What the RSA 2019 Speaker Submissions Tell us About Security Trendlines

The RSA Conference in the U.S. has maintained its stance as one of the most popular events in security since its founding in 1991. In 2018, RSA welcomed approximately 50,000 attendees.

While many attendees have griped about how corporate the show floor has become, the keynotes and speaker presentations continue to draw some of the industry’s most forward-thinking leaders on a broad range of topics.

This year, representatives from the committee that selects RSA sessions hosted a podcast where they identified the most popular topics submitted for each track and what they predict to be the 2019 industry trends as a result. Highwire’s #CyberSquad listened in and summed up the key points, which we expect to closely mirror 2019 media trends. Read on for the skinny:

Hackers and Threats Track: DevSecOps to Become Mainstream

This year RSA added a new speaking track called Hackers and Threats to meet a more technical audience that’s focused on live demos and/or code dissection. There are two popular session topics for this track, the Internet of Things (IoT), as well as AI and ML. For IoT the focus is on how security teams can maintain security with the increasing amount of data coming in from multiple devices. For AI and ML, these sessions tie to tactical ways that businesses can leverage these capabilities while also breaking down how adversaries are working just as quickly to create techniques to subvert them. The main message throughout all the speaking sessions in this track is DevSecOps. This is a term the industry will see taking over headlines in the years to come as security teams prove how successful this approach is in ensuring agility, automation, and scalability.  

Emerging Threats Track: Ransomware Maintains Popularity Over Cryptojacking

Cryptojacking took over headlines throughout 2018 as a newly publicized form of attack whereby a bad actor gains unauthorized access to someone’s computer to mine for cryptocurrency like bitcoin. However, recent research revealed that despite the attention, cryptojacking does not have a very high return on investment, with popular websites only making $119-340 per day. So, while cryptojacking will continue to be a focus in the media, due mainly to its newness and ties to organized crime, ransomware will maintain its popularity with cybercriminals and media focus on successful attacks because of its increasingly high earnings – a $2B industry in 2018.

Blockchain and Applied Crypto Track: Blockchain for Good

Blockchain has continuously been a buzzword in the security industry, although the conversations around it have started to shift from a magical unicorn to a tool that organizations are working to understand so they can leverage it for their own security practices. In the Blockchain and Applied Crypto track, leveraging blockchain for good prevailed as the most popular track topic. Moving into 2019, as more companies across industries learn how to create a blockchain system applicable to their security ecosystem, we’ll begin to see a rebranding of this technology toward protection for all.

Security Strategy and Architecture Track: Zero Trust in Third Parties

Organizations face one of their biggest challenges when securing their trust with third-party partners – the grey area between a trusted company employee and an obvious outsider threat. In this year’s Security Strategy and Architecture track, the majority of speaking sessions focus on dealing with this challenge and defining Zero Trust. In order to have a functioning and successful partnership, the access granted to third parties needs to be authorized and monitored. This will continue to be a topic of discussion throughout 2019 as companies look inward at their own third-party trust processes and ensure the proper access for all sensitive data they are storing.

Highwire’s cybersecurity practice will be at the RSA 2019 conference to catch up with our clients, speak with industry influencers on the showroom floor, and learn as much as possible about the latest trends to inform new ideas and storylines in 2019 and beyond.

Want to catch up at the show? Email secleads@highwirepr.com.

The Next 10: Making Your Mark in an Evolving Cybersecurity Comms Landscape

#HWCyberSquad leader Christine Elswick shares insights into creating future cyber leaders


Election hacking. Targeted attacks on our power grid systems. Ransomware debilitating global network infrastructure. Hundreds of millions of passwords stolen from businesses in one fell swoop. This is the reality we face in today’s cyber threat landscape.

The continued onslaught of cyberattacks has essentially made cybersecurity mainstream—and effective and transparent communication in the wake of such a crisis is now a critical skill for any business to have. This evolution has created an opportunity for leading vendors to educate the masses about the critical reality of today’s cyber world. If done right, security companies have the opportunity to become household names within the next 10 years.

But the growing market makes it difficult for a single company to stand out from the crowd. So how can a cybersecurity business differentiate itself, rebuild trust in the age of breach fatigue, and educate the world in the wake of cyber warfare?

In this blog, I’ll walk you through strategic recommendations that will elevate your thought leadership, strengthen relationships with the media that matter, and align with today’s headlines.

Rebuild Trust—We’ve witnessed the expansion of mainstream cybersecurity awareness in everyday society in recent years, as demonstrated through television shows such as Mr. Robot and blockbuster hits like Snowden and Ocean’s 8. As scary as it sounds, cyber interference in the real world has moved out of the realm of science fiction to everyday conversation. Look no further than this year’s midterm elections.

It’s clear that cybersecurity is no longer only for the most technically gifted; it has directly reached the lives of ordinary people. The growth of IoT devices like smart voice assistants or connected door locks means we can’t ignore the threat of cybercriminals to our everyday lives. Further, with Big Tech in the hot seat for its misuse of data, it’s an opportune time for security companies to rebuild trust within the enterprise and beyond.

