RSAC 2021 Keynote: Telling Hard Truths to Impact Change in Cybersecurity

RSA Conference

(sign whooshing) (uplifting fanfare) - [Announcer] Welcome to our keynote conversation for RSA Conference 2021.

Please welcome Angela Weinman, Head of Global Governance Risk and Compliance for VMware, and Jimmy Sanders, Information Security for Netflix.

- Hello and welcome.

It's great to be here with you today, and to be joined by Jimmy to cover some hard truths.

Both of us have a passion for driving change in security, and being just a little bit disruptive.

- (snickers) Just a little bit disruptive.

Oh, that's a little understatement, Angela.

It is an honor to be here alongside you.

I remember the often used quote, "May you live in interesting times." I'm sure our colleagues watching this can agree that we've all experienced dynamic revelations.

Angela and I don't presume to have the answers, but we have some ideas.

Thus, the hard truth should not be a surprise.

We're here together in support of the idea of empowering one another, and maybe some of you.

Our shared goals are not to patronize you, but to hopefully motivate you to embrace emerging ideas to make things better in cybersecurity.

Angela and I, I feel as though we're partnering together on this ambitious journey.

- Agreed, and with that in mind, together we're gonna cover three hard truths about security, with suggestions on how to address these more effectively, in light of the past year's shared experience.

There's a lot to cover, but our overall goal is to increase security resilience going forward.

Let's jump right in.

Jimmy, can you please take us to the first hard truth?

- Yes, hard truth number one is that the security risk picture is out of focus.

This is directly linked to greater resilience, since if we can't accurately determine risk, it becomes difficult to rapidly recover from impacts.

We have to acknowledge this, considering the last year that we've all experienced.

Angela, what are your thoughts?

- Well, if we don't get this one right, we're initiating projects, we're investing resources, using the wrong priorities.

It's essential that risk drives what we do, because security is, after all, one big risk management program.

So what's the hard truth here? We're not managing our risks well enough.

This reflects directly at the business level, of course.

In a study we just did with MIT recently, less than half of top executives said they were happy with how their resiliency risk plans were executed last year.

- Less than half? That's not even a passing grade.

- (chuckles) Exactly, so what's the observation here? It's that our desire as security professionals to be accurate can cause us to be too conservative when predicting risks, and impacts, and necessary treatment.

Maybe we should be zooming out.

Trying a wide angle lens instead.

Thinking in terms of a spectrum of impact, rather than a narrowly defined scenario.

As an example with the pandemic, it wasn't enough to plan for critical staff working from an alternate location, or from home for a period of time.

- I could not agree more.

That's the crazy thing.

Many of us focus our plans for who is critical.

And as it turns out, last year that meant everybody in your organization.

- Looking back, virtually no one anticipated things correctly.

Turns out the business need was for almost everyone to be remote for a year or two, not a few folks for a month or two.

If we'd looked back a hundred years to the 1918 flu, and used a spectrum of impact to help consider more of the edge cases, it might have helped.

It turns out those who could pivot fastest last year were the ones who had the broadest plans, or who could mitigate by being the furthest along their digital transformation journey.

- So Angela, if there is a struggle currently today, with the credibility that we have in the way our companies view our current risk strategy, how can we handle presenting broader and bolder risk views?

- Well, the best way is not to struggle to make decisions alone, but to lay it all out.

Present the spectrum views to your CISO, risk committee, executives, your audit committee, the board, wherever you normally do your readouts.

Let the business drive agreement on where on the spectrum predicted impact should go, just as similar dialogues drive risk posture decisions today.

So Jimmy, apart from the pandemic.

Wow, did I just say that sentence? It's kind of an odd one, but what else did we see over the past year that shows us that the risk picture is out of focus?

- Focus is a matter of deciding what things you're not going to do.

And what we've seen is we've been protecting our security environment like pieces on a checkers board, where every piece is valued the same.

We must broaden our views, and prioritize environments, so we ensure that not all environments are protected and viewed the same.

In chess speak, we must see the entire board.

