The cybersecurity industry has allowed the “mainstream media” to create an image of smart attackers overwhelming under-resourced infosec workers, complains the head of a leading firm.
RSA president Rohit Ghai made the claim in his keynote Tuesday officially opening the annual RSA Conference in San Francisco.
Leveraging the conference’s them of The Human Element, Ghai alleged the security industry has lost control over its “story” to unnamed publications who paint the fight with adversaries as a “technical conflict” organizers are losing.
The image painted publicly is that “a strong and well-organized force of cyber hackers use their technical prowess to wreak havoc on understaffed and burned-out security teams,” he said. “Users … are not technically savvy enough and are being manipulated with social engineering attacks, making the job of security professionals even harder.
“This story evokes pity for security team [and] fear from the hackers.”
Improvement, he said, “feels pretty far away.”
“While we have focused on preventing hacks on infrastructure, the adversary has hacked our brains and cranked up the contrast in our story … All hackers are technical sorcerers. All users are old gullible folks with technophobia, and we are hapless techies who solely focus on zero-day vulnerabilities and the most advanced threat vectors.”
But he also blamed the industry for allowing the media to depict infosec pros as “losers” since most stories people hear about are the ones about losses.
“We don’t share any wins, not because we don’t have any but because we fear it will divulge our security posture. Or perhaps make us complacent, or paint a target on our backs.”
Infosec pros don’t have to “win,” he added. Hit by a devastating ransomware attack last year, the city of Atlanta defeated its attackers by refusing to pay up, he argued.
Ghai did credit hackers with doing a good collaborating with each other and creating “an arsenal of cyberweapons that enable the technically less sophisticated to inflict a lot of harm.”
Many attacks are successful because of stolen credentials, he explained, not that hackers have the best technology.
“We continue to spend an inordinate amount of energy preparing for the most sophisticated threat vectors, while most incidents are due to very, very basic issues or unforced errors. Preparing for the worst does not prepare you for the likely,” he said.
Infosec pros don’t collaborate well with users, business, risk and IT teams, he added.
And while executives and boards may be more interested in cybersecurity than ever they remain on the sidelines, Ghai argued, instead of being part of the cybersecurity success story. They should be what he called the zero line of defence, setting the strategy and providing context to security operations so infosec pros can focus on the risks that matter most.
One investment company recently said it will not manage initial public offerings for companies with no gender diversity on the board, Ghai noted.
“I look forward to the day boards mandate cyber competency as a core capability in addition to the focus on diversity,” he said.
He went on say infosec pros should “stop being STEM snobs,” and to consider potential, when hiring, not just technical expertise.
He saved some of his harshest words for IT.
“For far too long we have failed to hold IT and software makers accountable and responsible for cyber hygiene and vulnerabilities,” he said, adding IT is more worried about “scripting and owning the story of digital transformation.”
Forget about hoping that market forces will punish software makers who don’t reduce their attack surface, he said.
“The story we want [of the security industry] is a business story of cyber resilience, not a technical story of cyber ping-pong.” It should be a story of the human experiences technology enables, said — not an “unhackable world but the magical humanistic outcomes of digital transformation despite hacks.”
We don’t have to convince the world infosec pros are successful, he added, just to get people to believe we can be.
The conference went on despite the withdrawals of a number of firms including Verizon, AT&T, IBM, six firms from China and an unnamed Canadian company. Some 40,000 are expected to attend the seminars and trade show.
The city of San Francisco declared a State of Emergency to begin preparations in case there is a coronavirus outbreak. As of Tuesday, there were no reported cases. The city stated that residents and visitors remain at low risk for becoming infected.
Cybersecurity Conversations with your Board – A Survival Guide
A SURVIVAL GUIDE BY CLAUDIO SILVESTRI, VICE-PRESIDENT AND CIO, NAV CANADA