Security companies need to reach executives outside of the security world now more than ever to raise awareness of what is at stake. We cannot afford to let cybersecurity be a problem for enterprise security teams alone to deal with. This means that cybersecurity communications cannot be limited to trade and industry publications, but must also reach broader audiences.

Integrate Your Comms—One part media relations, three parts press release, and a dash of analyst engagement. Years ago, this was the recipe for PR success. Today, organizations must take an integrated approach to communications. Leveraging digital strategies such as social engagement and influencer marketing alongside “traditional” thought leadership is vital to amplifying a company’s vision and cutting through the industry noise.

On the influencer side of things, journalists writing longer-lead feature stories for publications like The Wall Street Journal and New York Times are increasingly seeking non-vendor sources, looking to prestigious academic institutions, think tanks, current and former government officials and in the case of WSJ Pro Cybersecurity, CISOs at non-tech Fortune 500 companies for perspective. Aligning with these influencers will help strengthen your company’s reputation through thought leadership.

When it comes to social engagement, it’s critical that you establish an authentic voice that aligns with your brand across all channels and leverage this medium to extend the life of your content. In the fast-moving, volatile world that is cybersecurity, speed is also critical. You must be able to move quickly and nimbly to get your company’s voice heard.

Get Creative with Telling Your Story—It’s no secret: the industry is crowded. Just two minutes on the RSA or Black Hat show floor or a look at the latest VC investment headlines will tell you that.

Never has PR been more critical to help the real leaders stand out. But it’s important that companies challenge themselves to be creative with campaigns to break away from the pack. This means showing that the company is more than just a product. It means that thought leadership should be supported by identifying independent thinkers with deliberate, experience-tested philosophies. It means discussing real-world examples (even if anonymized!) of how your technology actually makes an impact and stops cyber attacks in real-time across Fortune 500 businesses. These examples tell a story that pulls the reader in.

Don’t Forget the Fundamentals.

  • The importance of a cyber playbook—There are only two types of companies left in the U.S.: those that have been hacked, and those that don’t know they’ve been hacked. With this in mind, companies must have a crisis plan that will guide them through worst case scenarios. Highwire recommends going as far as involving third parties (who will theoretically support the business in a time of crisis) and reporters as part of the course.
  • Rapid response: Unless a spokesperson has direct knowledge of the incident or previous experience that makes him/her an expert on the particular topic, do not ambulance chase—it only undermines their credibility and frustrates reporters. As public understanding of cybersecurity grows, so too will the demand for thoughtful, nuanced reporting on these incidents. The experts who reporters will turn to the most for their thought leadership are the ones who can offer unique insights and help people understand the real impact, without spreading FUD.
  • Increasing importance of strategic events—A way for executives to talk about real issues and interact with like-minded peers, events have become a crucial medium for the industry. The cybersecurity community is a tight-knit group so building on those relationships in person is essential to becoming a respected voice in the industry. In recent years, high profile events such as WSJ.D Live, MIT EmTech and Collision have created dedicated cybersecurity tracks. CNBC and Bloomberg are other top-tier publications placing a heavy emphasis on cybersecurity across their global events, and newer conferences continue to emerge, such as the third annual Aspen Cyber Summit—held for the first time on the West Coast last week. At RSA 2018, Alex Stamos and others launched OURSA to discuss issues not tackled at the larger mainstage conference—diversity & inclusion, privacy & security implications, and ethics of emerging technologies. Watch out for the #HWCyberSquad’s upcoming blog on security events that are becoming strategic opportunities to build relationships and showcase research.
  • Aligning the business to key trends—Tying your business to key trends—both security and non-security related—will be important to elevating the brand and creating a connection to a broader audience. In the next 10 years, topics that will likely continue to be front and center in the news include: all things artificial intelligence and human intelligence; AI-based attacks; data privacy and GDPR; diversity and inclusion; nation-state security and cyber warfare; the economic impact of security on a global scale; IoT and smart cities; consolidation across the security market; quantum computing and much more.

The internet has become a crowded, labyrinthian place to conduct business and share information. There are hundreds of cybersecurity startups emerging every month, each claiming to have the silver bullet to addressing the cyber crisis, and legacy players snatching up smaller ones in order to acquire next-generation capabilities to remain relevant. But intelligent communications is our map to show us the way forward and create an opportunity for the cyber leaders of the future to make their mark.

The true leaders will emerge through compelling storytelling that showcases their impact to a broader audience. The age of cyber war is just beginning and it will create lasting change on the world and the cybersecurity industry over the next 10 years. But one thing is certain: communications will be a critical piece of the puzzle in establishing credibility and trust in these uncertain times.

Behind the Scenes with Black Hat Comms Lead


It’s nearly time for Black Hat USA and given RSA was so late in the year, it seems to have snuck up on everyone quicker than ever.