We must ensure we build resilience into our environments where the taking of a symbolic pawn, or even a rook, doesn't mean it's game over, or a total disaster for our entire environment.

So let's zoom out as Angela was saying, and see the entire board.

- Thanks, Jimmy.

Great analogy.

There's so much more we could cover on the risk front, but let's leave this one here, with the suggestion to shift our risk perspective, and zoom out.

That leads to our second takeaway.

We have to throw out some of our old ways of doing things because, second hard truth, legacy security practices are slowing us down.

This is a big one.

We might ruffle some feathers here, Jimmy.

So where should we start?

- And so ruffling feathers is something that I'm very comfortable with, because I spend my time railing against legacy security practices, and the lack of diverse voices within our security community.

Witnessing the rise and fall of companies, products, and best business practices throughout my career, it is an imprinted, deep belief within my psyche.

That belief is that we, the collective we, must create an environment where the best ideas win.

And what happens is this improves our security posture overall.

These diverse thoughts stem from allowing competing ideas and viewpoints to be voiced without the fear of ridicule and condemnation.

My current company, they do a great job, an amazing job, at diversity and inclusion.

We work toward the goals of freedom and responsibility.

That is a great starting point.

But diversity and inclusion is not about any one person or company.

What I am championing are the many intelligent minority voices that do not get heard within the security community.

People get the diversity aspect.

Diversity is about getting various cultural groups and individuals a seat at the table.

Inclusion is about being intentional, and allowing every voice at the table to be heard.

- I love that, Jimmy.

Inclusion is about being intentional.

Such a great perspective, thank you.

Allowing all voices, in fact requiring all voices to be heard is tremendously empowering.

It's also a great tie back to our first hard truth about the risk picture.

We can get better risk management and inputs, if we have more points of view.

- My truth is that I realized my company and peers could not be great at security by sticking to outdated security practices.

Thus, what I started to do was continually reach out to various peers, and ask them questions, and to stand on the shoulders of thought leaders in our industry.

This pushed our team to start doing a proof of concept, of a tool, or a technique on a monthly basis.

What transpired from that, is our team developed a resilient and nimble mindset that does not get worried when change happens.

Change is just a matter of course.

Angela, similar to me, I know that this is an important topic for you.

What other ideas do you have on this hard truth about legacy security practices?

- Well, let's shake the trees a little bit regarding security processes.

Driven by the need to be deemed mature, we've built, and often automated, a lot of processes, layer upon layer, almost like a geological formation, hard and inflexible, weighing us down.

And not only us, the business units we work with day to day.

How many things exist so that we can check a box with some long forgotten reason? Is everything we're doing value add to our security posture? If not, why are we doing it? Again, more support for thought diversity here too.

- I love that idea of thought diversity, because it's often the employees in new positions that provide a new perspective on what might be redundant work.

They can question without having been involved in the history, or ingrained into the thinking of this is how we like to do it.

- Yes, new team members are great at this.

Also, someone on rotation from another group, or anyone frankly who's had a long break.

There's so much opportunity to throw things out.

Let's just go ahead, get them out of there, maybe replace with something better.

Even with compliance, continue to question, and throw out things that have changed.

Cross questions off questionnaires, make them shorter.

Everything should be open to be legitimately challenged, and potentially thrown out.

- Well, but for many of those, those are fighting words, Angela.

And so my question to you is, what do you think about how we decide what to throw out?

- It's going to depend on what we're looking at for sure.

But as long as we actively map efforts back to cyber hygiene fundamentals and business goals, and find the areas of concentration, are they what we'd expect? We can validate these decisions.

Also, it's going to take a bit of negotiation with those around us, but it's going to be well worth it.

It's not just a good idea to throw things out.

Its a survival tactic, in order to scale and to move faster.

Let's constantly challenge the how, as well as the why, and be brave.

There's plenty of security work to do, be bold.

Throw things out.

Lastly, we have to be willing to reach out.

Jimmy, please bring us home with the third and last of our hard truths.

