We just returned from RSA Conference, and like every year, it did not disappoint in meeting its charter: “to be a driving force behind the world’s cybersecurity agenda… the place that provides a forum for innovation and partnership… as cybersecurity has become more relevant across all aspects of our daily lives.”
While there was much talk about automation, artificial intelligence and of course, technology, Rohit Ghai, president of RSA, emphasized in his keynote address a point that we, at NetSPI, support day in and day out — valuing the critical importance of people in this complicated and ever-evolving world of vulnerability management.
From the stage, Ghai asked the audience if humans in cybersecurity will matter once technology advances. He argued that, yes, the human element will always matter and what differentiates humans from machines is our ability to tell a story. “We, as cybersecurity professionals, need to change the story of cybersecurity and turn the narrative toward ‘cyber-resilience,’” Ghai said. Bob Keaveney, managing editor of BizTech concurs. He wrote, “Human activity will continue to be the indispensable difference between successful and foiled hacks.”
Considering the importance of the human touch in cybersecurity, we observed these three prevalent themes during RSA:
Takeaway 1: CISO Leadership Must Be in the Boardroom
We are confident that no organization wants to impede its infosec programs, yet as we pointed out in this blog post, many problems can be traced back to miscommunication and misunderstanding of a technical topic by people who do not have technical expertise. As such, planning for communication and collaboration in the early stages of building out your infosec program is critical — starting in the boardroom.
As the individual most responsible for establishing and maintaining the enterprise vision, strategy, and program to ensure information assets and technologies are adequately protected, the Chief Information Security Officer (CISO) will serve as the bridge between the highly technical language inherent in infosec, vulnerability, and data security management programs to other C-suite executives and board members who are more financially, operationally or innovation focused.
Speaking of the human touch in cybersecurity, read this short case study about how Equifax faces a new day in cybersecurity by emphasizing cultural change as a solution.
Takeaway 2: Intelligence Sharing and Cyber Defense Go Hand in Hand
Infosec experts are creative thinkers. They are constantly coming up with new ways to “break things” in a dogged determination to stay ahead of the vulnerabilities their company may face from hackers and manage the remediation of potential (or actual) breaches.
At NetSPI, this new thinking manifests in our commitment to developing open-source tools that strengthen the infosec community. We publish our open source projects and write a blog specific to best practices and information sharing.
Fortunately, we aren’t alone in our belief in the importance of supporting the entire infosec community. In fact, BankInfoSecurity named threat intelligence and sharing a top theme of the show. Further, when analyzing the abstracts from would-be speakers at RSA, event organizers noticed a shift toward submissions examining the limits of machines. “We saw an increase in submissions that documented the inherent weaknesses and challenges of machines, with some deeply technical and wonderfully detailed submissions digging into the specifics and providing guidance and best practice considerations,” said Britta Glade, the RSA Conference’s director of content and curation.
Takeaway 3: Automation as a Tool, Not the Be All and End All
Automation has a clear role in helping organizations with pentesting for enterprise security management. In fact, as this BizTech article states, closing the cybersecurity skills gap is a perennial problem that automation may help solve. Our concern? Automation alone only adds to the flood of information that CISOs are inundated with daily, absent what RSA called “the human element – the experts who can turn those stacks of static reports into real-time accessible reporting as vulnerabilities are found.”
And we aren’t alone in this thinking. In its RSA coverage, CRN.com associate editor Michael Novison advocates for a more pragmatic approach to handling risk than traditional vulnerability management, one that would place both automation and remediation front and center. Unisys CTO Vishal Gupta concurs: “Being presented with a list of hundreds of thousands of problems doesn’t do a CISO much good given the amount of digital assets and software in an organization. Continuously telling businesses what’s wrong is more of a risk identification strategy than a risk mitigation strategy and doesn’t provide them with any better handle on the problem.”
Organizations with a mature security program understand that moving from a point-in-time vulnerability management program to a continuous model delivers results around the clock, giving infosec professionals the ability to manage vulnerabilities more easily and efficiently. In fact, the concept of continuous monitoring should be baked into the development process from the start. In its RSA coverage, TechBeacon notes that in the DevSecOps model, infrastructure as code allows continuous code and security scanning to cover infrastructure configurations as well, which keeps the security team from blocking development with time-consuming tests.
In an interview with NCC Group’s Research Director Clint Gibler, TechBeacon writes that infrastructure as code is essential. “For developers, a key advance is the increasing use of infrastructure as code and continuous deployment. When networking and server configuration are part of the application configuration, the settings can be checked for weaknesses in the same way as other application components,” said Gibler. “You can run security checks on your infrastructure code before it is even deployed. And it makes it easy to avoid any drift over time, and get back to a pristine state.”
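To make the pre-deployment check Gibler describes concrete, here is a small policy check written for this post as an added example; it is not NCC Group’s or NetSPI’s tooling, and the resource schema it reads (a JSON document with `security_group`, `storage_bucket` and `database` entries) is a constructed stand-in for whatever infrastructure-as-code format a team actually uses. The idea is the one in the quote: because the network and storage settings live in code, they can be linted in the pipeline like any other component, and a high-severity finding can fail the build before anything is deployed.

```python
"""Pre-deployment weakness checks over an infrastructure-as-code document.

Added example for this post. The configuration below is constructed and its
schema is hypothetical; real tooling would read Terraform, CloudFormation,
or similar. The checks are the kind a reviewer catches before `apply`.
"""
import ipaddress
import json

# Constructed sample: one web security group, one database security group,
# two storage buckets and one database. Several settings are deliberately weak.
SAMPLE_CONFIG = json.dumps({
    "resources": [
        {"type": "security_group", "name": "web-sg", "ingress": [
            {"port": 443, "cidr": "0.0.0.0/0"},   # public HTTPS: expected
            {"port": 22, "cidr": "0.0.0.0/0"},    # SSH open to the world: weak
        ]},
        {"type": "security_group", "name": "db-sg", "ingress": [
            {"port": 5432, "cidr": "10.0.0.0/8"},  # internal only: fine
        ]},
        {"type": "storage_bucket", "name": "logs", "encrypted": False, "public": False},
        {"type": "storage_bucket", "name": "assets", "encrypted": True, "public": True},
        {"type": "database", "name": "orders", "publicly_accessible": True},
    ]
})

# Ports that should never be reachable from every address on the Internet.
ADMIN_PORTS = {22, 3389, 5985, 5986}


def finding(resource, severity, message):
    """Uniform finding record so the gate and the report share one shape."""
    return {"resource": resource["name"], "severity": severity, "message": message}


def is_world_open(cidr):
    """True for a /0 prefix, i.e. a rule that admits every IPv4 or IPv6 address."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def check_security_group(resource):
    """Flag admin ports whose ingress rule is open to the whole Internet."""
    return [
        finding(resource, "high", f"port {rule['port']} open to {rule['cidr']}")
        for rule in resource.get("ingress", [])
        if rule["port"] in ADMIN_PORTS and is_world_open(rule["cidr"])
    ]


def check_storage_bucket(resource):
    """Unencrypted storage is a medium finding; a public bucket is high."""
    out = []
    if not resource.get("encrypted", False):
        out.append(finding(resource, "medium", "bucket is not encrypted at rest"))
    if resource.get("public", False):
        out.append(finding(resource, "high", "bucket is publicly readable"))
    return out


def check_database(resource):
    """A database reachable from the public Internet is a high finding."""
    if resource.get("publicly_accessible", False):
        return [finding(resource, "high", "database is publicly accessible")]
    return []


CHECKS = {
    "security_group": check_security_group,
    "storage_bucket": check_storage_bucket,
    "database": check_database,
}


def run_checks(config):
    """Apply every registered check to every resource; unknown types are skipped."""
    findings = []
    for resource in config.get("resources", []):
        check = CHECKS.get(resource.get("type"))
        if check is not None:
            findings.extend(check(resource))
    return findings


def deploy_allowed(findings):
    """Pipeline gate: any high-severity finding blocks the deployment."""
    return not any(f["severity"] == "high" for f in findings)


if __name__ == "__main__":
    results = run_checks(json.loads(SAMPLE_CONFIG))
    for f in results:
        print(f"[{f['severity'].upper()}] {f['resource']}: {f['message']}")
    # Non-zero exit fails the CI job, so the weak config never reaches `apply`.
    raise SystemExit(0 if deploy_allowed(results) else 1)
```

Run against the sample, the script reports four findings (the world-open SSH rule, the unencrypted `logs` bucket, the public `assets` bucket and the public `orders` database) and exits non-zero; the `db-sg` rule and the public HTTPS rule pass. Because the same checks run on every commit, a later change that reopens one of these settings is caught the same way, which is the “avoid drift” benefit Gibler mentions.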
Continuous Pentesting Coupled with “the Human Element”
In the spirit of these three RSA takeaways, NetSPI introduced its new Penetration Testing as a Service (PTaaS) powered by the Resolve platform at the conference. PTaaS puts our customers in control of their pentests and their data, enabling them to simplify the scoping of new engagements, view their testing results in real time, and orchestrate quicker remediation, with the added ability to perform always-on continuous testing. We believe that the key to its success is the integration of our team of expert, deep-dive manual pentesters, who use enhanced automation to uncover an organization’s vulnerabilities. We believe that while automation creates efficiencies, the human touch is also necessary to identify potentially high and critical severity threats that can only be discovered by manual testing.
Want to read more about the future of cybersecurity? Read RSA’s 2020 trend report here.