But no fear, Highwire’s Cyber Squad is on top of it—this year, we interviewed Kimberly Samra, PR Manager for Black Hat and lead for UBM’s technology portfolio, to get a pulse on what the hottest trends at the show will be and how attendees and PR practitioners alike can make the most of their time at the conference this year.

See below for information ranging from themes that will attract a lot of attention at the show—including election security, critical infrastructure and privacy—and tips for how to break through to reporters and tell your story. We hope this information helps you make the most of your time at Black Hat. If you’re heading down and want to meet up with the Highwire Cyber Squad, please email us at secleads@highwirepr.com.

Now, back to our scheduled programming to get the inside scoop from Kimberly Samra, PR manager for Black Hat:

Q) How has PR at Black Hat changed?

The PR landscape has certainly expanded with the growth of the security industry. While we still see the usual big-time security reporters covering the event, coverage is shifting across multiple verticals as the industry transitions and becomes such an essential part of our everyday lives. As discussed in Black Hat’s new research report, “Where Cybersecurity Stands,” security has quickly become mainstream, touching everything from politics to international relations, commerce, money and human relations—it really has a hand in everything these days.

So as PR folks ramp up for the event, they should tailor their outreach strategies thinking beyond items specific to security and ensure their pitches demonstrate how people and consumers are affected on a grander scale.

Q) Have you seen a shift in Black Hat audience? More CIOs and technology buyers?

As the event grows we definitely see a wider range of professionals attending. While the Briefings program is at the core of what we offer to our audience, we’ve seen our Business Hall expand to welcome top vendors in the industry interested in sharing their latest and greatest tools and how they’re pushing security innovation forward through advanced research. Our Black Hat CISO Summit has also grown as more executives are making security a top priority.

Black Hat as a whole really brings together every aspect of the industry and is a hub for all things security. It’s the must-attend security event of the year and we’re happy to continue adding to our offerings and the content media is exposed to so they can report critical insights to the public.

Q) What are the top trends you expect to see at the show this year?

Of course we always see a lot of attention around big-name vendors, mobile, IoT, payment systems, critical infrastructure, etc. However, not surprisingly, we’ve seen a lot of buzz around voting technology and privacy. As folks look toward the upcoming elections and draw from all the controversy around the 2016 U.S. presidential race, they’re looking to security experts to answer questions about how vulnerabilities found in voting technology could affect outcomes and any other potential issues that could unknowingly change the course of political history.  

Privacy on the other hand is a vast issue that remains top of mind for people on many levels—from those working in government, the enterprise level and everyday citizens. We’ve all seen headlines pertaining to the Facebook investigation, the global effects of GDPR, and continued reports of security breaches. It’s no secret that people are questioning their privacy and how their data is being used. It’s a widespread topic and the research being done within the security industry is pertinent to learning more and making moves toward protection.

Q) Is there anything new happening at the show?

Yes! We’re really excited about a number of new offerings this year, specifically the expansion of our community programs. Black Hat has taken strategic steps over the years to ensure our program expands and continues to welcome and serve a wider audience. A few years back we began work around inclusivity through dedicated diversity programs. We’re proud that these programs have continued to grow and that we’re now able to tap into programming specific to the needs of the community on a much larger scale.

On the Briefings side, we’ll see content coming from the new Community Track, which was developed to provide a forum for discussion on relevant issues currently impacting the InfoSec community. These talks will dive into important topics including careers, legal issues, inclusion, diversity, attribution, substance abuse, mental health, burnout, security awareness, work-life balance and more. We’ll also be holding Community Workshops which have been made to encourage collaboration among the Black Hat community; attendees will be exposed to everything from personal digital resilience to mentorship and career-building strategies.

And of course, we’ll see the return of our scholarship program and our work with non-profit partners, two items we’re really passionate about as we engage with and encourage the next generation of security professionals and give back to the community we service.

Q) What advice can you offer for companies looking to prepare to pitch reporters at Black Hat?

Companies should keep in mind the scale of Black Hat as well as the happenings throughout the week—remember, it’s called “Hacker Summer Camp” for a reason. Do your homework and tailor what you’re trying to pitch specifically to the reporter you’re reaching out to—a pitch that’s only specific to a security product announcement won’t always do the trick.

Questions you should ask yourself: Are you familiar with the headlines out there right now? Does your content pertain to big topics like privacy, critical infrastructure or maybe companies a certain journalist regularly writes about? Think of yourself as a valuable source rather than someone trying to simply sell a reporter on a story.

Also, make it easy on them! There is so much going on leading up to the event and especially onsite, you don’t want your news to get swept up in the hustle bustle especially if press have to decipher your message and how it applies to a potential big story. Take a step back, focus on what the big takeaway is, and figure out the headline—if you were a reporter, how would you envision the story? It’s like delivering a ready-made gift.

And start now! Don’t wait to get your news out to registered media. Remember, their schedules are packed onsite so you need to get on their radars now so they can make time for you.

