May 17 2021

RSA 2021: It’s Time to Rethink Cyber Resilience

At a moment of greatly increased threats, resilience means more than bouncing back from a fall.

As businesses have worked to respond to the cybersecurity challenges spurred by the COVID-19 pandemic, the word “resilience” has moved from business buzzword to near cliché. Opening the international security conference RSA 2021, RSA CEO Rohit Ghai sought to define resilience more clearly in order to help organizations set a list of priorities for achieving it.

“Ultimately, being resilient isn’t good enough,” he said. “We must be good at being resilient. Resilience isn’t just about getting up when you fall. To be good at it, we must fall less often, withstand the fall better and rise up stronger every time.”

To fall less often, organizations need to stop trying to avoid uncertainty and start embracing chaos in order to understand it and respond to it. Ghai cited Netflix’s famous Chaos Monkey. Developed by Netflix in 2011, Chaos Monkey is a tool designed to test the resilience of the video streaming service’s IT infrastructure by randomly disabling computers in Netflix’s production network as a means of gauging how remaining systems respond to the outage.

“By building in chaos, this tool accounted for a common type of failure and ensured survival without any customer impact,” Ghai said. “In fact, simulating chaos worked so well it inspired the creation of the Netflix ‘simian army,’ a collection of tools to help Netflix be ready for any disruption, including the Latency Monkey and the Security Monkey.”

Thanks in part to its decision to lean into chaos, Netflix ensures that its systems are down only about 30 seconds a week, Ghai said.

“How do you secure chaos? You can’t. You don’t,” he said. “You focus on resilience by embracing chaos. How? First, expect the unexpected. Trust no one, and compartmentalize failures.”
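The Chaos Monkey loop described above is simple enough to sketch in a few lines: state a steady-state hypothesis ("at least N replicas are serving"), inject a fault at random, and check whether the hypothesis still holds. The following Python is an added illustration written for this page, not Netflix's tool or anything presented at the keynote; the two fleet layouts, the zone names and the replica counts are constructed for the example. It models both the single-instance kill Chaos Monkey performs and a whole-zone outage, which is the case where "compartmentalizing failures" across zones decides whether the service survives.

```python
"""Minimal chaos-experiment harness (added illustration, not Netflix's code).

Steady-state hypothesis -> inject a random fault -> re-check the hypothesis.
Two fault types are modelled: terminate one random instance (Chaos Monkey
style) and take down a whole availability zone. Layouts are constructed.
"""
import random
from typing import Callable, Dict, Set

# instance id -> availability zone (constructed sample layouts)
CLUSTERED = {"web-1": "zone-a", "web-2": "zone-a", "web-3": "zone-a"}
SPREAD = {"web-1": "zone-a", "web-2": "zone-b", "web-3": "zone-c"}

Fault = Callable[[Dict[str, str], Set[str], random.Random], Set[str]]


def steady_state(healthy: Set[str], min_healthy: int) -> bool:
    """Steady-state hypothesis: enough replicas are still serving traffic."""
    return len(healthy) >= min_healthy


def kill_instance(layout: Dict[str, str], healthy: Set[str],
                  rng: random.Random) -> Set[str]:
    """Chaos Monkey style fault: terminate one random healthy instance."""
    victim = rng.choice(sorted(healthy))
    return healthy - {victim}


def kill_zone(layout: Dict[str, str], healthy: Set[str],
              rng: random.Random) -> Set[str]:
    """Zone-level fault: every instance in one randomly chosen zone goes dark."""
    zone = rng.choice(sorted(set(layout.values())))
    return {inst for inst in healthy if layout[inst] != zone}


def run_experiment(layout: Dict[str, str], fault: Fault, min_healthy: int,
                   trials: int = 100, seed: int = 1) -> float:
    """Return the fraction of trials in which the steady state survived the fault."""
    rng = random.Random(seed)
    survived = 0
    for _ in range(trials):
        healthy = set(layout)  # every trial starts from a fully healthy fleet
        healthy = fault(layout, healthy, rng)
        if steady_state(healthy, min_healthy):
            survived += 1
    return survived / trials


if __name__ == "__main__":
    for name, layout in (("clustered", CLUSTERED), ("spread", SPREAD)):
        for fault in (kill_instance, kill_zone):
            rate = run_experiment(layout, fault, min_healthy=2)
            print(f"{name:9s} {fault.__name__:13s} survival={rate:.2f}")
```

With three replicas in a single zone, a random instance kill is always survivable with two replicas required, but a zone outage takes the service to zero every time; spreading the same three replicas across three zones survives both faults. The harness makes that difference measurable before a real outage does, which is the point of running the experiment in production rather than reasoning about it.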

Organizations Must Assess Vulnerabilities More Often

RSA 2020, held in February of that year, was one of the last major technology events to take place in person. This year’s event, which continues through May 20, was delayed in hopes that it could go on in person, but was ultimately shifted to a digital format. Speakers will focus on how organizations succeeded in securing remote work environments at a time when ransomware attacks and phishing campaigns aimed at employees spiked dramatically, as well as on how they should secure hybrid work environments as employees return to some in-person work, and on the key security trends of a post-pandemic world.

To fall less often, organizations must use frequent assessments to gain visibility into their vulnerabilities. Once they have that visibility, they should employ threat intelligence to understand their industries’ likeliest antagonists, including their tactics, Ghai said. Deploying zero-trust security environments, which Ghai described as a “mindset, not just an architecture,” is no longer aspirational but imperative in a work-from-anywhere world. Proper zero-trust environments include multifactor authentication, microsegmentation and the limitation of trust to what is “absolutely required,” meaning every request is denied unless an explicit rule allows it.
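The three ingredients Ghai lists (multifactor authentication, microsegmentation and trust limited to what is absolutely required) reduce to a deny-by-default access decision. The Python below is an added example written for this page, not RSA's or any vendor's code; the users, roles, network segments, services and allow-lists are constructed for illustration. It places the old perimeter rule ("anything on the internal network is trusted") beside a zero-trust decision so the difference is visible on the same request.

```python
"""Deny-by-default access decision in the zero-trust style the keynote lists
(added example; identities, segments, services and rules are constructed)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Set, Tuple


@dataclass(frozen=True)
class Request:
    user: str
    roles: FrozenSet[str]
    mfa_verified: bool
    device_managed: bool
    source_segment: str  # network segment the request originates from
    target: str          # service being called
    action: str          # "read" or "admin"


# Microsegmentation: which segments may reach which service at all.
# Anything not listed is unreachable, whatever the caller's identity.
SEGMENT_ALLOW: Set[Tuple[str, str]] = {
    ("vpn-users", "payroll-api"),
    ("vpn-users", "wiki"),
    ("office-lan", "wiki"),
    ("build-farm", "artifact-store"),
}

# Least privilege: which roles may perform which action on which service.
ROLE_ALLOW: Dict[Tuple[str, str], Set[str]] = {
    ("payroll-api", "read"): {"hr", "finance"},
    ("payroll-api", "admin"): {"hr-admin"},
    ("wiki", "read"): {"employee"},
    ("artifact-store", "read"): {"ci"},
}


def perimeter_decision(req: Request) -> Tuple[bool, str]:
    """The pre-zero-trust model: location on the network is the credential."""
    if req.source_segment in {"office-lan", "vpn-users"}:
        return True, "inside the perimeter"
    return False, "outside the perimeter"


def zero_trust_decision(req: Request) -> Tuple[bool, str]:
    """Deny unless every check passes; no segment is trusted by default."""
    # 1. Multifactor authentication is mandatory for every request.
    if not req.mfa_verified:
        return False, "mfa required"
    # 2. Microsegmentation: the source->service flow must be explicitly allowed.
    if (req.source_segment, req.target) not in SEGMENT_ALLOW:
        return False, f"segment {req.source_segment} may not reach {req.target}"
    # 3. Least privilege: some held role must explicitly grant this action.
    allowed_roles = ROLE_ALLOW.get((req.target, req.action), set())
    if not (req.roles & allowed_roles):
        return False, f"no role grants {req.action} on {req.target}"
    # 4. Privileged actions additionally require a managed device.
    if req.action == "admin" and not req.device_managed:
        return False, "admin actions require a managed device"
    return True, "explicitly allowed"


if __name__ == "__main__":
    req = Request("alice", frozenset({"hr"}), False, True,
                  "office-lan", "payroll-api", "read")
    print("perimeter :", perimeter_decision(req))
    print("zero trust:", zero_trust_decision(req))
```

The same request from a workstation on the office LAN with no second factor is allowed by the perimeter rule and refused by the zero-trust one, and it would still be refused after MFA because that segment has no allowed flow to the payroll service. In a real deployment the rule tables would come from the identity provider and the network policy engine rather than in-code constants, but the order of checks (authentication, reachability, authorization, device posture) is the part worth keeping.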

The Internet of Things and complex supply chains are broadening attack surfaces. “By some estimates, we are connecting 127 devices to the internet every second, but it’s not just connected devices, it’s connected organizations and the private data flowing through this value chain,” he said. “The average company shares private information with 583 third parties, yet only one-third of organizations maintain a comprehensive inventory of these parties. There are too many dominoes stacked too tightly together — and, look, we can’t ensure that each domino stays upright; instead, we have to space them further apart.”

That means conducting risk assessments of third parties to limit supply chain attacks, starting with an inventory of which suppliers actually hold the organization’s data, and employing AI-powered engines that help organizations analyze incidents and prioritize responses.


Better Security Requires a More Diverse Digital Workforce

The pandemic has produced fresh challenges for security teams while making most of the old ones bigger, said Cisco Systems CEO Chuck Robbins, who spoke as part of the conference’s first-day keynote. “We know that we’re now dealing with a very expanded threat surface,” he said. “Every individual is carrying an average of four devices, and this just creates more opportunities for breaches.”

If cybercrime were a country, it would have the third-largest economy in the world, after the U.S. and China, Robbins said, with $6 trillion in global damage caused annually. Consequently, organizations must rethink their entire security architecture with an eye toward vastly more distributed networks that lack perimeters and that include significantly more remote work for the long term.

Perhaps the greatest single security challenge organizations face is a dearth of qualified talent. There are only 2.8 million cybersecurity professionals working in the industry worldwide, yet there are more than 4 million unfilled cybersecurity jobs right now, Robbins said.

“We have more unfilled opportunities than we have trained professionals in the world,” he said. “We have to train people, we have to reskill people, we have to continue to develop the existing talent. We have to make it easier for people to get into cybersecurity and we have to look at untapped sources of talent.”

Women, for example, represent just 24 percent of cybersecurity professionals, even though they represent a majority of new entrants into the larger workforce, he said.

“We must be inclusive to grow our community and find diverse talent,” Robbins said. “It’s a collective priority for us.”
