From the Human Element and Frameworks to Secure Engineering, Privacy and More
Which cybersecurity topics are hot right now?
One excellent answer to that question comes via the upcoming RSA Conference 2020, set to run Feb. 24 to 28 in San Francisco. Organizers say they received 2,400 responses to their call for speakers, and they’ve helpfully reviewed them all to highlight overarching themes and trends.
Note that “Human Element” is the theme they’d already set for this year’s conference, meaning a number of submissions hit this angle hard. “An overwhelming number of submissions started with a focus on human impact as a means of offering insight on how to better leverage common frameworks, inform decision makers in risk management, mitigate new and emerging threats and build a productive, security-centric culture,” write Britta Glade, the RSA Conference’s director of content and curation, and Kacy Zurkus, content strategist, in a report (PDF).
With that in mind, here are the 10 themes they saw across the submissions:
- Human element: Numerous submissions – focused on “data, threats, risk, privacy, management and teams” – touched on the human dimension in security.
- Designing, developing and maintaining secure products: For the first time, organizers have added tracks dedicated to product security and open source tools, reflecting their receiving “more deep-dive technical submissions focused on secure product development than ever before,” covering topics ranging from user interface design and artificial intelligence to privacy and security operations centers.
- Convergence of IT and OT security: One of the challenges of IT and operational technology converging is that they come from “two very different cultures and supply chains,” thus driving the need for serious cultural changes if this required collaboration is to succeed.
- Secure engineering processes: As organizations continue to adopt DevSecOps, submissions focused on the increased requirement to involve not just risk management but also governance processes in their development operations.
- Intertwining of compliance and privacy … and privacy and everything: The EU’s General Data Protection Regulation has made privacy mainstream, and business discussions have continued to mature. “Where privacy once was a nice-to-have indication of ‘good corporate citizenship,’ it seems to now be trending as a core business and security conversation as organizations look to capture and protect user intent, not just because of regulatory compliance concerns, but also to provide business differentiation and positive user experience.”
- Threat intelligence and sharing: Intelligence sharing continues to be a cornerstone of a good “cyber defense,” but machine-based processes can’t cure every ill, especially where social engineering – of consumers or democracies – is at play. “We saw an increase in submissions that documented the inherent weaknesses and challenges of machines, with some deeply technical and wonderfully detailed submissions digging into the specifics and providing guidance and best practice considerations.”
- Frameworks, and frameworks upon frameworks: Frameworks and automation are hot. “We saw a rich number of submissions related to the MITRE ATT&CK framework, the NIST Cybersecurity Framework, Competing Security Culture Framework (CSCF) and the Factor Analysis of Information Risk (FAIR) Framework” as part of ongoing corporate drives to refine governance and risk management processes.
- Security awareness and training: The term “cyber range” – a virtual environment used for offensive security training – is hot, as are questions about human sustainability. “Some submissions addressed the moral and ethical issues of security awareness, while several highlighted the need for more attention on workplace stress and mental health, particularly for security practitioners.”
- Communication: The imperative for CSOs and CISOs to communicate up, down and across organizations is well known. But emerging areas such as “purple teaming” – mixing offense and defense – are also helping bolster security by ensuring groups with complementary skills increasingly work together.
- Professional and workforce development: “How to hire, train, retain and inspire talent” remains a key concern and necessity for the burgeoning cybersecurity industry. Indeed, will there ever be enough personnel to staff every open cybersecurity role?
As the organizers note, those themes are a very broad-based look at the submissions they received.
“These 10 trends just scratch the surface of the breadth and depth of the body of knowledge and experience that flowed through this year’s submissions,” they say. “Other keywords such as zero trust and serverless, Kubernetes, quantum, chaos engineering, bug bounties and endpoint decay (or resurgence, depending on who you ask!) abounded.”
The Human Element
The human element – having been designated this year’s RSA theme – unsurprisingly looms large. Arguably, of course, the human element remains the Achilles heel of so many information security systems, in that their success or failure is too often predicated on human input.
But of course the topic covers much more than that. “Submissions explored the use of software and platforms to exploit humans – intentionally and unintentionally – reflecting on privacy implications as well as potential opportunities to use machine learning, in a continued evolution of the man/machine relationship we’ve explored in these submission trends reviews over the years,” the organizers write.
There’s an increasing – arguably, overdue – focus too on mental health across the industry, and organizers say this year’s submissions reflected that trend (see: The Dark Side of Cybersecurity: Burnout).
“This year’s theme seemed to give submitters license to tackle the more sensitive challenges of human behavior, such as the potential downfall of toxic working environments, both to individuals and teams, and the risks to the security program that can stem from cybersecurity and engineering failing to leave their egos at the door,” the organizers write.
The focus on humans seems like a natural fit with so many current industry preoccupations. Compare that to some recent RSA themes featuring bland, motivational-sounding tag lines that wouldn’t look out of place on the cover of a U.S. high school yearbook: “Better” (2019), “Now Matters” (2018), “Power of Opportunity” (2017).
They succeeded an era of geekier-speak, including the mightily clunky “The Great Cipher Mightier Than the Sword” (2012) and “The Adventures of Alice & Bob” (2011).
These, in turn, followed themes that were much more focused on historical uses of – and treatises on – cryptography, featuring everyone from Mary Queen of Scots and Navajo “codetalkers,” to “Father of Western Cryptology” Leon Battista Alberti and British cryptography genius Alan Turing, with a side of carrier pigeons and the Mayans, among others.
Cybersecurity Importance Surges
The evolution in RSA themes arguably reflects the increasing importance of the conference and the continuing surge in cybersecurity relevance. In 2008, the conference reported 17,000 attendees. Ten years later, that figure had grown to more than 42,000.
For 2020, the RSA Conference will feature hundreds of presentations and more than 50 keynote speakers, including U.S. Cybersecurity and Infrastructure Security Agency Director Chris Krebs and the magicians Penn & Teller. Attendance at the event is expected to top 45,000.
As those numbers suggest, however you approach the overarching themes of this year’s event, one clear takeaway is that cybersecurity seems more important than ever. As always, getting information security right involves not just technology, but also people, processes and systems. Everything from our businesses and healthcare systems to collective well-being and democracies is at stake.
Safeguarding all of that continues to be a daunting task. But as the preview of this year’s RSA themes and presentations makes clear, it’s often an exciting one, too.