RSA Day 3: The security industry’s dark secret takes center stage

Thursday’s opening keynote addressed an issue that has become front and center for the security industry over the last year—mental health.

Last August at Black Hat was the first time a specific conference track had been dedicated to the infosec community to present on stress, burnout and mental health. Fortunately, that has carried over to RSA which featured a stimulating conversation between Josh Corman of I am the Cavalry and Christina Maslach, a Professor of Psychology (Emerita) and a Researcher at the Healthy Workplaces Center at the University of California, Berkeley.

As Maslach stated, Silicon Valley has always encouraged and rewarded burnout. In the ’90s during the dot-com boom, it was seen as a badge of honor to work for days on end and sleep (when you could) underneath your desk. You would do this for a couple of years, with the reward being some sick stock options.

Workforce shortage exacerbates burnout

The skills shortage in the cyber industry has been a common topic for years now, and most vendors use it as a talking point by claiming their AI/ML-infused products will alleviate this issue. This skills shortage has another effect though—increasing the chance of burnout.

As Maslach mentioned to Corman on stage, it’s hard not to react to every single little sound or vibration, whether it comes from our phone or computer. However, that is just an everyday human problem; now think about this in the context of a security operations engineer.

Organizations typically use dozens of different tools on a daily basis—CSO reported in 2016 that the average company uses 75. I installed a Google Calendar extension into Slack this week and am overwhelmed just from those notifications; it’s hard to picture that multiplied by 75.

Culture and managerial structure can be a differentiator

I particularly enjoyed Corman’s personal anecdotes from his infosec career and how different managerial structures and company culture can either help combat or unintentionally encourage burnout.

Companies should be mindful that certain managerial decisions or even reward systems can directly contribute to burnout. Organizations that ask all members for feedback on ways to treat each other better are being proactive, given that our primary resource is people and, as stated previously, those are already in short supply.

Incident responders are the digital equivalent of first responders in the medical field. At times we have to hold secrets about our work, which can add additional stress. Unfortunately, there are times when coworkers are showing signs of burnout and, instead of empathy and compassion, they are called weak and told they aren’t cut out for the industry.

Stay in your lane

It was refreshing to listen to Corman and Maslach given earlier drama this week, as SOAR upstart Swimlane attempted a tone-deaf stunt that backfired when RSA banned the vendor from the conference at Moscone.

Swimlane staged a fake protest to promote its product which relies heavily on automation and positioned itself as helping combat analyst burnout and stress. (See a picture of the protest from Tom’s Guide security editor, Paul Wagenseil.)

To make matters worse, Swimlane issued a press release claiming it was wronged by RSA. Whatever buzz they hoped to generate at the show ended up rubbing many the wrong way.

I for one enjoyed my time with the adoptable puppies at the ThreatQuotient booth. This was a cuddlier and friendlier way to generate attention at a packed Moscone Center than playing the victim after making light of mental health to promote a product.

Building a safe and inclusive infosec community

At the end of the day we’re going to get the culture we invest in, and it’s important to work for an organization that encourages feedback and ideas from every member.

During a conversation with a data scientist colleague this week he remarked, “the greatest minds of our generation are trying to get people to click on ads.” This was top of mind as I took in Thursday’s keynote.

While it won’t happen overnight, hopefully raising the issue of mental health in our industry and fostering an inclusive and safe environment can counteract the very people who are trying to make us more glued to our screens.

RSA Day 2: Getting More Involved in the Cyber Issues that Matter

While yesterday’s RSA keynotes highlighted the need for increased trust and transparency in cybersecurity, today’s discussions were all centered on how to make those changes a reality – starting with getting individuals more involved in the issues that matter.

Calls for Comprehensive Legislation

Harvard Kennedy School’s Bruce Schneier kicked off the conversation by discussing how technologists can get more involved in impacting cybersecurity legislation. While the internet has developed exponentially since its creation, legislation surrounding it has not. Schneier stressed that this needs to be changed and it needs to start with people who understand the technologies dominating the security landscape on both sides of the battlefield.

