April 26, 2018 By Kevin Beaver

Like last year, many of the discussions that took place at RSAC 2018 centered around the human element of security, including the cybersecurity skills gap, security automation and artificial intelligence (AI). It seems like the more mature security programs supposedly become, the more challenging it is to keep up with security.

Juniper Networks CEO Rami Rahim asserted in his keynote that the internet offers criminals an unfair advantage. The internet eliminates the constraints of time, distance and identity, and its speed and ubiquity facilitate attacks that can strike from anywhere in the world without warning. Rahim wrapped up his speech by urging organizations to implement security automation and to focus on developing the next generation of security professionals, which were common themes at this year’s RSA Conference.

The People Problem in Security

The human element is still an impediment to progress in security. Rahim’s insights struck a chord with me because these are things I’ve been preaching for years. Security has advanced, technically speaking, but we clearly don’t have a grasp of what truly needs to be done to minimize business risks.

Does that mean that automation will fix all our security challenges? I think not, but it can surely help. Furthermore, will taking our training and education efforts to the next level really have an impact? It’s good to stay up with the latest and greatest in our field, but I don’t think training can fill in as many gaps as some people hope.

RSAC 2018 featured many more conversations around human-related topics. In fact, the theme of this year’s Innovation Sandbox was “Taking Humans Out of the Security Equation.” Clearly, the conference organizers are onto something: People represent a significant part of the security problem.

How can we address this issue? As with any business challenge, it’s critical to define what the people problem really is. It’s not just end users making bad security choices, such as clicking malicious links and opening infected file attachments. It also has to do with IT and security professionals who are distracted or struggle to see the bigger picture.

I see many people, both users and security professionals, making decisions based on their own agendas without considering the greater good of the business. Much of this negative behavior can be attributed to honest mistakes and subconscious biases rather than deliberate malfeasance. This often stems from a lack of security leadership and poor organizational culture.

Busyness Is Not Always Good for Business

The RSA Conference also highlighted AI, blockchain, threat intelligence platforms and a plethora of other solutions that security professionals have at their disposal. I’d venture to guess that vendors have poured millions, perhaps billions, of dollars into developing security technologies, and many signs suggest that organizations are buying them.

Security budgets are increasing, and the strong attendance at RSAC is a great indicator of the health of the industry. So if money is being spent, actions are being taken and security teams are staying busy, it would stand to reason that enterprise networks are secure — right?

Knowing what I know, who I know and what I see, organizations have a long way to go when it comes to improving enterprise security. Until these human challenges are acknowledged, they will cause security problems that no level of investment in technology can resolve.

Security leaders should aim to address the vital few areas of security that have tangible payoffs, rather than get lost in the weeds of more trivial areas. Many business leaders erroneously interpret busyness as success. I’ve seen some companies go so far as to create their own network complexity.

Taking a Page Out of the RSAC 2018 Playbook

Organizations should take a page out of the RSAC playbook and eliminate people from the security equation whenever possible. Of course, the toothpaste is out of the tube, so to speak — IT and security positions are already in place, and users have been presented with business workflows that involve security decision-making.

So what can businesses do to reduce human error? There’s not a convenient solution available today. However, minimizing human involvement should be a priority for IT, security and business leaders. Whether it affects standards, architectures or processes, the human element is a huge part of the security problem. Organizations need to tame it sooner rather than later.
