Like last year, many of the discussions that took place at RSAC 2018 centered around the human element of security, including the cybersecurity skills gap, security automation and artificial intelligence (AI). It seems like the more mature security programs supposedly become, the more challenging it is to keep up with security.

Juniper Networks CEO Rami Rahim asserted in his keynote that the internet offers criminals an unfair advantage. The internet eliminates the constraints of time, distance and identity, and its speed and ubiquity facilitate attacks that can strike from anywhere in the world without warning. Rahim wrapped up his speech by urging organizations to implement security automation and to focus on developing the next generation of security professionals, which were common themes at this year’s RSA Conference.

The People Problem in Security

The human element is still an impediment to progress in security. Rahim’s insights struck a chord with me because these are things I’ve been preaching for years. Security has advanced, technically speaking, but we clearly don’t have a grasp of what truly needs to be done to minimize business risks.

Does that mean that automation will fix all our security challenges? I think not, but it can surely help. Furthermore, will taking our training and education efforts to the next level really have an impact? It’s good to stay up with the latest and greatest in our field, but I don’t think training can fill in as many gaps as some people hope.

RSAC 2018 featured many more conversations around human-related topics. In fact, the theme of this year’s Innovation Sandbox was “Taking Humans Out of the Security Equation.” Clearly, the conference organizers are onto something: People represent a significant part of the security problem.

How can we address this issue? With any business challenge, it’s critical to define what the people problem really is. It’s not just end users making bad security choices, such as clicking malicious links and opening infected file attachments. It also has to do with IT and security professionals who are distracted or struggle to see the bigger picture.

I see many people, both users and security professionals, making decisions based on their own agendas without considering the greater good of the business. Much of this negative behavior can be attributed to honest mistakes and subconscious biases rather than deliberate malfeasance. This often stems from a lack of security leadership and poor organizational culture.

Busyness Is Not Always Good for Business

The RSA Conference also highlighted AI, blockchain, threat intelligence platforms and a plethora of other solutions that security professionals have at their disposal. I’d venture to guess that vendors have poured millions, perhaps billions, of dollars into developing security technologies, and many signs suggest that organizations are buying them.

Security budgets are increasing, and the strong attendance at RSAC is a great indicator of the health of the industry. So if money is being spent, actions are being taken and security teams are staying busy, it would stand to reason that enterprise networks are secure — right?

Knowing what I know, who I know and what I see, organizations have a long way to go when it comes to improving enterprise security. Until these human challenges are acknowledged, they will cause security problems that no level of investment in technology can resolve.

Security leaders should aim to address the vital few areas of security that have tangible payoffs, rather than get lost in the weeds of more trivial areas. Many business leaders erroneously interpret busyness as success. I’ve seen some companies go so far as to create their own network complexity.

Taking a Page Out of the RSAC 2018 Playbook

Organizations should take a page out of the RSAC playbook and eliminate people from the security equation whenever possible. Of course, the toothpaste is out of the tube, so to speak — IT and security positions are already in place, and users have been presented with business workflows that involve security decision-making.

So what can businesses do to reduce human error? There’s not a convenient solution available today. However, minimizing human involvement should be a priority for IT, security and business leaders. Whether it affects standards, architectures or processes, the human element is a huge part of the security problem. Organizations need to tame it sooner rather than later.

Learn more about AI and security automation: watch IBM Security General Manager Marc Van Zadelhoff’s RSAC keynote.