He touched on current cybersecurity regulations like the EU’s implementation of GDPR, Australia’s implementation of legislation that enables law enforcement to access encrypted data upon request, and how the U.S. can start getting more involved in the conversation. The takeaway? If we want technology to continue to grow and expand in a way that is going to be beneficial, we have to get it under control. And the best way to ensure its longevity is by getting the people who know it best more involved.

Power to the People

Microsoft’s Corporate VP of the Cybersecurity Solutions Group, Ann Johnson, also used her time to discuss the more human aspects of the industry – namely noting how expanding the cyber workforce and increasing its diversity will be the best way to propel the technology behind it. She emphasized that work in cybersecurity can be the most rewarding, yet the most taxing. This could explain both the exceptionally high stress rate among industry professionals and the three million job openings still vacant within cybersecurity organizations.

Johnson encouraged organizations to prioritize a diverse workforce and to foster more positive atmospheres. She discussed how these steps can boost employee retention and provide variety in organizational approaches to issues. She also noted that more diverse teams make better decisions 87% of the time. Johnson highlighted how work in technology and cybersecurity, in particular, is beginning to change. As today’s tools become more capable of alleviating some of the responsibility formerly held by human counterparts, professionals are starting to explore new avenues in the field. “Tech is amplifying our human capacity to separate the humans from the noise,” Johnson said.

Combining Tech and Human Intelligence

Facebook’s Head of Cyber Security, Nathaniel Gleicher, and Twitter’s VP of Trust and Safety, Del Harvey, also discussed the necessary partnership between tech and human responsibility, which together allows platforms to better differentiate between human and non-human interference and determine next steps accordingly. They each discussed some of the sensitivities that both platforms face when regulating user content, most notably how to differentiate technical interference from legitimate content so as not to violate users’ First Amendment rights. But both individuals noted that as technology continues to advance, the lines between technology and legislation continue to blur.

Overall, day two of RSA highlighted the incredible contrast between just how far technology and cybersecurity have come, and how much farther the industry and legislation behind it must advance in order to keep it as reliable and benevolent as possible. But if today’s speakers emphasized anything, it was that change is never quite as far away as it seems – in fact, it is already taking place and it is starting with security technologists like you and me.

RSA Day 1: Takeaways from the #HWCyberSquad

Last year we saw major data breaches monopolize the headlines, while privacy issues became top policy discussion items. 2018 was the year that trust was lost.

The 2019 RSA Conference theme “better” was broken down in this morning’s opening keynotes with the idea of trust in mind, as the security community comes together to grapple with these major issues. The keynotes outlined three steps in order to achieve better trust in the future.

Risk and Trust can Coexist

The first step in building trust within security is recognizing that risk and trust can coexist. Software has become increasingly integrated into all aspects of our lives, and with that, data consumption has also increased, creating a high cyber risk environment.

By focusing on risk management and recognizing its prevalence, security teams will begin to gain that trust back. We are seeing this addressed by technologies being created with risk management integrations. New technologies now include some form of risk management or mitigation option. Along with these integrations, policies are also starting to emerge to support risk management and ultimately ensure trust in a high-risk landscape.

Man and Machine Need to Work Together

The second step is recognizing that if people work closely with machines, we will produce the most trusted security. When AI was first introduced to the security world, many people worried that machines would take over jobs, because they could quickly and efficiently resolve issues or questions. However, we found that although machines could get to an answer quicker than any human, they could not explain how they got there. This broke down the trust in the machine’s ability to verify the security it was providing.

We now know that the best way to build trust in security is for human and machine to work closely together. The technology can then accurately and quickly resolve the issues that the security teams identify and ask it to address.

Creating a Chain of Trust

The final step is to build a chain of trust. Having security teams work and communicate together will be the best way to achieve the most trusted results. In the past, security teams worked in the background and only shared insight and data with a closed group of peers. However, this culture has already seen a major shift. There have even been infosec sharing companies created with the sole purpose of sharing insight and data to help others better protect and secure data.

Businesses are learning from this and evolving the chain of trust to also reach consumers by keeping them informed of what data they have collected on each person and what it is being used for.

Moving into 2019, the security industry is already taking major steps forward in regaining trust in what it is capable of, in order to achieve a better future.

Check back tomorrow for the next blog in this series live from RSA.