SAN FRANCISCO – I’ve been attending RSA for more than a decade now. Every time I go, I’m taken aback by the fact that most everything said the previous year gets said once again the following year. Sometimes things are rebranded or expressed in a different way, but more often than not, nothing changes much.
The major reason behind that is something that remains true from what I have personally witnessed in more than two decades of practicing security: We do not know how to measure success. More importantly, very few people define what success even means. That leaves wide-open space for incentivizing rhetoric over results.
As an industry, we often recycle, as opposed to innovate. Once again, many of the vendors are talking about zero-trust. It’s a re-brand of a concept we were talking about in the 1990s, namely the principle of least privilege. Yet here we are again, talking about the same rudimentary concept as if it were new. We have to face that it’s hard to manage access and we really haven’t found a good way to do it yet.
The broader economic ecosystem has been clearly unsatisfied with the results of what cyber security protection has done so far. Instead of solving some of these basic problems, we often throw new technology at them in the hopes that somehow these new technologies will magically solve the problem.
Take the hype around generative AI.
More than a few vendors are promoting their use of this technology as a way of improving security automation. However, these tools don’t just operate themselves and perform magic. If we can’t do the job manually, automation of failure will just result in faster failure at greater scale. AI and ML systems only work when there’s a human in the mix, making intelligent decisions about training data and features and delivering the last mile of analysis that the systems do not yet know how to do.
As an example, I had ChatGPT write a one-day summary of the RSA conference. The difference between the ChatGPT article and this article is that the automated one does not have critical analysis or commentary. Both are essential.
I’m also concerned about how much we as an industry convey hopelessness. More than a few booths promote the idea of managed security, and that companies must outsource all of this basic work to a myriad of vendors. The presumption: those customers have no hope of securing it themselves. I see very few people talking about how we can transform the overall technology and security landscape so that these companies can stay ahead of the risk, instead of responding to the last breach.
On a final note, I have a bone to pick with SANS. I have to manage a large team and hire new people, which makes workforce development part of my job. I am a big fan of SANS, but workforce development needs to be more than simply sending my employees to a conference once a year. Companies need a systematic program to develop the next generation of talent – and that requires much more than just learning cyber security skills in a course. I think this needs much more focus. Personally, that takes a lot of my time as I’m trying to develop my team and upskill them to the level that I need them to perform at.
So while there’s a lot of rehash at this event – and the AI hype machine is in hyperdrive – there are still some bright spots of innovation that attendees should look for.
John Bambenek, principal threat hunter, Netenrich