April 26, 2018 By Kevin Beaver 3 min read

Like last year, many of the discussions that took place at RSAC 2018 centered around the human element of security, including the cybersecurity skills gap, security automation and artificial intelligence (AI). It seems that the more mature security programs supposedly become, the harder it is to keep up with security.

Juniper Networks CEO Rami Rahim asserted in his keynote that the internet offers criminals an unfair advantage. The internet eliminates the constraints of time, distance and identity, and its speed and ubiquity facilitate attacks that can strike from anywhere in the world without warning. Rahim wrapped up his speech by urging organizations to implement security automation and to focus on developing the next generation of security professionals, which were common themes at this year’s RSA Conference.

The People Problem in Security

The human element is still an impediment to progress in security. Rahim’s insights struck a chord with me because these are things I’ve been preaching for years. Security has advanced, technically speaking, but we clearly don’t have a grasp of what truly needs to be done to minimize business risks.

Does that mean that automation will fix all our security challenges? I think not, but it can surely help. And will taking our training and education efforts to the next level really have an impact? It's good to stay up to date on the latest and greatest in our field, but I don't think training can fill in as many gaps as some people hope.

RSAC 2018 featured many more conversations around human-related topics. In fact, the theme of this year’s Innovation Sandbox was “Taking Humans Out of the Security Equation.” Clearly, the conference organizers are onto something: People represent a significant part of the security problem.

How can we address this issue? With any business challenge, it's critical to define what the people problem really is. It's not just end users making bad security choices, such as clicking malicious links and opening infected file attachments. It also has to do with IT and security professionals who are distracted or struggle to see the bigger picture.

I see many people, both users and security professionals, making decisions based on their own agendas without considering the greater good of the business. Much of this negative behavior can be attributed to honest mistakes and subconscious biases rather than deliberate malfeasance. This often stems from a lack of security leadership and poor organizational culture.

Busyness Is Not Always Good for Business

The RSA Conference also highlighted AI, blockchain, threat intelligence platforms and a plethora of other solutions that security professionals have at their disposal. I’d venture to guess that vendors have poured millions, perhaps billions, of dollars into developing security technologies, and many signs suggest that organizations are buying them.

Security budgets are increasing, and the strong attendance at RSAC is a great indicator of the health of the industry. So if money is being spent, actions are being taken and security teams are staying busy, it would stand to reason that enterprise networks are secure — right?

Knowing what I know, who I know and what I see, organizations have a long way to go when it comes to improving enterprise security. Until these human challenges are acknowledged, they will cause security problems that no level of investment in technology can resolve.

Security leaders should aim to address the vital few areas of security that have tangible payoffs, rather than get lost in the weeds of more trivial areas. Many business leaders erroneously interpret busyness as success. I've seen some companies go so far as to create their own network complexity, which then becomes one more thing they have to secure.

Taking a Page Out of the RSAC 2018 Playbook

Organizations should take a page out of the RSAC playbook and eliminate people from the security equation whenever possible. Of course, the toothpaste is out of the tube, so to speak — IT and security positions are already in place, and users have been presented with business workflows that involve security decision-making.

So what can businesses do to reduce human error? There’s not a convenient solution available today. However, minimizing human involvement should be a priority for IT, security and business leaders. Whether it affects standards, architectures or processes, the human element is a huge part of the security problem. Organizations need to tame it sooner rather than later.

Learn more about AI and security automation: Watch IBM Security General Manager Marc Van Zadelhoff's RSAC keynote
