If, like our team, you were among the thousands of people who attended the RSA Conference in San Francisco, we hope you are almost fully recovered by now. RSA is a fantastic crossroad to network, catch up with peers, and learn a thing or two. Remarkably, each year of RSA’s coveted sessions offers a time capsule view of what was hot that year in the security industry. “PKI” and “commerce” were buzzword staples at RSA back at the dawn of online banking and shopping. Today, it’s more “cyber” and “risk” heard in the Moscone Center’s halls.
This year RSA felt a bit more sobering and a little less celebratory when talk turned to the industry’s fortunes and the struggles security professionals have when defending their systems from disruptive incidents. After a week of walking the halls, meeting with experts, talking shop at receptions – and little sleep – we walked away with a few strong impressions.
1.) Security professionals’ confidence in their total defenses is plummeting. It’s hard to be a defender when you lack confidence, and ISACA and RSA’s “State of Cybersecurity” survey offers some revealing numbers on this. The study polled security personnel in November and December of 2015. When asked “Are you comfortable with your cybersecurity/information security team’s ability to detect and respond to incidents?” only 31% of respondents said “Yes” and 42% said “Yes, but only for simple issues.”
Despite years of deploying ever more layers of security products, it is clear that defense-in-depth alone does not instill much confidence. Look for this to be a major theme the rest of the year. Stacking new technologies against threats has become a game of diminishing returns and now there is a far greater premium placed on proving how well these different layers work together, which brings us to observation #2.
2.) The cybersecurity field is slowly coming to grips with its talent shortage. For years we have heard there is a dearth of qualified security professionals, but only now is the true complexity of the problem coming to light. One dimension is that newly-minted security professionals need more than classroom smarts to succeed. The majority of ISACA / RSA respondents concluded that “less than 25%” of cybersecurity applicants are actually “qualified” upon hiring.
Interestingly, while there is a multitude of online, vendor-backed, certification-based and other training programs available, the greatest number of respondents (86%) said “on the job training” is how they plan to sharpen their team’s skills. “On the job” is a vague catch-all, but ideally this includes mentorship from senior team members and the benefits of regular exercises that test security teams’ ability to draw on the art and science required to view seemingly benign data and spot potential attacks in motion. With a massive pipeline of cyber talent nowhere in sight, expect doubling-down on your existing talent and finding ways to hone their skills to be a major theme.
3.) Threat intelligence isn’t a panacea. Several media accounts during RSA week called out that threat intelligence – which generated a lot of buzz at the conference last year – has not proven to be quite the “force multiplier” it was touted to be among many organizations. What we heard loud and clear at RSA is that context and personalization are key ingredients missing in threat intelligence. For example, if a deluge of coarse-grained information flows into a security operations center, it risks compounding the existing information-overload challenges incident responders already face in keeping watch over their own data-generating systems.
Of course, end-users need to hold up their end of the threat intelligence bargain too. After all, it is hard to press intelligence providers for specificity if you have poor visibility into what your deployed defenses can or cannot defeat. This gets to the root of the “confidence” problem in Point #1: no matter how credible or remarkable data on the latest exploits, actors, or indicators of compromise are, responders will struggle to act on the intelligence if they are unsure how their current defenses would or could respond to the attack. This becomes an opportunity cost for defenders – it becomes the difference between moving on to the next alert versus tuning and configuring defenses to face the threat.
What did you make of RSA this year? Reach out on Twitter to chime in on the above or call out what caught your eye. We’re ready to submit papers, book flights and do it all again next year!