Trending Towards Better in Cybersecurity in 2019?

By Tim Hurley

In three short weeks, 45,000 info security professionals from around the globe will converge in San Francisco for the 12th annual RSAC. For those who are unable to attend or for anyone who is busy preparing for the event and wondering what the hot topics in cybersecurity, data, innovation and thought leadership will be, here’s a sneak peek at RSAC 2019 from yesterday’s Virtual Session: Annual Roundtable with RSA Conference 2019 Advisory Board.

The Advisory Board consists of Caroline Wong, Chief Security Strategist, Cobalt.io; Ed Skoudis, Instructor, SANS Institute; Kim L. Jones CISM, CISSP, Professor of Practice, Arizona State University; Laura Koetzle, Vice President, Group Director, Forrester Research; and Todd Inskeep, Principal, Cyber Security Strategy, Booz Allen Hamilton. This esteemed group gathered virtually to preview the Conference and share their thoughts on security challenges including DevSecOps, Cloud Security, Cyber’s War Paradigm Problem, Identity, Security Due Diligence and Threat Intelligence.

The advisory board discussed, dissected and debated hot topics in global cybersecurity. Their session – sure to dovetail with RSAC 2019 (themed “Better”) itself – cast a particular eye toward whether we are better prepared and better equipped to protect ourselves against bad actors, insider threats, nation-state attacks or the plain old poor security hygiene of end users.

Here are four key mega trends the Advisory Board addressed:

DevSecOps: What does implementation look like and how can the transition be more seamless?

Wong noted that it is much easier to be born into DevSecOps than to transition into it. She cited Nike’s successful transition from outsourced software development to an in-house approach and Nike’s belief that DevOps must be “fun, fast and fair.” DevSecOps must first be “stable, reliable and secure.” It can also be a challenge to implement, given that the corporate cultures of many IT and security teams are often resistant to change, Wong said.

Skoudis noted that continual testing is key to successful DevSecOps, but Wong cautioned that “lots of false positives created in software development can be frustrating to developers.” She added that without proper guidance, continual testing is not effective.

Cloud Security: What lessons can it teach us about improved security?

Inskeep, the panel moderator, noted that cloud security is obviously not a new issue and RSAC wonders if it continues to warrant its own track. While it seems that “everyone is doing something on the cloud,” some organizations still struggle with how and when to move applications and processes to this environment.

Jones called out the lessons and opportunities of the cloud. “As a profession, we have to get over the fear of the cloud. We have not truly taken a look at the value prop of the cloud in terms of defending our networks and consider the ephemeral nature of the cloud. Have we truly looked at it? Can we expand and make it harder for the bad guy to get and maintain a foothold in our cloud environments? We need to think about the ‘lunatic fringe’, learn lessons from the cloud and make it harder for the bad guy and apply learnings back into the data centers. It is how we grow as security professionals.”

Cyber’s War Paradigm Problem: Are there better analogies than war to use when talking about security?

The group discussed whether the “cyber war” terminology relative to cybersecurity is always appropriate and how it can be harmful to efforts around attracting talent to the industry.

Skoudis noted that “… sometimes some of the things we see in cyberspace can be analogous to war. When you have nation states attacking banks, that involves international relations and can be associated with some form of war. The analogy has its uses, but it can break down in certain places. Other analogies when not talking about nation states might be criminality or law enforcement and the policing of certain acts. Or a security guard trying to protect an environment. Trotting out the term cyber war all the time does not always work and might even turn off certain people.”

Jones agreed – “I think we forget the positive and helpful and protective nature of what we do. When people ask me why I became a CISO, I try to put cybersecurity in the context of helping people and I get up every single day to prevent bad things from happening to innocent people.” Jones added that while there is a usefulness for the wartime rallying cry, it is also contributing to the issue of the lack of talent entering the cybersecurity profession.

Threat Intelligence: We share information about threats, but not real intelligence. How would real threat intelligence change the industry?

There has been an intense focus on compromise and tactics, but it is a lot of post-attack information, Inskeep said.

When asked how threat intelligence is changing, Jones emphasized the need to discern between threat intelligence and threat information. “Threat intelligence is predictive, it is not what the threat is capable of, but rather, what are the six things that an attacker is looking at now? How is he going to attack? What is the next vector we need to be most concerned about? It is not just about what they (cyber attackers) are doing but what they are going to do. This is threat intelligence and this is where the real value is delivered. Threat intelligence allows you to get ahead of the bad guy and stay ahead of him, do appropriate risk prioritization and truly provide value to the organization. We need to see more threat intelligence out there and less threat information.”

What critical cybersecurity topics are on your mind?

Senior members of Matter’s cybersecurity team will be at RSAC 2019 to meet with clients, staff press meetings, speak with industry influencers, and dig in even deeper on the latest trends and security threats and opportunities for 2019 and beyond.

We’d love to chat. Want to catch up at RSAC? Get in touch at thurley@matternow.com.