See here for an interview with Black Hat communications director from 2016 for a look back at trends over the years.

Learn more about Highwire’s security practice here or reach out to us at secleads@highwirepr.com to continue the conversation. We’ll be at the conference, so we’re looking forward to meeting you on the show floor to hear your story!

Know Your CyberEnemy: Thoughts from the Highwire PR RSA Cybersecurity Panel

Conferences are a time to share information and discuss big challenges. That is always easier when you can bring some of the smartest people in the industry together in a single room. Fortunately, the breadth of clients we work with in the cybersecurity industry means that we speak to many of them on a regular basis. Each of them has a diverse perspective and approach to the security problems facing organizations today.

This year we hosted the second annual Highwire PR RSA Cybersecurity Panel series to bring our cybersecurity clients together to share their thoughts on what is driving defender and attacker agendas. We partnered with WSJ Pro Cybersecurity to host a series of panels discussing major trends this year in the security space. A special thanks to our panel moderator, Patrick Coughlin, Co-founder & COO, TruSTAR.

Every conversation about cybersecurity focuses on trends in either the offensive techniques of attackers or the new tactics of defenders. With such a broad panel of experts, our discussions were able to inspire interesting perspectives on both.

What are the bad guys up to?

Cybersecurity is as much a human issue as it is a technical one, because unlike many technical problems there is an active intelligent adversary behind every attack looking for deliberate holes. But why do they turn to hacking?

One answer is because it is so easy. According to several of our experts, it’s only getting easier.

“The barrier to entry is very low. If you have the ability to search on Google, you can find the tools you need and have the ability to become an attacker,” said Dave Lewis, Global Security Advocate at Akamai.

And Endgame Chief Social Scientist, Andrea Little Limbago, pointed to three recent self-propagating worms—WannaCry, NotPetya and BadRabbit—that all stemmed from a single exploit leak. “Hackers can leverage what’s already put out there in the open source and leapfrog ahead. The lack of resources required to have an outsized impact is really phenomenal.”

The easy availability of these exploits means that hackers do not even need to be on the cutting edge of technology to do significant damage. Jeremiah Grossman, CEO of BitDiscovery, said, “I haven’t seen the bad guys use AI, frankly because they don’t have to. The hacks are so easy. The number of systems they can compromise is so vast.”

These factors make it all too easy for new hackers to get started, and for experienced hackers to level up. “[Attackers] are way ahead! Not just in terms of technology but also in social engineering,” said Simon Thorpe, Director of Product & Account Security, Twilio. “A zero day just pops and you are inundated.”

Unfortunately, it doesn’t take much for a hacker to breach an organization.

“The sad truth is the bad guys are getting in through low hanging fruit, such as not patching,” said Justin Fier, Director for Cyber Intelligence and Analysis at Darktrace. “I run into a lot of teams that say ‘Until I get a major breach, I’m not going to do anything about it.’”

Bad patching processes are one thing, but the move to the cloud opens up another realm of possibilities for hackers. The urgency to move to the cloud can lead to IT teams making configuration mistakes in their rush to adopt new infrastructure.

“That’s why you see breaches with people moving into the cloud quickly with their S3 Buckets opened up, cryptominers installed,” said Sumedh Thakar, Chief Product Officer at Qualys. “People find out about these cryptominers in their environment after they get the bill. I joke that the incident response team is finance.”

The attack space of the digital world is expanding, driven not only by cloud adoption but also by the sheer number of new devices.

“If you look at my home, there are probably 80 different addressable devices,” said Brad Bell, CIO of Infoblox. “You may not have direct interaction with them now, but they do represent a potential threat vector.”

“I set up a commercial firewall at home and ran traffic analysis for three months. At the end of three months, I found that 8% of my traffic was going to China,” added Jackson Shaw, Vice President of Product Management at One Identity. “I’m not ordering Chinese food from that far away. It’s not just a threat at work but also in our homes.”

What do we do about it?

The situation may seem dire, but by leveraging these insights about what drives hackers, the cybersecurity industry has some hope of gaining the upper hand.

Casey Ellis, founder and CTO of Bugcrowd, noted the importance of focusing on the basics, like regular patching, saying “One of the challenges I see in how products are being taken out to market is a focus on APT, which to me is the equivalent of trying to cure cancer while we forget to wash our hands when we leave the restroom.”

Cyber hygiene is important, but perhaps even more important is to identify the advantages we have. When asked about the asymmetric advantage hackers appear to have, Chris Wysopal, CTO of CA Veracode, pointed to enterprise detection systems. While breaching a system may be easy, “if you set up your detection correctly, the hacker only needs to make one false move and not look like a regular employee on the network.”

The other advantage defenders have is the vast amount of information we have about hacker activities. Sharing threat intelligence on information exchanges allows cyber defenders to gain a broader picture of what is happening around them and respond to new threats more effectively.

