RSA 2019 top takeaways: AI, diversity and the need for a new cybersecurity culture
SAN FRANCISCO — RSA 2019 kicked off here with bold plans for the future including unleashing new innovation to improve humanity, reclaiming the internet for social progress and improving efficiencies to eliminate famine and poverty — all of which, of course, are predicated on the foundational element of solid information security.
That was the grand and future-looking vision, of course, rather than what’s actually happening in the here-and-now.
I came away from the conference with a clear sense that infosec as an industry needs to embrace emerging technologies with a hearty dose of skepticism, diversify its workforce for existential reasons and, what’s more, create a new culture that both embraces a wider range of ideas and empowers security professionals to respond more effectively in live crises, be those cyberattacks, natural disasters or unforeseen incidents.
SANS Institute officials, for instance, outlined new attack vectors, including DNSpionage, cloud-based personalized attacks, domain fronting and more CPU flaws, and offered advice about how to protect against them.
Many vendors showed off new technologies and artificial intelligence and machine learning, of course, were all the rage. Amid all the hype, however, some pointed questions arose. When we talk about AI for cybersecurity, what are we really talking about? Are we evaluating AI objectively enough relative to inherent bias? Since hackers and cybercriminals have access to the same AI and data as well-meaning entities, will the technology ultimately make us safer or endanger the world?
Obviously, those questions did not all get answered but it became clear that AI alone won’t secure all our data and the human element is even more important than technology. And that is both a major challenge today and a great opportunity to bolster security.
The challenge of the human element is that both IT and infosec are facing talent shortages. One estimate puts the coming shortfall at 3 million information security professionals across all sectors, including but not limited to healthcare.
At the same time, the security industry has a burnout problem that’s only going to get worse. Whereas in healthcare the word burnout evokes pictures of clinicians, nurses, doctors, the problem is also driving security pros into various states of exhaustion, cynicism and a perceived lack of self-efficacy that erodes an employee’s sense of their own value.
Burnout and the talent shortage are also opening up a need to diversify cybersecurity teams, and not just for feel-good sentiments but also for legitimate business reasons. One statistic presented during a keynote, if at all close to true, says a lot: Diverse teams make better decisions 87 percent of the time.
Survival is another. With so many open jobs, executives will essentially have to seek new ways to recruit and retain workers of diverse backgrounds. The diversity and inclusion discourse also took a twist to include not just individuals but ideas because often those come from surprising places and people.
Seeking ideas outside the information security team, naturally, will require an entirely fresh culture that includes new ways of thinking and operating by empowering people rather than inhibiting them with rigid protocols and policies that get in the way of making decisions in the chaotic midst of a cyberattack or data breach.
Such culture change will also take root outside the security team. Indeed, the need to secure IoT devices is giving rise to the need for IT, security and OT departments to work together, a distinct change from infosec executives stepping in and mandating policies the rest of the organization must adhere to with no exceptions.
As I noted, RSA kicked off with a visionary glance at a better future based on strong security posture. While that future remains on the distant horizon, the starting point is clear: Organizations across industries, including government, must join forces because the cybersecurity threat is bigger than any company, health system or federal agency.
Healthcare IT News is a HIMSS Media publication.