When RSA 2020 organizers chose “The Human Element” as this year’s theme, they were thinking of how security technology is only as good as the people who build, deploy and manage it.
The spread of COVID-19 -- which had infected more than 94,000 people around the world and killed 3,221 at this writing -- cast the theme in a light few could have imagined even a couple months ago.
In the month leading up to RSA, concern grew over whether the event would even happen after events like Mobile World Conference in Barcelona were canceled. Then IBM, AT&T and Verizon opted to cancel their RSA participation over
virus fears. The show proceeded as planned with all the usual tech displays, but COVID-19 concerns hung in the air like summer humidity.
Here are four takeaways based on my discussions with IANS clients and Faculty, contacts from the larger InfoSec community and from some of the sessions.
1. COVID-19 will preoccupy security teams for some time
From CISOs to lower-level security practitioners, people brought this up more than any other topic. Concerns extended to how security teams will continue functioning amid potential office closures, travel bans, supply-chain disruptions
and absences of infected personnel.
IANS Faculty Member George Gerchow returned from RSA and spent the weekend working on a pandemic disaster recovery/business continuity plan for his company and said many of his peers in Silicon Valley were doing the same.
“We (have to consider) policy around working from home, how long before someone can return to the office after getting sick, where to get COVID-19 test kits, international travel policy, and so on,” Gerchow said.
One CISO said the virus was as much a data security challenge as it was a DR/BC challenge.
“You have employees traveling the world with laptops that have sensitive information who risk getting stuck in place because of a quarantine,” he said. “If they’re in China, the longer they are stuck there,
the more likely the Chinese government is to review the contents of those devices. Your data is a sitting duck in a place with hostile wi-fi networks.”
While some took the threat seriously, others thought COVID-19 was overhyped, including IANS Faculty Member Tyler Shields, who noted, “Everyone was wiping their hands with hand sanitizer like a bunch of plotting criminal masterminds.”
COVID-19 preoccupation aside, RSA still focused intently on the latest security technology. The exhibit halls remained crowded with attendees browsing from one vendor booth to the next, looking for glimpses of innovation and expressing
skepticism of vendor messaging.
2. Heavy interest in artificial intelligence, but little trust
Many attendees mocked the hype around AI because they’re not convinced vendors fully know what they’re doing.
“The hype of and hope for AI/ML remains very high,” said IANS Faculty Member J Wolfgang Goerlich. “(Vendors say) it’ll solve everything from phishing to ransomware to incident response, but when you dig into
the models and peel back the marketing to reveal the actual use cases, it’s clearly overhyped.”
Legendary cryptographer Adi Shamir captured the skepticism in one session, saying: “We don’t understand why (deep learning and neural networks) work so well, and, and we don’t understand why they’re working
so terribly.”
Until we figure those things out, he warned of danger ahead – from how deep neural networks function in autonomous vehicles to how they are used to make life and death choices in medicine.
3. Security practitioners worry about supply-chain security – specifically Huawei’s role
A panel on supply-chain risks showed just how divided people are when it comes to companies and governments trusting infrastructure that includes Huawei’s 5G technology, which some worry could be used by the Chinese government
for spying and theft.
No one I talked to fully trusts Huawei. But they weren’t convinced that the full-on ban the Trump Administration has pushed for is necessary, either.
During the panel discussion, Katie Arrington, cyber information security officer of acquisitions at the Department of Defense, towed the administration line. “I don't want to be in a world where I wake up one morning and the
banks don't work, and traffic lights don't work and break down,” she said. “I want to make sure that control remains here, where I can touch you.”
Fellow panelist Bruce Schneier, security technologist, researcher and lecturer at Harvard Kennedy School, was unmoved.
“Tying national security to trade policy makes for impossible security trade-offs,” he said. “Either this is a national security issue, in which case there are things we do and don't do, or this is a trade issue,
in which case we negotiate on a variety of things. "It cannot be both."
4. Facial recognition is the object of growing mistrust
Several people expressed discomfort with the facial recognition privacy risks they keep hearing about in the news, with some cities and organizations banning it altogether. News that Clearview AI lost an entire database of faceprint-buying
clients in law enforcement only added to the unease.
Facial recognition has become so controversial that IANS has worked it into our 2020 curriculum. Clients have told us they need help separating sensational headlines from the realities of where biometrics may or may not be viable.
One forum session will recap the privacy and legal ramifications of facial recognition, explore biometrics use cases, including document validation, authentication and lie detection, and explore the full spectrum of tools worth
considering in the pursuit of password-less authentication.
Other topics
Other RSA topics this year included how to apply zero trust principles in an organization, nation-state attacks, defending against the ransomware attacks that have increasingly targeted government organizations and municipalities,
and how to use MITRE ATT&CK as a security Swiss Army knife and achieve automation in everything from IAM/PAM to threat ops.
The latter topic was of particular interest to IANS Faculty Member Mike Rothman.
“I think the concept of automation is overhyped, but the use of security automation is dramatically behind where it needs to be,” he said. “We’ll get there, once security folks get more comfortable figuring
out the use cases that make the most sense for the machines.”
What IANS was up to
This was a particularly busy RSA for IANS. We unveiled:
- A new Cloud Security Maturity Model (CSMM) and diagnostic tool we created with Securosis.
- A partnership with Cloud Security Alliance (CSA) to integrate the CSMM into their cloud security research program in addition to their certification and training initiatives.
- A new Mobile Strategy, and
- We sponsored the Disaster Recovery Breakfast.