“Organizations are discovering that it is helpful to them to enter into these exchanges,” said Karl Sigler, Threat Intelligence Manager at Trustwave. “I think that any single organization has such a microscopic view of the security ecosystem as a whole. Once you start sharing information suddenly your whole perception changes.”

But of course, while the adversarial side is not purely driven by technical issues, neither is the defender side.

“What I feel is missing the most is the education of the end-user at the very beginning. People are not aware of the threats they could be facing,” said Filip Chytry, Threat Intelligence Director at Avast.

And Scott Register, VP of Security at Keysight, added, “When I’m on Facebook and I see those little questions, like ‘What’s your stripper name?’ the questions you answered to get that—your pet, the street you grew up on—how often is that also a security question?”

One step to solving this problem is to demystify the cybersecurity space, according to Michael Daniel, President and CEO of Cyber Threat Alliance. By involving people with other backgrounds in the cybersecurity space, they will bring their unique perspectives with them to help solve the problems we’re facing and bring their understanding of cybersecurity back to their peers.

“We need to diversify our understanding of the security workforce. We need more economists who understand incentives. We need more lawyers who are cyber-smart,” said Daniel. “We need a lot more of the other disciplines to bake cybersecurity into them so that you have a broader understanding.”

Knowledge is power. And in the cybersecurity world, knowledge is also protection. Gathering the smartest minds in the cybersecurity space to discuss what is driving hackers to make the choices they make reveals a lot about what cybersecurity defenders need to watch next.

You can watch the whole panel series on the Highwire PR YouTube Channel here.

Lessons from RSA 2018: Amplifying Key Messages at Industry Conferences

Another RSA has come and gone. Sales and communications teams across the security industry can finally take a moment to slow down and celebrate a job well done. At least until they need to start preparing for Black Hat.

Year after year, the conference has gotten bigger. This year, there were 50,000 security professionals, executives, and vendors in San Francisco milling about the show. And yet for all of the ballooning attendance, the media landscape at the show has changed drastically from years past.

The growth of the show has made many reporters skittish, with many top-tier reporters deciding not to attend this year after citing the increasing corporate nature of the show. This is not a problem confined to RSA, but one that affects every growing conference.

But there are still plenty of opportunities to amplify key messages during these shows. Here are a few ways to make your communications activities at big conferences successful.

Get Friendly with Reporters

If you don’t know the reporters in your space well ahead of the show, getting them to make time for you during the show will be difficult. Their time is limited as they need to balance catching up with old contacts, meeting up-and-coming influencers, taking in key learnings from the show overall, and writing stories.

To make sure you are one of the people on their list, make sure you know what they are interested in before the show. One key reporter at a new tech publication noted that his job often gets him caught up in the day-to-day happenings of the security space, meaning that these conferences are good times for him to get a sense for the bigger picture. Another reporter at an influential security trade publication noted that his plan this year was to explore one topic in-depth that he decided close to the show.

On the other hand, some reporters are only driven by newsworthy events. Don’t be afraid to set up times to chat with them in the weeks before the show to discuss key points from talks or announcements that will go live during the show. Many reporters write pieces in advance to publish that week before their schedule fills up.

Knowing what drives reporters’ agendas at the show is not something that you can guess the week before the conference and hope to have a full schedule. Instead, get to know them as people and strive to understand how you can help them get what they need.

Leverage Social

It’s also important to remember that conferences are great grounds for strong content across social platforms. Not only are a lot of people focused on the same topic at the same time—even narrowed down to a few hashtags—but since many attendees are less focused on work, they have more attention to focus on social media.

Make sure to use the strong images from the show as content to help make individual posts more visually appealing. Tagging relevant people, such as speakers at the show, employees, partners or visitors, can also boost engagement by making a human connection and expanding the audience of viewers.

Always make sure to leverage any news coming out around the conference to generate more content, especially if it has lasting impact beyond the conference. People attend these conferences for insights they can use, so they are even more likely to engage with social activity with direct impact on their roles.

Explore Content Alternatives

As the media landscape changes, many publications are looking for alternative ways to make ends meet. Many more publications are open to working with vendors to create sponsored content that relates back to their key messages. With the right planning and promotion strategy, sponsored content can have nearly as big an impact as earned media.

Strong sponsored content highlights the expertise of your spokespeople by discussing major industry trends and sharing thought-provoking opinions, just as they would in earned media. The advantage is that you have more control over what happens to the content after publication. In addition to appearing on the publication website, these pieces can be shared on social media, syndicated to corporate blogs, and reused ahead of the next conference.

These relationships can also do double duty in a few different ways. If you conduct these interviews at your show booth and film them, they can act as part of your conference programming, drawing more visitors or potential leads out of the show. These are also strong opportunities to get face time with these reporters so they get to know you and your company better for their future coverage needs.

Crowded conferences are just a fact of life in the communications field. More attendees mean more potential sales leads, but also more competition for mind time. Vendor communications teams have their work cut out for them, but there are still plenty of opportunities to break through the noise and tell a good story.