- Certainly, the last hard truth is very relevant to the past year.

The last hard truth is that security is not a solo sport.

It's been a tough year and let's be honest, being able to talk to each other has helped us, especially me, get through it.

You may be a super security person at your current technology company.

Whatever stage you are in your current career cycle, we, the security community, we need your ideas.

We need your effort.

We need your collaboration.

I think of the term snowball effect, because all the great ideas build upon each other.

We, the security community, need to ensure that the best security practices are accessible to everyone.

Similar again to great chess players.

All the moves of all the great chess players in the great matches were out in public for masters and beginners alike to study from.

Instead of chess terms, I view us as heroes.

We are the heroes protecting our companies and employees from the threats that we face on a day-to-day basis.

However, a single entity can't curb the overall rise in security breaches, regardless of how amazing their individual security structure may be.

But together, us, the security superhero group, sharing knowledge and effective techniques, can achieve what a single company can't.

And that is, achieve greater security resilience.

With that, I wanna pass to my partner, and superhero Angela, for her ideas.

- (laughing) Thanks, Jimmy.

This one is close to my heart, literally, because relationships and connections are table stakes for success in security.

This applies at all stages of having a career in security.

It can be a common misconception that, because of what we do, we must work in individual secrecy.

It doesn't need to be lonely to tread a new path.

Of course we have to stay within what's legally allowed, but it's as if we never graduate from security school.

It's always good to join a study group.

Personally, I wouldn't be anywhere near as successful without the help of others.

I still vividly remember the first help I got from reaching out to a vendor, very early in my career.

It was an eye-opener.

- Angela, I wholeheartedly agree.

My journey started out as I was the only security person at my company, where I would threaten my company that if we didn't buy this tool, or buy this silver bullet item, we wouldn't pass an audit.

But what ended up happening was that my rapid learning curve occurred once I started joining organizations and working on my professional network.

And what I see currently is that the most rapid growth in many security practices happens when they start sharing what went right, but also what went wrong.

I lead the emerging technology group for ISSA International, and our charter is to explore, document, and distribute information to the security community.

We wanna do that so that we can illuminate leading edge, and effective security practices and controls.

I welcome you to join this expedition that we're going on, or find other like-minded groups that are readily available to join.

- There were so many options, sometimes too many options.

Back to our earlier takeaway, maybe keep some, throw others out, make our own new groups.

Security is such a great community, and supports reaching out.

We just have to be willing to give, as well as to take along the way, and be prepared for the fact the answer will sometimes be no, and thats okay too.

Back to our community.

There's a concept called community resilience, where a community works together with creativity and flexibility to solve problems.

This sounds just like us, reaching out to drive greater resilience overall.

Well, we've certainly reached out to each other today.

Thanks, Jimmy.

Any final thoughts?

- I've had such an amazing experience that I know that Angela and I will be continuing this conversation offline.

I encourage you to reach out to me with any questions, or anything, because, working together, we can make security better.

Personally, I'm excited about the current and future generation of visionary security leaders that are driving the industry with their amazing ideas.

The technology community has shown amazing resilience in these trying times.

We hope that all of you are as optimistic as Angela and I, because together we've looked at these hard truths, and taken actions to make things better.

We understand that shared accountability, increased diversity, as well as embracing innovative, scientifically effective techniques will allow us together, to impact amazing progress, and change within our industry.

However, the ultimate lesson that I want you to take home from this is that we need each other now, more than ever, in these exciting times.

- To wrap things up, there are three takeaways from today.

How do we become more resilient? We've got to zoom out, throw out, and reach out.

To zoom out, try a wide angle lens for viewing risks and the spectrum of impact.

Throw out those old ways of doing things, and reach out.

We're more resilient and better at security when we leverage our relationships and collective knowledge.

Jimmy, it was a real pleasure working through these truths with you.

Thanks, everyone, for joining us, and to moving forward and being more resilient together.

Please stay safe, and enjoy the rest of the conference.

- Hi, Mom.

(music)
