It’s Not About the Machines: Cybersecurity is a Human Problem
Themes from the show floor of RSA 2018
The annual Cryptographer’s Panel spent the first 10 minutes of their discussion at the opening Keynote yesterday deriding blockchain, the trendiest technology of the year. Quantum computing and machine learning are also banner bearers for technical innovation in cybersecurity.
At the same time, however, experts around RSA have shunned the idea that technology is the answer to cybersecurity. The theme of the show—“Now Matters”—calls for the defender community to take action to prepare themselves for a better and more secure tomorrow. RSA president Rohit Ghal called “the death of the silver bullet fantasy” a major win for cybersecurity. Meanwhile McAfee CEO Christopher Young called for a culture shift across organizations to realize that cybersecurity is everyone’s responsibility.
This theme has echoed across the rest of the conference as well.
Technology Does Not Make Security
Panelists have addressed blockchain in nearly every session, either bringing it up themselves or responding to questions from the audience.
In a panel about building trust in an insecure world, Adam Ross, a manager at GmbH, noted that blockchain does not build trust. It is merely a means to store data, and does little to guarantee that the information it stores can be trusted.
In the same vein, machine learning technology is a valuable supplement to human cybersecurity teams, which are understaffed with skilled workers. But machine learning processes are highly corruptible if not properly secured.
Even encryption, an almost automatic part of privacy and security processes by now, only works if there is a deliberate decision.
“It’s easier to say I can’t than I won’t,” said Moxie Marlinspike, founder of Signal.
Organizations that have taken custody of our data are under constant pressure to divulge that information to governments. If they care to protect our data, they need to build their systems in a way that no one can access it, not even themselves.
The Importance of a Sound Strategy
While technical solutions are an important part of security, it’s how they are used that makes security. In the past, there has been a culture of treating security as an afterthought. Now, the question of how to use that technology is a question that has been the subject of many panels across the show.
While the answer is far from simple, two essential parts of it are building a sound business case for cybersecurity and focusing on outcomes. What this accomplishes is up-leveling the conversation around cybersecurity issues so that executives don’t feel lost in the technical quagmire of the day-to-day operations. It also opens to door to understanding what is important in this task.
Theresa Payton, CEO and President, Fortalice Solutions and former White House CIO, noted in a panel the importance of prioritization. Limited resources mean that no organization can protect all of its data equally well. Deciding what is important and starting a conversation about what a cybersecurity program should do lead to the beginning of a plan.
We will always need innovation in cybersecurity to keep ahead of the hackers that threaten our digital landscape. Tools, platforms and techniques that make it easier to identify and stop hacker activity will always help, but many of the innovations we need are in the processes we use to make our organizations secure. Remember that people are part of this too.