Information security professionals need to be more open to adaptation and embrace emerging ideas to enhance overall cyber-resiliency, according to expert speakers during an opening keynote on day 1 of the virtual RSAC Conference 2021.
Jimmy Sanders, information security, Netflix DVD, and Angela Weinman, head of global governance, risk and compliance, VMware, set out three “hard truths” about the sector, and how these negative practices can be addressed.
1. The Security Risk Picture is Out of Focus
This is a major issue, “because if you can’t accurately determine risk, it becomes difficult to rapidly recover from impacts,” explained Sanders.
Weinman noted that the industry is not currently “managing the risk well enough,” and she cited a recent VMware study with MIT, which showed that under half (46%) of top executives stated they were happy with how their resiliency risk plans were executed last year.
Weinman said this was a result of security professionals being “too conservative when predicting risk impacts and necessary treatment,” emanating from their desire to be accurate. She added that this was highlighted by the shift to remote working during COVID-19, where planning for critical staff to be working from home for a period of time was not enough – it needed to cover all employees.
The solution to this, according to both speakers, is to “zoom out” and look at a spectrum of impact, rather than a narrowly defined scenario. Sanders explained: “We must broaden our views and prioritize environments so we ensure that not all environments are protected and viewed the same.”
2. Legacy Security Practices Are Slowing Us Down
The two speakers highlighted that traditional, and often unnecessary, practices are commonplace in the sector, which is holding back progress. This is born out of a lack of diverse voices in cybersecurity, according to Sanders. He argued that in order for fresh perspectives to be brought to security practices, ideas need to “be voiced without the fear of ridicule and condemnation.”
He added that there are currently “many intelligent minority voices that do not get heard within the security community.” This requires being intentional about allowing different viewpoints to be heard, particularly from women and ethnic minorities.
Weinman pointed out that this leads back to the first hard truth surrounding the security risk picture, as “we can get a better risk management picture if we have more points of view.”
Another aspect of this issue is the growing use of automation in security processes, which has led to a tick-box culture. “Is everything we’re doing adding to our security posture? If not, why are we doing it?” asked Weinman. Again, diversity of thought is critical in this respect, providing a fresh perspective on outdated practices and questioning why things are being done, linking back to cyber-hygiene and the goals of the business.
3. Security is Not a Solo Sport
Sanders emphasized that no matter how good a security professional may be, resiliency cannot be achieved without collaboration across the sector. He described the need for a “snowball effect,” where great ideas build upon each other. “We, the security community, need to ensure that the best security practices are accessible to everyone.”
This requires organizations to put aside rivalries to “share knowledge and effective techniques to achieve what a single company can’t,” in the view of Sanders.
Weinman noted that it is “a common misconception that because of what we do, we must work in individual secrecy.” She advised security professionals to join a study group, working alongside people from other vendors.
Sanders, who leads the emerging technology group for ISSA International, added: “the most rapid growth in mini security practices happens when they start sharing what went right, but also what went wrong.”
Wrapping up the session, Sanders commented: “The ultimate lesson that I want you to take home is that we need each other now more than ever in these exciting times.”