What is the Biggest Problem in Cybersecurity Today?

Themes from the show floor of RSA 2018

Viability. Quite simply, the operating environments of organizations have gotten too complex for cybersecurity defenders.

The problem goes beyond not being able to see what is happening in organizational systems to not even understanding the full extent of those systems. Keeping up with the assets under their control and keeping them secure is a new challenge for the modern enterprise.

Asset Explosion

As organizations move to the cloud, their data moves to systems they don’t own. Employees frequently log into corporate accounts from personal devices. Add the growing number of IoT devices connected to corporate networks and the number of ways for organizations to lose control of their data spirals out of control.

This is not to say that responding to and stopping threats is not important, but before organizations can even begin to think about remediation, they have to know what is under attack. Theresa Payton, CEO and President of Fortalice Solutions and former White House CIO, noted in a panel that the first step to securing an organization is understanding what assets are under its protection.

What You Don’t See

Two of the top five attacks from “The Five Most Dangerous New Attack Techniques” keynote presented by SANS researchers result from abuse of poor visibility. The first is data leaks from repositories and cloud storage, a growing issue that resulted in several breach disclosures over the last year. It is easy to forget that cloud buckets and GitHub repositories are part of an organization’s assets, and that oversight can lead to poor configurations.

The other is the rise of cryptojacking. Malware that appropriates processing power to mine cryptocurrency for hackers can remain undetected for months by flying under the radar of systems administrators. Seeing rogue cryptomining activity may be trivial in owned data centers, but when they are outsourced to cloud providers, organizations need to actively search for this activity.

Asset discovery cannot be a static activity, though. Data and devices shift so rapidly that organizations need a constant stream of information about the state of their assets so they can adjust their practices accordingly. Dan Schiappa of Sophos said in a talk that asset management and the policies it informs need to take on an almost evolutionary appearance as they adapt to the changing operational landscape.

It’s Not About the Machines: Cybersecurity is a Human Problem

Themes from the show floor of RSA 2018

The annual Cryptographer’s Panel spent the first 10 minutes of their discussion at the opening Keynote yesterday deriding blockchain, the trendiest technology of the year. Quantum computing and machine learning are also banner bearers for technical innovation in cybersecurity.

At the same time, however, experts around RSA have shunned the idea that technology is the answer to cybersecurity. The theme of the show—“Now Matters”—calls for the defender community to take action to prepare themselves for a better and more secure tomorrow. RSA president Rohit Ghai called “the death of the silver bullet fantasy” a major win for cybersecurity. Meanwhile, McAfee CEO Christopher Young called for a culture shift across organizations to realize that cybersecurity is everyone’s responsibility.

This theme has echoed across the rest of the conference as well.

Technology Does Not Make Security

Panelists have addressed blockchain in nearly every session, either bringing it up themselves or responding to questions from the audience.

In a panel about building trust in an insecure world, Adam Ross, a manager at GmbH, noted that blockchain does not build trust. It is merely a means to store data, and does little to guarantee that the information it stores can be trusted.

In the same vein, machine learning technology is a valuable supplement to human cybersecurity teams, which are understaffed with skilled workers. But machine learning processes are highly corruptible if not properly secured.

Even encryption, an almost automatic part of privacy and security processes by now, only works if there is a deliberate decision.

“It’s easier to say I can’t than I won’t,” said Moxie Marlinspike, founder of Signal.

Organizations that have taken custody of our data are under constant pressure to divulge that information to governments. If they care to protect our data, they need to build their systems in a way that no one can access it, not even themselves.

The Importance of a Sound Strategy

While technical solutions are an important part of security, it’s how they are used that makes security. In the past, there has been a culture of treating security as an afterthought. Now, the question of how to use that technology has been the subject of many panels across the show.

While the answer is far from simple, two essential parts of it are building a sound business case for cybersecurity and focusing on outcomes. What this accomplishes is up-leveling the conversation around cybersecurity issues so that executives don’t feel lost in the technical quagmire of the day-to-day operations. It also opens the door to understanding what is important in this task.

Theresa Payton, CEO and President, Fortalice Solutions and former White House CIO, noted in a panel the importance of prioritization. Limited resources mean that no organization can protect all of its data equally well. Deciding what is important and starting a conversation about what a cybersecurity program should do lead to the beginning of a plan.

We will always need innovation in cybersecurity to keep ahead of the hackers that threaten our digital landscape. Tools, platforms and techniques that make it easier to identify and stop hacker activity will always help, but many of the innovations we need are in the processes we use to make our organizations secure. Remember that people are part of this too.

A Time for Optimism: Cybersecurity is Stronger than Ever

Highlights from the Opening Keynotes of RSA 2018

It’s easy to call 2017 a cybersecurity failure. WannaCry alone rocked the digital world to the core. But it was only made worse when we realized that the attack was perpetrated by governments, not individuals or criminal organizations.

