As a cybersecurity practitioner, I love being in San Francisco during the annual RSA Conference. Each year, I walk away with a fresh perspective on how the industry is taking shape and new insights from industry peers and colleagues. This year was no different. I was honored not only to participate in several sessions, but also to attend as a listener.
Here are my top 6 takeaways from RSAC Week 2020 with a focus on this year’s theme: The Human Element.
#1: Automation fails to identify certain vulnerabilities, and business context should always be included in vulnerability management
My colleague Vanessa Sauter, Security Strategy Analyst at Cobalt, presented at BSides SF on Human or Machine? The Voight-Kampff Test for Discovering Vulnerabilities. Vanessa examined the differences between human-found and machine-found vulnerabilities.
The important element that was brought up is that neither machines nor humans alone win at finding vulnerabilities. It’s about applying a combination of both automation and human expertise. Only humans can understand workflows and use context to identify flaws, but machines can help with automating repeatable and reproducible vulnerabilities — thus saving time and energy on low-hanging fruit.
I was thrilled to learn more about specific cases where machines have an advantage, and where humans do. Fundamentally, a firm grasp of system architecture and networking protocols allows humans to think big picture. With strong contextual awareness, humans can deploy both automation and system knowledge to find more serious issues, like business logic flaws.
#2: Allies in cybersecurity are extremely important
Over the past several years, I have seen the industry make strides to promote diversity and inclusion in cybersecurity. This year I attended the Ally of the Year Awards 2020 Celebration, an event hosted by a non-profit organization striving to make substantive differences for women in technology. I caught up with amazing folks driving diversity in the industry, including my friends Nathan Chung, Kavya Pearlman, Tyelisa Shields, and Karen Worstell.
It’s extremely important to connect with others in infosec to help advance equality. I thoroughly enjoy being a part of events like this that help recognize people who are making a difference in the security space.
#3: Strengthening the engineering and security relationship is key for successfully getting issues fixed
This year during RSAC, Cobalt hosted its first in-person conference, the Shift AppSec Summit. One of the sessions, Fixing Vulnerabilities at Speed: Where Security & Engineering Intersect, brought leaders from both security and engineering to discuss fixing vulnerabilities at speed so that an organization can scale securely. The group spoke honestly about the tension between security and engineering, why it’s there, and what solutions we can adopt. They dove into using shared metrics, understanding the other team’s perspectives, exploring security as a quality assurance issue, and advising attendees on how to embed a pro-security culture. In general, I appreciated the group’s straightforward yet empathic way of tackling this prevalent issue between security and engineering.
#4: Don’t make assumptions on what security topics people want to learn about
I joined Kris Lahiri and Vanessa Sauter in a discussion around the human element and DevSecOps at RSAC’s Broadcast Alley. We observed that over the years, we’ve seen a lot of advancements in technology and tooling. Yet at the end of the day, security comes down to its people. It’s a collaborative effort. For this collaboration to be effective and positive, I believe it’s important not to make assumptions. Don’t make assumptions about what people want to be involved in or what security topics they want to learn about. Engage with folks early and often, in an empathetic way.
I’ve noticed that security leaders are more curious than ever and came to RSAC 2020 with a desire to listen and learn.
#5: Make security more lovable
During Cobalt’s Shift AppSec Summit, I also had the opportunity to speak on a panel with an amazing group of security leaders around the topic of Security Love Languages: How to Win Friends and Influence People. In this session, we discussed how to communicate security to different internal and external customers. We discussed nurturing empathic and supportive relationships, reassuring the organization through structured processes, and fostering a psychologically safe place to have open and honest conversations around security.
My main takeaway from our conversation is that, as an industry, we need to do a better job of making security more lovable. Security should be delightful, friendly, easy to use, and overall something that people want to engage with.
#6: The security industry needs to take back the narrative and amplify its voice
I found this year’s keynote by Rohit Ghai, President of RSA, to be one of the best in recent RSA history. Storytelling brings meaning to our lives. It is a part of what makes us human. In his presentation, Rohit explored the evolution of the security story and examined how mainstream media has warped it into a narrative we no longer control.
Rohit urged the security industry to take back the narrative and amplify its voice. “Preparing for the worst doesn’t prepare you for the most likely,” Rohit stated. “We need a business story of cyber resilience, not a technical story of cyber ping pong.” We need to bring business leaders and IT off the sidelines. To change our story, we need to reclaim our narrative, rethink our culture, and reorganize our culture.
It was great catching up with the amazing individuals in this industry and listening to them share valuable insights. What’s your biggest takeaway from this year’s conference? Tell us in the comments!
Interested in learning more about Cobalt.io’s Pentest as a Service offering? Schedule a demo today!