SAN FRANCISCO -- If one common thread held the 2019 RSA Conference together, it was that security depends on people, for better or for worse. More so than technology or policy, it's the people who get involved and benefit from cybersecurity that have the greatest influence on the industry and its success.
Despite the rapid growth of artificial intelligence and machine learning, Rohit Ghai, president of RSA, spoke about the need for both humans and machines in his opening keynote.
"Humans and machines together are more trustworthy than either individually," Ghai said, adding that both people and technology have weaknesses. People "suck at passwords" and handling large amounts of data, and artificial intelligence has inherent biases from data and lacks empathy and intuition, he said.
"Humans are great at dreaming and imagining the creative stuff," Ghai said. "While machines are great at answers, humans are far better at knowing what questions to ask -- the investigative stuff. In creative and investigative jobs, humans are far superior to machines -- jobs like cybersecurity."
Ghai and cybersecurity strategist Niloofar Razi Howe, who also spoke at the keynote, said they envision a future in which humans and machines work together to build better, stronger and more trustworthy security.
The security talent shortage
The talent shortage and skills gap in the security industry was discussed throughout the 2019 RSA Conference as something that will affect the human-machine partnership in the future. While plenty of work is being done on the machine side of the equation, a lot more needs to be done to fill the estimated 3 million job openings in the cybersecurity industry.
Ann Johnson, corporate vice president of the cybersecurity solutions group at Microsoft, discussed that figure during her keynote presentation, "The Power of People: Amplifying Our Human Capacity through Technology and Community."
While Johnson spoke about the initiatives Microsoft has developed or in which it has partnered with others -- such as Blackhoodie, a program spun off from BlueHat that is exclusively for women, and Microsoft Software & Systems Academy, which teaches military service members and veterans skills for careers in the technology industry -- she also spoke about the issues facing the security industry at large.
The talent shortage that plagues the industry requires companies to focus on hiring, training and retaining a diverse set of people. She noted the importance of looking for new recruiting avenues, as well as taking care of the staff that organizations already have.
At least 66% of security professionals look for work outside of the industry because of the immense stress of working in cybersecurity, Johnson said, adding that 50% are willing to take a lower paying job for less stress. Technologies such as artificial intelligence, machine learning, automation and the cloud can take some of the stress off of security professionals and help reduce burnout in the industry.
Security professional burnout was a serious topic in other sessions at the 2019 RSA Conference, as was filling the talent gaps through more diverse hiring.
Diverse and inclusive hiring
In a 2019 RSA Conference session called "Building -- and Keeping -- Your Cybersecurity Team with Nontraditional Staff," ISACA members discussed the "State of Cybersecurity 2019" study, which found that 15% of organizations have entirely male security teams.
Dr. Alissa AbdullahVice president and CISO, Xerox
Emily Heath, vice president and CISO of United Airlines, addressed minimizing the staffing shortage with diversity in her keynote presentation, "Security at 36,000 Feet!"
Heath champions hiring based on skills, not credentials, and said the staffing shortage is in part due to traditional thinking that qualified security professionals must have four-year degrees in computer science, as well as work experience in security and a handful of security certifications.
The reality, she said, is that people with an aptitude for cybersecurity can come from all backgrounds. By focusing on skills and passion rather than a resume, Heath has been able to create a cybersecurity team at United Airlines that is 46% female and 48% people of color. Leaders have to commit to leading with a diverse mindset, Heath said.
Dr. Alissa Abdullah, vice president and CISO of Xerox, echoed that sentiment during a panel discussion that also included Heath called "Diversity and Inclusion: Impacting Culture to Create a More Creative Environment."
"Diversity is a fact; inclusion is a choice," Abdullah said.
In her keynote speech, Heath also said security professionals are responsible for educating nonsecurity people on best practices and how to do things. It is up to the security industry to open up so everyone knows about it, not just security professionals. She also said that education will help solve a lot of the problems facing the industry. All-told at the 2019 RSA conference, it seems that people are the most important part of a successful security industry.