Fast-Changing Security Landscape May Render This Year’s RSA Conference the “Most Human” Edition Ever

While mind-blowing technological innovations are being demonstrated and perspective-shifting strategies and philosophies shared in every corner of next week’s RSA Conference in San Francisco, it’s very possible that the gathering of more than 50,000 cybersecurity practitioners will be the most “human” in the nearly three-decade history of the event.

Let me explain.

As we all know, the cybersecurity business has changed. A lot. First, the long-standing emphasis on defending the perimeter fell to the wayside as the era of mainframes and client-server computing gave way to the highly distributed Internet age. Then the cloud and social networking arrived on the scene, further complicating matters by placing computing assets and data all over the place.

Now, with the Internet of Things increasing the number of endpoints exponentially and artificial intelligence changing the rules of engagement, the idea of protecting systems and the data residing in them has become near folly. Instead, cybersecurity has evolved into a game of cat and mouse in which it’s accepted that the bad actors will get in, and it’s more a matter of tracking them and limiting the damage when they do.

Meanwhile, just as the bad actors have seen so many new openings to exploit, employees have also been confronted by so many new ways to expose data and systems. Workers in every role, from store clerks and maintenance staffs to truckers and dock workers, are interacting with complicated technology back ends, accessing and updating data, and quite often opening up more gaping holes for bad actors to exploit.

Which brings me back to my sense that this will be a historically “human” RSA Conference. Not that the role of humans in security is a new topic. Numerous RSA Conference sessions have been devoted to topics such as insider threats, social engineering, and user behavior modification over the years. But never before have these topics carried the weight that they do now.

Consider that a McAfee study published nearly two years ago found that internal actors were responsible for 43 percent of all data loss, a figure that any CISO will undoubtedly tell you has risen since then. Half of those data losses, the report added, were accidental.

Fast forward to today, and a more recent report from threat detection vendor Dtex Systems found that nearly two-thirds of all insider attacks are due to careless behavior or human error.

The question is: How has this been allowed to reach such epidemic proportions?

In a guest column for CSO magazine last year, Jeff Capone, CEO of security startup SecureCircle and former CTO of Netgear, suggested that there is no getting around the security scourge that is human beings, regardless of where they sit along the security lifecycle.

“I recently saw an ad that read, ‘Security starts with people,’” Capone wrote to open his piece. “After twenty years in security, I’ve learned that security problems typically start with people, and having them responsible for implementing it is usually a bad idea.”

Capone argued that human beings have an insatiable need to be efficient, and that doing things the fastest and easiest way is often at odds with security. And if this is the case among those implementing security, just imagine the impact of shortcuts taken by rank-and-file employees.

The only solution that would consistently eliminate this human fault, Capone wrote, would be removing people from security entirely, replacing all human decision making with automation and encrypting everything.

The problem with Capone’s position is that it simply is not going to happen—it’s too expensive, and too restrictive for most companies to consider. A paper published by Elsevier all the way back in 2012 offered a contrary approach, arguing that actually incorporating an understanding of human behavior into cybersecurity products and processes would lead to better technology.

As any security executive will tell you, there has been some progress on this front over the years since, but nowhere near enough.

Which brings us back to next week’s RSA Conference and why this theme of human impact is worth watching closely. It’s clearly something conference organizers had in mind as they put together sessions, as there are several high-profile opportunities for attendees to dive into the intersection of cybersecurity and human behavior.

It starts with an all-day seminar on Monday led by Dr. Lorrie Cranor, a professor at Carnegie Mellon University and director of the CyLab Usable Privacy and Security Laboratory. Joined by a lineup of thinkers from some of the nation’s most prestigious universities, Cranor will explore how security, privacy and human behavior intersect, and the threats and challenges that result.

Those who can’t make that seminar will have an opportunity for a Cliff’s Notes version of it on Tuesday, when Cranor brings a few of her co-panelists from the day before on stage to share highlights, and hopefully shed a little light on how organizations can work toward humans no longer being the primary attack vector they have to worry about.

But those who really want some hands-on methods with which to combat the human threat will want to check out two sessions Tuesday afternoon. The first one will feature Branden Williams, director of cybersecurity at Union Bank, who will provide some tactical guidance on how security pros can become “effective choice architects” able to nudge employees toward making more secure decisions.

For a more strategic viewpoint, Lance Spitzner of the SANS Institute will take the stage later in the day to coach cybersecurity executives on how to manage human risk through a mature awareness program that increases organizational understanding and habitual use of security best practices.

If all this serious discussion of human-generated vulnerability wears you down, we’re guessing that comedienne Tina Fey will offer up some less-ominous observations about human security foibles during her conversation Friday with RSA Conference Program Chair Hugh Thompson.

If nothing else, she’ll take your mind off all the items that your week at the Moscone Center will have piled onto your to-do list.

Until then, please travel safely, and see you all in San Francisco!

*** This is a Security Bloggers Network syndicated blog from RSAConference Blogs RSS Feed authored by Tony Kontzer. Read the original post at: