RSA’s 2016 Message: Don’t Stop Believin’

This year’s RSA Conference seems to have found its way into mainstream press and non-technical publications, benefiting from the additional PR generated by the ongoing Apple-FBI dispute. After hearing several keynote sessions and attending a range of diverse panels covering policy, data science, the dark web, and endpoints, there were nevertheless a few common themes that emerged across these broad topics. In many regards, the themes are not so much an emphasis on the latest technologies as pleas to alter the status quo and pursue progress in three extremely complex but essential areas, given the incredibly hard mission at hand for those in the security industry. The themes – or rather pleas – cross the technical, policy, and organizational realms of the security industry.

Prevention is Still Imperative: ‘Assume breach’ has become an omnipresent fallback position for many in security. Given the high-profile breaches and the increasing sophistication of adversary techniques and campaigns, the probabilistic odds favor the adversary, who only has to be right once, while defenses must stop everything. Like most things, the pendulum swings back and forth, and this is the year of detection and response. Obviously, those are important, but it is equally important that we don’t acquiesce to the adversaries and give up on prevention and on making life harder for the bad guys. At a minimum, a renewed emphasis on prevention as part of a larger strategy can narrow the breadth of attacks, limiting what gets through and thereby informing detection and response capabilities and making their job easier. Although it is an extremely difficult problem set, mitigating exploits and pursuing prevention remains essential to limiting the capabilities of attackers.

Privacy & National Security Can Co-Exist: Just as ‘assume breach’ has become commonplace, so has the notion that there must be a privacy/national security trade-off. This too should not remain acceptable, and the need to protect both was reiterated by government representatives in keynote talks and as panel participants. In fact, the Federal Government is on a major public relations campaign at RSA. Despite talk of a growing divide between Silicon Valley and Washington, DC – epitomized in the ongoing dispute between Apple and the FBI – audiences this year seem more welcoming than in previous years to the outreach. Moreover, the outreach is palpable and comes from multiple organizations, represented by Attorney General Loretta Lynch, Cyber Command Commander and NSA Director Admiral Michael Rogers, and Secretary of Defense Ashton Carter. As Carter noted, the only way to get to a good solution is by working together. But it isn’t just talk, as Carter was able to point to many concrete examples of areas for collaboration, including today’s announcement of the formation of the Defense Innovation Advisory Board, with Eric Schmidt as the chair. Lynch similarly noted examples of successful collaboration, including collaboration with the private sector against the “Gameover Zeus” botnet. In addition to the emphasis on collaboration, the commoditization of data similarly permeated the talks. Data security is a national security imperative – not a trade-off – and requires collaboration and innovation between the communities.

Greater Workforce Inclusion is Possible: Finally, the cybersecurity talent shortage is not only discussed as a given but is also generally assumed to only get worse in the years ahead. However, what remains lost in this dialogue is the industry’s growing gender gap problem. In fact, calling it a gap is a vast understatement, with women comprising just 10% of the workforce. Hopefully, necessity will drive change within an industry that has little chance of addressing the talent shortage while leaving out half the population. Part of this challenge is the industry’s image problem, perpetuated by Hollywood, but it is much larger than that. For instance, there is yet again a striking lack of women on most of the panels at RSA or interviewed by the press. Only when technical women gain greater visibility will other women realize the vast opportunities available to them in this industry. While there certainly are longer-term solutions to address the pipeline challenge, near-term solutions exist and must be pursued to attract women to the industry.

Each of these three areas falls in the realm of ‘wicked problems’ and reflects a status quo ripe for change and innovation. Technically, given the threat landscape, the odds are against comprehensive prevention, but that doesn’t mean we should throw in the towel. Organizationally, it’s time to break down the artificial divisions between Silicon Valley and DC and refuse to settle for a trade-off between privacy and national security. Finally, the numbers are increasingly bleak for gender diversity in the industry, but it is of paramount importance that this changes. We cannot simply accept the status quo in any of these areas; rather, a concerted effort must be made to innovate technically, organizationally, and culturally to advance the industry and our security.