SAN FRANCISCO -- In their own ways, all three RSAC keynote speakers pushed forward the narrative that the infosec community must focus on incremental cybersecurity improvements in order to enact real change.
Rohit Ghai, president of RSA, opened the 2018 RSA Conference (RSAC) with a number of sports metaphors, espousing the value of teamwork, small improvements and anticipation. Microsoft President Brad Smith focused on the human impact of cyberattacks and how infosec professionals will be the "first responders" in coming cyberwars. And McAfee CEO Chris Young warned about falling victim to cybersecurity fatigue that could hold back awareness from transitioning into action.
"There are 50,000 of us here, which is a great testament to the growing power of our community, and what we do with our time together matters more now than ever," Ghai said in his opening RSAC keynote. "Now matters, because it drives what's next. So, let's not talk about the hackers' advantages; they can do that in their own conference. Let's talk about our advantages. Instead of talking about the future of threats, let's talk about the future of security."
Ghai noted that it can be hard to celebrate the successes of the cybersecurity community because good security doesn't make headlines, but he laid out three "Cybersecurity Silver Linings" that can help infosec pros focus more on positive cybersecurity improvements.
"We need to pay attention not just to the technology of defense, but the psychology of defense. The spirit of the defender matters as much as the shield that she or he wields," Ghai said. "For years, we have motivated ourselves by the fear of what happens if we fail. What if we could inspire ourselves with the glory of what we enable when we are successful?"
Ghai's silver linings -- ending the silver-bullet fantasy, the quicksilver law of cyberdefense and the magic of sterling teamwork -- advocated focusing more on incremental improvements, anticipating risk when adopting new technology, and enabling better cooperation and collaboration both within infosec and across business teams to improve security.
Ghai noted that the adoption of new tech has been speeding up, and with that comes the need to be much better about anticipating risk. "There is huge value in security that is built in, rather than bolted on," Ghai said.
Beyond fostering teamwork within security teams, Ghai said the importance of cybersecurity has been spreading to those outside of the infosec community.
"If necessity is the mother of invention, risk is the mother of insurance. So, the very, very best proof of all that cyber-risk is top of mind is the rise of cyberinsurance," Ghai said. "We are maturing in terms of quantifying cyber-risk with standards. Cyber-risk quantification is a hot field and an essential tool for business folks to decipher cybersecurity and understand it in terms of dollars and cents -- a language they understand."
Young said in his RSAC keynote that this increased teamwork needs to become top of mind for everyone in order to truly see cybersecurity improvements.
"Despite a-breach-a-day headlines, we all have to agree cybersecurity has not yet reached a level of priority that it needs to reach for us to truly be able to manage the attack landscape that we face," Young said. "Cybersecurity is still a sidebar conversation in so many arenas," and when conversations do happen, "people talk past each other."
Young said cybersecurity awareness is there in enterprise C-suites, but those executives "don't yet know how to translate that awareness into action that permeates an entire organization." Young said it was the responsibility of infosec professionals to help execs understand, but he added that the responsibility for improving cybersecurity extends to everyone.
"Many people don't believe that cybersecurity is their job and their responsibility, but part of it is because we haven't yet taken up the cultural mantle as part of ours," Young said. "We must prioritize cybersecurity across different domains of society -- in the public sector, the private sector [and] for consumers -- if we are truly to drive progress in our industry."
Raising awareness of cybersecurity and being able to translate that awareness into action is important, Young said, because we can't afford to "wait for a digital 9/11 to force us to change."
"How do we make security the new sustainability in corporate America so that it becomes part of the culture, part of how we think about what we do everywhere?" Young asked. "On Sept. 12, 2001, it wasn't a technical breakthrough or solution that changed air travel. Instead, every stakeholder -- because of the risk -- ultimately got on board, from world leaders to CEOs of airlines to the crew to all of us that travel. ... [We] decided that we're going to now be a part of the safe and secure air travel culture. We can't wait for that to happen in our industry."