SAN FRANCISCO – Today, cybersecurity is portrayed in the media and by businesses as an ongoing, complex conflict between defenders and cybercriminals, with heightened noise around hyper-technical proof-of-concept attacks or nation-state threats. But the reality is starkly different, said Rohit Ghai, president of RSA, speaking on Tuesday at the RSA Conference.
The security industry needs to branch out beyond its historically “narrow culture” and change how it is perceived by the rest of the world. The narrative around cybersecurity needs to instead emphasize the human players behind cybersecurity, including the IT teams working in companies, the cybercriminals who are launching cyberattacks, the businesses who are working with security teams – and, importantly, the end users who are often the true victims.
“We are only as good as the story we leave behind,” he said. “The story we want is a business story of cyber resilience, not a technical story of cyber ping pong. The struggle that we often see in these types of stories engenders pity and fear, but it’s not one of the defender, but one of the protected.”
[For all Threatpost’s RSA Conference 2020 coverage, please visit our special coverage section, available here.]
Often, hackers are portrayed as “technical sorcerers” while defenders are “hapless techies focused on zero-day vulnerabilities and only the most advanced threat vectors,” Ghai said. In reality, that’s not true, he said.
Cybercriminals are not always sophisticated; in fact, more script kiddies exist than technically savvy hackers, said Ghai. The difference is that cybercriminals are more organized and create tools and exploit kits that allow less sophisticated actors to become well equipped to launch attacks.
Meanwhile, defenders are often grappling with burnout stemming from an industry plagued by a talent gap, complexity and noise. Instead of preventing sophisticated attacks, defenders more often spend their time trying to block ordinary phishing and business email compromise (BEC) scams, said Ghai.
To close this gap between perception and reality, the security industry needs to change the narrative of its story, he said. “We need to reclaim our narrative, reorganize our defense, and rethink our culture.”
Ghai asserts that the cybersecurity industry needs to better engage the media and share not just losses, but also wins. While the city of Atlanta’s 2018 ransomware attack was widely covered in the media, what didn’t hit the headlines as much were the small “wins” in how the city dealt with the attack. For instance, the city did not pay the $51,000 ransom – a loss for the cybercriminals – and also created a robust business continuity plan for its future, which Ghai called an eventual win.
The industry also needs to hold IT and device manufacturers accountable for better security – something that has already started with the introduction of regulatory efforts. With the proliferation of the Internet of Things, for instance, security is too often left in the dust, opening end users up to concerning security and privacy threats.
Most importantly, he said the cybersecurity industry needs to shift from a “culture of elitism to one of inclusion” by looking for defenders who are outside the tech community. For instance, IT teams in industrial companies increasingly find themselves working with operational technology teams in an effort to better secure industrial control systems.
Ghai said that business leaders and risk officers are now also interested in the story of cybersecurity – and in fact, more than 76 percent say cyber risk will increase in 2020 – but they remain on the sidelines. Instead, board members and risk officers need to be actors in the story, the “zero-th” line of defense, as he called it.
Wendy Nather, head of advisory CISOs at Cisco, agreed, saying that the security space needs to shift its relationship with other industries. “We have to open up our security culture to everybody,” she said on Tuesday. “Security needs to be basic knowledge and freely available. We can’t shoehorn people into our narrow society culture.”
At the end of the day, security is a story that needs to pay special attention to its human characters, said Ghai. “Our story has global mindshare now – but we have lost control of the narrative,” he said. “We need to find the story of our industry playing its part.”