaja Shankar broadened this scope, saying organizations owe it to one another to keep their security standards high.
“We are competing as holistic ecosystems, not as individual organizations,” said Patel, citing the example of a car manufacturer forced to halt production because of a security breach at one of its suppliers. In our modern, interconnected world, companies can be negatively impacted by security incidents at other companies.
Shankar explained the concept of the security poverty line, or the baseline level of minimum security posture that every company should maintain. Companies that don’t have enough budget, expertise or capability to support this baseline are falling below the security poverty line.
“If you are below the security poverty line, not only are you putting yourself at risk, but the entire ecosystem is at risk as well,” Shankar said. “If we don’t address the least prepared in the world for going out and protecting themselves, the most prepared will also suffer.”
As artificial intelligence is increasingly used to analyze large volumes of data and make decisions in use cases such as detection systems, job candidate screening and loan application screening, technologist Bruce Schneier predicts AIs will eventually start hacking the very systems they are enabling.
In his keynote, Schneier explained that hacking or exploiting system loopholes in a way the designer didn’t intend is as old as humanity. Humans are creative problem solvers and loophole exploiters.
“Even the best thought-out sets of rules will be incomplete or inconsistent. They will have ambiguities, things the designers haven’t thought of,” Schneier said. “As long as there are people who want to subvert the goals of a system, there will be hacks. And AIs are becoming hackers.”
AIs can be instructed to hack a system…or inadvertently and unintentionally hack a system as they are going about their business of learning, Schneier said. Without human constraints reining them in, such as ethics, lack of time, concern for reputation, or fear of punishment, AI hacking will be at a speed, scale and scope we have never experienced.
The glut of unfilled cybersecurity positions was a recurring theme at RSA 2022.
Vasu Jakkal, CVP, Microsoft Security, used her keynote to advocate using AI to scale knowledge and augment human expertise. She also urged more inclusivity in the industry to bring in diverse hires. Jakkal spoke in favor of eliminating infosec job requirements such as college degrees and minimum years of experience; mobilizing community colleges to help grow and diversify the workforce; and changing the language of cyber to avoid dark, fear-based FUD.
“When we represent the world and reflect who the world is, we do better cybersecurity,” Jakkal said. “We must break the barriers to the defender community.”
To Bryan Palma, CEO at Trellix, the cybersecurity field can be a home for disaffected tech workers who have left social media companies hampered by disinformation and toxicity. Cybersecurity can offer them the sense of higher purpose and fulfillment they may have lost.
Palma also stressed the importance of nurturing an interest in cybersecurity in three distinct populations: K-12 students, college students and early-career professionals, and mid-career professionals looking to change fields.
“We are falling short when it comes to identifying talent with a two-year degree or no degree at all,” Palma said. “We overlook qualified candidates who lack the schooling but have earned certifications or have completed other vocational training. This bias is a huge mistake and restricts our talent pool.”
The future of security surfaced as another persistent theme. The implication behind several speakers’ words was that now, more than two years after the global pandemic shifted life and work as we know it, security is at a crossroads and it’s up to us to choose which way we want to go.
VMware SVP Tom Gillis spoke about going beyond perimeter and endpoint security to an approach of protecting applications from within. He argued for moving to a completely cloud operating model using a zero-trust approach.
“Now is the time to drive change,” Gillis said. “Now is the time to embrace the cloud operating model and not just cut and paste our old ways of working. Let’s move forward with a new way of instrumenting our workloads, protect them from within, and get ready for this next onslaught.”
In Jakkal’s words: “The future of security truly belongs to all of us. We have to aspire to build a safer world for all, and it is up to us and our empowerment to create the future we aspire to.”
Ghai urged listeners to be proactive about transformation in security before a cyber pandemic catches us all off-guard. Ghai advocated identity-centric and information-centric thinking rather than infrastructure-centric.