RSA Day 3: How To Successfully Apply an Enterprise Cybersecurity Mindset to Other Industries
Welcome to the final RSAC 2020 daily recap. Today’s keynotes encapsulated how what we know, as security professionals, can be applied beyond the enterprise security industry and where we go from here.
To get caught up or refreshed on what happened during Day 1 and Day 2, please see Highwire’s additional blogs:
Securing Critical Infrastructure
Today’s keynotes kicked off with Dragos’ CEO and founder, Robert Lee’s deep dive into what enterprise security professionals need to understand about how to support the security of critical infrastructure. He noted that industrial security is vastly different from enterprise security, and applying the same software across the field can have negative implications.
In looking back at 2019, Lee noted that 55% of industrial control system (ICS) vulnerabilities had a patch but no alternative remediation. He mentioned that in the majority of these cases, simple recommendations would have made the vulnerabilities unexploitable, but IT professionals are used to focusing on the patch. The hyper-focus in enterprise security on endpoints “doesn’t really apply” to ICS. In fact, from Lee’s research, more than 50% of vulnerabilities are ‘useless’ and don’t deserve the time spent attempting to create a patch. You can read Dragos’ full 2019 year in review report here.
The most critical takeaway from Lee’s talk is that, from his research, 91% of clients had the opportunity to increase security in their environments but were blocked by vendors. His advice to OEMs as they leave the conference? “Your opportunity in 2020 is to figure out the barriers for your clients and help them figure out the easy hardenings” in their environments. He shared resources and next steps for OEMs here.
Hacking Your Life
Next, we heard from Bruce Schneier, a security technologist and lecturer at the Harvard Kennedy School, who discussed how “our expertise in security [can be transmitted] to other activities.” His point: security skills are becoming more broadly applicable.
A great example of how security terms and concepts can be applied to other areas of our lives? Junk food. It represents one instance of how a change in the threat model (the introduction of new food processes and chemicals) produced a new vulnerability (our cravings for sugar). But it’s not the only example of how security frameworks can be applied to other areas of our lives.
Schneier’s biggest examples were political. How is a tax code like computer code? Why is election spending hacking our democracy? His ideas are still in development but he mentioned he will likely further develop the framework through a book or essay soon.
The Triangle of Information Security
During Akamai CSO Andy Ellis’ talk, he compared his company to the “shopping mall of the internet,” laughingly dubbing himself their “Paul Blart” (mall cop). Ellis dove into the three pillars of information security: Integrity, Availability and Confidentiality.
While starting with the integrity of the system is the foundation of security, both the availability of the technology and protecting the confidentiality of its users are equally important.
Ellis ended his talk noting that while IoT and 5G are new challenges that will affect how we approach each of these pillars, new challenges also guarantee that the security industry will continue to expand, and that it will continue to be crucially and increasingly important to other industries.
The Future of Cybersecurity and the Future of Auto
In the final keynote of the morning, General Motors’ CEO and Chairwoman, Mary Barra, discussed the future of transportation. She noted that “there are virtually no industries today that are invulnerable to cyberattacks,” and the automotive industry is no different.
For GM, eliminating car crashes, carbon emissions, and traffic in cities are the three priorities for the next 20 years. In order to do this, Barra knows cybersecurity is essential, mentioning that she believes safety and cybersecurity go hand-in-hand and “a company’s defenses are only as strong as [its] weakest link.”
To achieve this goal, GM has invested in the future of cybersecurity talent, connecting with 300,000 students and teachers nationally. This calls back to a critical point: for us to invest in the future of cybersecurity, we need to focus on the talent gap and on filling IT positions with women and minorities, expanding our demographics.
Where Do We Go From Here?
As the conference wraps up, I’ll leave you with my biggest takeaway. An enterprise mindset can be applied to other sectors, from industrial security to politics to automotive. But to reach the next level, our knowledge of the information security triangle needs to spread and educate wider demographics. The future of cybersecurity requires more voices.
While I loved that at RSAC, and for the first time in my life, I didn’t have to wait in line for the women’s restroom, it was just another example of our need to continue to grow as a community. We’ve made leaps and bounds, but it doesn’t stop here.