Like last year, many of the discussions that took place at RSAC 2018 centered around the human element of security, including the cybersecurity skills gap, security automation and artificial intelligence (AI). It seems like the more mature security programs supposedly become, the more challenging it is to keep up with security.

Juniper Networks CEO Rami Rahim asserted in his keynote that the internet offers criminals an unfair advantage. The internet eliminates the constraints of time, distance and identity, and its speed and ubiquity facilitate attacks that can strike from anywhere in the world without warning. Rahim wrapped up his speech by urging organizations to implement security automation and to focus on developing the next generation of security professionals, which were common themes at this year’s RSA Conference.

The People Problem in Security

The human element is still an impediment to progress in security. Rahim’s insights struck a chord with me because these are things I’ve been preaching for years. Security has advanced, technically speaking, but we clearly don’t have a grasp of what truly needs to be done to minimize business risks.

Does that mean that automation will fix all our security challenges? I think not, but it can surely help. Furthermore, will taking our training and education efforts to the next level really have an impact? It’s good to stay up with the latest and greatest in our field, but I don’t think training can fill in as many gaps as some people hope.

RSAC 2018 featured many more conversations around human-related topics. In fact, the theme of this year’s Innovation Sandbox was “Taking Humans Out of the Security Equation.” Clearly, the conference organizers are onto something: People represent a significant part of the security problem.

How can we address this issue? With any business challenge, it’s critical to define what the people problem really is. It’s not just end users making bad security choices, such as clicking malicious links and opening infected file attachments. It also has to do with IT and security professionals who are distracted or struggle to see the bigger picture.

I see many people, both users and security professionals, making decisions based on their own agendas without considering the greater good of the business. Much of this negative behavior can be attributed to honest mistakes and subconscious biases rather than deliberate malfeasance. This often stems from a lack of security leadership and poor organizational culture.

Busyness Is Not Always Good for Business

The RSA Conference also highlighted AI, blockchain, threat intelligence platforms and a plethora of other solutions that security professionals have at their disposal. I’d venture to guess that vendors have poured millions, perhaps billions, of dollars into developing security technologies, and many signs suggest that organizations are buying them.

Security budgets are increasing, and the strong attendance at RSAC is a great indicator of the health of the industry. So if money is being spent, actions are being taken and security teams are staying busy, it would stand to reason that enterprise networks are secure — right?

Knowing what I know, who I know and what I see, organizations have a long way to go when it comes to improving enterprise security. Until these human challenges are acknowledged, they will cause security problems that no level of investment in technology can resolve.

Security leaders should aim to address the vital few areas of security that have tangible payoffs, rather than get lost in the weeds of more trivial areas. Many business leaders erroneously interpret busyness as success. I’ve seen some companies go so far as to create their own network complexity.

Taking a Page Out of the RSAC 2018 Playbook

Organizations should take a page out of the RSAC playbook and eliminate people from the security equation whenever possible. Of course, the toothpaste is out of the tube, so to speak — IT and security positions are already in place, and users have been presented with business workflows that involve security decision-making.

So what can businesses do to reduce human error? There’s not a convenient solution available today. However, minimizing human involvement should be a priority for IT, security and business leaders. Whether it affects standards, architectures or processes, the human element is a huge part of the security problem. Organizations need to tame it sooner rather than later.
