The walk-up music for the post-lunch keynote speaker sounded familiar, but it took me a minute before I figured it out: It was the Hot Dog Song from Disney Jr.’s Mickey Mouse Clubhouse. It may have been the most unique walk-up music I heard at any of the cybersecurity conferences I attended last year, but I was staying at a Disney resort, so maybe it wasn’t that unusual.
But it was also representative of a central theme from many of the security keynote speeches I attended in 2019: the unexpected.
I expected to hear talks from the likes of Brian Krebs and Bruce Schneier, two of the most respected cybersecurity experts in the business today — both of whom spoke at cybersecurity conferences I attended in 2019. But comedian Tina Fey or former NBA star Shaquille O’Neal? Why on earth were they giving security keynote speeches?
It turns out that, while the list of speakers was wide-ranging, almost all of them had a similar message: We are overwhelmed by threats that could take down our institutions if they go unanswered.
Cybersecurity Is Like Improv Comedy
Tina Fey’s keynote address closed the 2019 RSA Conference, and it was unusual for two reasons. First, the huge conference room was filled with women, which was certainly not the case for any other talk I attended that week. Second, the closest the speaker came to discussing security was when she, portraying Sarah Palin, announced that she could see Russia from her house, throwing back to the now-famous SNL skit. I expected the talk to be funny (and it was), but I didn’t expect her to be so perceptive about how to address information security threats.
Comedians who master improvisation can handle the unexpected. Improv actors take their cues from the audience, and their job is to make information funny. They don’t know what’s coming, so they have to react and react well or risk getting booed off the stage. Improv clubs want successful comedians; otherwise, their customers will go elsewhere for entertainment.
In this way, cybersecurity is like improv comedy. You might have an idea about what your greatest challenges may be, but you don’t know for sure when they will arise, and they could manifest in the form of an attack. In these situations, you have to react well or risk a data breach or some other cybersecurity incident. If you can’t withstand an unexpected attack, your customers will go elsewhere.
Tina Fey’s message was echoed by both Captain Chesley “Sully” Sullenberger and retired Navy Admiral William McRaven at the (ISC)2 Security Congress. While neither speaker focused their speech on cybersecurity issues, both talked about the need to be prepared for the unexpected. Sullenberger and his co-pilot spent years training for any type of situation, which is why they were able to land safely in the Hudson River when disaster struck. They had never done it before, but they knew the drill.
Likewise, the training McRaven endured to become a Navy SEAL might have seemed outrageous at the time, but all the spot inspections and punishments taught him to react without worry in dangerous situations. Hopefully, the security professionals in the audience walked out of those sessions with the same message I got: It isn’t just a matter of being able to react to a cyber incident; it’s also preparing yourself ahead of time with firm policies, simulation drills and pen testing so that, when the time comes, you can react with confidence rather than panic.
Protect Yourself From Weaponized Data
Many of the speakers at the nine conferences I attended last year represented the military and/or the government, and their security keynote speeches often focused on national security issues. Election security came up a lot, as did another important point: Your corporate data is your company’s gold. It’s your most valuable asset, which is why cybercriminals want it and why organizations need to protect it.
But as former Secretaries of State Colin Powell and Madeleine Albright warned from the keynote stage, stolen data making its way to the dark web isn’t all we have to worry about. Cybercriminals and other bad actors are weaponizing data more frequently and using legitimate information against us.
Businessman and investor Roger McNamee gave similar warnings, and he reminded the audience that we all play a role in data weaponization when we use social media. We don’t do enough to take care of our own data, he cautioned, and big tech companies aren’t always doing enough to keep that data from being used in nefarious ways. The issue is bigger than whether we are doing enough to prevent data breaches — at one conference, Brian Krebs walked the audience through a timeline of data breach evolution, so again, it comes back to being prepared for the unexpected.
A key point of focus for cybersecurity professionals must be the steps we are taking to understand the worth of the data that’s available. Ask yourself: Do you have adequate security for your gold mine? Even if you answer yes, the situation could undoubtedly be better, as several speakers advised.
Expect the Unexpected
Shaq’s words of wisdom for his security audience? At the very least, show up and do the best job you can. We might be overwhelmed by threats, but we have to keep doing our best to provide the right security tools and controls for our organizations.
Comedians, basketball stars and airline pilots might not be who you expect to see advertised as keynote speakers at a cybersecurity conference. It’s unexpected. But so are the security challenges organizations face every day. What I learned from all of these speakers is to keep an open mind about cybersecurity, because just like you don’t know when or how you’ll be attacked, you never know when you will get sound security advice from unexpected sources.