But across the board, the speakers of the opening keynotes at RSA 2018 called for optimism. While there is still a lot of work to do and the job of cyber defenders is by no means done, these keynotes highlighted that the work they do every day is making a difference.

The Little Things Count

It may not look like it, but the cybersecurity progress that has been made over the last 30 years of RSA conferences is making the world safer.

“Joe, your brilliant deployment of multifactor authentication to stop a massive breach will never make the New York Times,” said RSA president Rohit Ghai.

That is the danger of cybersecurity. The only news is bad news. The best state of affairs is when there is nothing to report. The end of the keynote by McAfee CEO Christopher Young was a video whose mantra was “Nothing important happened today…except everything.”

“We need to shift our focus from becoming perfectly unhackable one day to being a little more secure every day,” said Ghai.

All the little things do add up. Every activity that makes us a little more secure is time well spent, because security is an ongoing battle. There is no silver bullet for security, and while the daily grind may feel like a thankless task, that is how we win.

Adapting to Change

Microsoft president Brad Smith spent much of his talk calling for governments to do more to defend us now that the battlefield has shifted to the cyber realm. We need to view attacks on machines as attacks on people.

“We need a new digital Geneva convention,” said Smith.

WannaCry, which exploited a vulnerability in Microsoft operating systems, had a global impact by shutting down key elements of our society that have come to depend on machines. In the U.K., 19,000 hospital appointments were cancelled because of WannaCry.

But cyber defenders have advantages over the hackers. When hackers find a creative way to breach companies, we can force them to be creative again by closing that vulnerability. Young pointed to how the air travel industry became more secure over time by adding security measures when would-be attackers tried new techniques.

By working together and sharing information we can make the increasingly connected world more secure. Ghai praised organizations like the Cyber Threat Alliance, and Smith pointed to a new coalition of security companies that have promised to prioritize security.

Turning Awareness into Action

If there is a good side to the “breach a day” cadence of stories coming out about cybersecurity, it is that awareness of cybersecurity issues is reaching board members and executives.

Ghai pointed to a statistic that 89 percent of board agendas include cybersecurity at some point. It’s a step in the right direction, but there is more to do.

“The awareness is there, but there is a failure to turn that awareness to action,” said Young.

There needs to be a cultural shift in the approach to cybersecurity. In addition to the incremental progress of small gains, everyone needs to take responsibility for cybersecurity. There are signs of progress on that front across the industry with the adoption of DevSecOps, which pushes cybersecurity to the beginning of the development process.

The gains from baking in cybersecurity from the start cannot be matched by the “bolted-on” approach we’ve taken in the past.

Incremental success is a hard story to tell. It’s a lot easier to focus on the disasters of cybersecurity like WannaCry, but the truth is that there is a reason for optimism. For every attack that we hear about, there are hundreds or thousands that defenders stop dead in their tracks.

The hard work of cyber defenders may be a thankless task, but it’s working and it’s making a difference.


Check back tomorrow for the next blog in this series live from RSA where we’ll have insights from our panel of industry experts.

A Week at RSA 2017: Insights from Highwire’s CyberSquad

Nation-State Activity, AI and Market Consolidation All Top-of-Mind for Security

February stands out for African-American History Month, Valentine’s Day and President’s Day, but we cannot forget about the annual RSA Conference that takes place in San Francisco.

Every year, cybersecurity experts, aficionados, journalists, and Highwire’s very own #CyberSquad congregate in San Francisco for one of the premier cybersecurity events of the year. This year’s show, the largest in the books, did not disappoint.

The conference was abuzz with talks on new offerings, partnerships and industry sentiment. The keynotes — ranging from Microsoft’s President to renowned astrophysicist Neil DeGrasse Tyson — were also especially enlightening. Additionally, Highwire was on the show floor interviewing attendees to get the pulse on show and industry trends. Thanks to all who participated, especially those who are typically doing the interviewing — I’m talking to my reporter friends out there. Special shoutout to Bradley Barth of SC Magazine, Fahmida Rashid of InfoWorld, Paul Roberts of The Security Ledger and Katherine Teitler of MIS Training Institute for taking time out of your busy schedules to help with our man on the street videos.

At a high level, the buzz from the conference floor and attendees alike focused on nation-state cybersecurity concerns, the hype around AI, the issue of false positives, visibility and the blurred perimeter. Also of note was the sentiment around market consolidation.

We also heard from seven of our own clients in a live podcast series conducted from our annual Highwire RSA happy hour. Special thank you to Sean Sposito and our friends at CSM Passcode for partnering with us on this great event. See here to learn more about the “Rise of the Chief Digital Transformation Officer and Six Other Key Takeaways” from industry experts.

