Security

RSA 2020: How Cybersecurity Pros Can Boost Morale

It’s time they started boasting about their wins instead of just explaining their failures, says RSA President Rohit Ghai

Bob Keaveney

Bob is the managing editor of BizTech magazine.

Artificial intelligence will play a huge role in cybersecurity in coming years, as both threat actors and threatened organizations strive to deploy every weapon available in their never-ending war for control of networks. But human activity will continue to be the indispensable difference between successful and foiled hacks.

So argued Rohit Ghai, president of RSA Security, at the opening keynote of RSA 2020, one of the largest cybersecurity-focused events of the year, taking place the week of Feb. 24 in San Francisco. Speaking to the conference theme of “the human element” of security, Ghai told many of the roughly 40,000 assembled experts, analysts, technology companies, journalists and policymakers that in the end they won’t vanquish threat actors without rethinking their culture and focusing as much on people as on technology.“AI is clearly augmenting the attacker and the defender,” Ghai said. “But humans are absolutely here to stay in the story of cybersecurity.”

Cybersecurity Teams Are Burned Out, Fatigued

An RSA survey of IT professionals found that 76 percent believe that attacks will increase in 2020. That’s no surprise: Breach attempts have increased relentlessly every year since the birth of the internet. But what is worrisome, Ghai said, is the personal toll it’s taking on security teams, which in many organizations are stressed-out and exhausted.

Two out of five CISOs think they will be held personally liable for any breach that occurs in their organization and that it may cost them their jobs, according to RSA research. As a result, said Ghai, most CISOs say they rarely disconnect from their job.

“Business leaders worldwide are concerned about cyberattacks, constantly,” Ghai said. “End users aren’t tech-savvy enough and are being inundated with clever attacks, making life harder for burned-out security teams. The adversary has hacked our brains.”

The Narrative on Cybersecurity Must Change

To change things, cybersecurity professionals need to “reclaim the narrative, reorganize our defense, rethink our culture,” Ghai said. For starters, they should start reporting more openly about their own wins and on hackers’ failures. As it stands, cybersecurity only enters the public realm when there’s a breach; one never hears about occasions when potential hacks are thwarted, because organizations don’t want to discuss their tactics or invite additional attacks.

But they should reconsider that philosophy — they should even crow a little when they foil a hacker’s ultimate objective even when they fail to stop the breach, Ghai said.

“We don’t have to win for the hackers to lose,” he said. “It cost the city of Atlanta $1 million to restore services after a major hack, but they took a courageous stand not to pay off the hackers. That’s not a win for them, but the hackers lost.”

Second, the IT industry should remember that end users aren’t the only ones whose security practices need improvement; the creators of software and applications often write code that’s vulnerable to attack. Finally, Ghai argued, organizations need to build cultures that make security everyone’s responsibility, not just that of the cyberdefense team. That includes the rest of the IT department, business leaders and other risk managers, who today have an interest in cybersecurity but “are largely observers” rather than actors.

“We’ll certainly use technology to protect technology and recruit machines to fight the good fight, but in the end this will always be a human story,” he said. “Ours will never be a world without breaches, but it will be one where those breaches will not get in the way of human progress.”

Keep this page bookmarked for articles and videos from RSA 2020, and join the conversation on Twitter @BizTechMagazine.

RSA Conference