April 26, 2018 By Kevin Beaver 3 min read

Like last year, many of the discussions that took place at RSAC 2018 centered around the human element of security, including the cybersecurity skills gap, security automation and artificial intelligence (AI). It seems like the more mature security programs supposedly become, the more challenging it is to keep up with security.

Juniper Networks CEO Rami Rahim asserted in his keynote that the internet offers criminals an unfair advantage. The internet eliminates the constraints of time, distance and identity, and its speed and ubiquity facilitate attacks that can strike from anywhere in the world without warning. Rahim wrapped up his speech by urging organizations to implement security automation and to focus on developing the next generation of security professionals, which were common themes at this year’s RSA Conference.

The People Problem in Security

The human element is still an impediment to progress in security. Rahim’s insights struck a chord with me because these are things I’ve been preaching for years. Security has advanced, technically speaking, but we clearly don’t have a grasp of what truly needs to be done to minimize business risks.

Does that mean that automation will fix all our security challenges? I think not, but it can surely help. Furthermore, will taking our training and education efforts to the next level really have an impact? It’s good to stay up with the latest and greatest in our field, but I don’t think training can fill in as many gaps as some people hope.

RSAC 2018 featured many more conversations around human-related topics. In fact, the theme of this year’s Innovation Sandbox was “Taking Humans Out of the Security Equation.” Clearly, the conference organizers are onto something: People represent a significant part of the security problem.

How can we address this issue? With any business challenge, it’s critical to define what the people problem really is. It’s not just end users making bad security choices, such as clicking malicious links and opening infected file attachments. It also has to do with IT and security professionals who are distracted or struggle to see the bigger picture.

I see many people, both users and security professionals, making decisions based on their own agendas without considering the greater good of the business. Much of this negative behavior can be attributed to honest mistakes and subconscious biases rather than deliberate malfeasance. This often stems from a lack of security leadership and poor organizational culture.

Busyness Is Not Always Good for Business

The RSA Conference also highlighted AI, blockchain, threat intelligence platforms and a plethora of other solutions that security professionals have at their disposal. I’d venture to guess that vendors have poured millions, perhaps billions, of dollars into developing security technologies, and many signs suggest that organizations are buying them.

Security budgets are increasing, and the strong attendance at RSAC is a great indicator of the health of the industry. So if money is being spent, actions are being taken and security teams are staying busy, it would stand to reason that enterprise networks are secure — right?

Knowing what I know, who I know and what I see, organizations have a long way to go when it comes to improving enterprise security. Until these human challenges are acknowledged, they will cause security problems that no level of investment in technology can resolve.

Security leaders should aim to address the vital few areas of security that have tangible payoffs, rather than get lost in the weeds of more trivial areas. Many business leaders erroneously interpret busyness as success. I’ve seen some companies go so far as to create their own network complexity.

Taking a Page Out of the RSAC 2018 Playbook

Organizations should take a page out of the RSAC playbook and eliminate people from the security equation whenever possible. Of course, the toothpaste is out of the tube, so to speak — IT and security positions are already in place, and users have been presented with business workflows that involve security decision-making.

So what can businesses do to reduce human error? There’s not a convenient solution available today. However, minimizing human involvement should be a priority for IT, security and business leaders. Whether it affects standards, architectures or processes, the human element is a huge part of the security problem. Organizations need to tame it sooner rather than later.

Learn more about AI and security automation: Watch IBM Security General Manager Marc Van Zadelhoff’s RSAC Keynote