Here’s more from our in-house security pro, Erik Martinez, on what Highwire’s CyberSquad learned at the 2017 RSA Conference:

Nation-State Cybersecurity

Many at the conference discussed the ostensibly growing involvement of nation-states in cybersecurity, both as attackers and targets. The recent nefarious activity and attacks in Europe and the U.S., thought to be instigated by Russian hackers, were a catalyst for this train of thought. As a result, industry leaders are prepared to expect more espionage; information and influence operations; and the destruction or disabling of data and systems. Interestingly, the common belief is that these activities will increasingly happen in the shadows after the recent wave of public discussions on the matter. This can be expected to happen through hired non-state actors like organized criminal groups.

AI: The Belle of the Ball

Like in most technology-focused industries, cybersecurity is in love with AI and machine learning. The possibilities it offers the cybersecurity space are mouthwatering and nearly everyone is touting some version of it in their solutions. But perception around AI is still mixed. Many RSA-goers equated the buzz around AI to that which big data stirred up when it first came onto the scene — a tad premature.

This is not saying that AI technology is not helpful — it is — but it will require human judgment for the foreseeable future. AI technology can execute tasks faster and with fewer errors than humans but training is still necessary and intuition lacking.

Market Consolidation

There is a coming disruption in the market in the form of market consolidation, and whoever remains will likely have no other option but to play nice. In terms of disjointed solutions, Palo Alto Networks CEO Mark McLaughlin predicts that “the measure of [the industry’s] success will be, instead of people saying, ‘I have twenty, thirty, forty vendors, and I have to figure out how to handle that,’ they’ll say, ‘I have four hundred vendors and I’m good with it.'” He argued that this happy state would come about as vendors developed “better ways of consuming their value proposition.” In other words, all the products will work effectively and with increased cooperation as the market consolidates.

This should not be cause for alarm, as the trend could provide exits via mergers and acquisitions. Not to mention that good outcomes are likely to result from general industry cooperation. Why work against each other, when working together can be much more beneficial?

If you were in attendance, share your story in the comments — we’d love to hear about your experience!

Also, we’re hiring! If you are a security or enterprise tech PR pro interested in joining our rapidly growing team, we’d love to hear from you. Please contact Nida Ilahi at nida@highwirepr.com.

The post was written by Christine Elswick who leads Highwire’s burgeoning security practice and Erik Martinez, our in-house security expert.

Client Experts on the Future of Security

IoT, AI, Offense and (Cyber)Insurance

We are in the midst of a thrilling time in which many of our technological aspirations, from autonomous cars to highly advanced computing devices that fit comfortably in our pockets, are a practical reality. But along with the enhanced capabilities offered to businesses and individuals, comes increased risk.

For instance, IoT technology has helped create devices reminiscent of HAL 9000—but, much like the film character, it can be subject to major flaws. Fortunately, direct physical harm hasn’t been caused yet, but 2017 will surely be the year that cybersecurity stops being a news novelty and becomes a norm well understood by all. The year to come is the year “cybersecurity” becomes just “security,” even for those outside the industry.

Taking from our all-star security client lineup, here’s what our experts are expecting in the year to come.


Affecting Trust

The savviest attackers are moving away from just data theft to targeting data integrity. Longer standing, reputational damage is becoming more common, especially in cases where the involvement of a nation-state is suspected. We’ve already seen these kinds of attacks in M&A scenarios with the Yahoo breaches and during the presidential election.

This kind of attack will continue to gain traction, especially within industries that rely on public confidence like medical facilities and financial institutions. Governments may also fall victim to attacks to spur on distrust in national institutions and processes (e.g. alleged Russian involvement in the presidential election).

Cyber Insurance Matures

Amid the slew of unmanageable threats, organizations will likely continue to increasingly take advantage of cybersecurity insurance. As the underwriting market responds, we can expect the due diligence requirements for underwriting to bolster greater spending on security controls. As such, we can expect security product purchasing decisions to be driven by cyber-insurance companies.

Expect cyber-insurance organizations to develop short lists of vendors and products that must be deployed to be compliant for insurance. CSO/CISOs will be asked by CFOs for these products and purchases may be directed top down if they’re lacking. We can also expect more vendors to offer guarantees and/or their own insurance offerings.


Finally Sifting Through Troves of Data

Machine learning and AI have recently come to the forefront across industries for good reason. Humans cannot parse and make sense of all the data being generated today. Humans simply can’t scale, work as long or be as detail-oriented as a well-crafted and intelligent program, so expect further investments in neural networks and smart technology.

A caveat is that machine learning and AI will also be used for nefarious purposes. Hackers often mimic the same models as their targets for unlawful tools and distribution, often protected by the anonymity of the dark web. Just as machine learning algorithms sift through threat alerts, criminals will start using them to parse the troves of data they steal. Moreover, smart strains of malware (e.g., polymorphic and metamorphic) have already entered the scene, capable of intelligently evading detection and even changing their composition to do so.

What do you think we have in store for the year to come?

If you’d like to hear more from our experts, join us at Highwire’s third annual RSA Happy Hour—this time in conjunction with the Christian Science Monitor’s security vertical, Passcode, which will be conducting live podcast interviews with some of our experts.