5 things we learned about the state of cybersecurity from Structure Security 2016

The first annual Structure Security conference took place in San Francisco in September. Here are the top takeaways.


The future of cybersecurity is difficult to predict. Attack surfaces change all the time, and attackers are constantly coming up with new ways to steal data and disrupt systems. However, in the chaos of it all, some patterns emerge.

At the 2016 Structure Security conference, which took place from September 27-28 in San Francisco, security experts and vendors came together to discuss emerging trends and best practices. Here are some of the biggest takeaways from the event.


1. People are the problem

The overwhelming theme of the current cybersecurity landscape is that people are, indeed, the problem. In addition to the insider security threats that employees pose at an organization, security posture can be weakened by the difficulty of finding new security employees.

The first issue isn't new, but that doesn't take away from how big a problem it really is. One talk, titled "Why Your Greatest Asset Is Your Weakest Link," spoke to the paradox that a great employee can also be a security risk because of poor security hygiene.

Secondly, there aren't enough security employees to go around. One expert I spoke with claimed that the security industry has a "negative unemployment problem." To help alleviate some of the burden placed on businesses, some organizations are turning to automation to supplement the work of their security analysts.

2. IoT is an issue

Depending on whom you ask, there will be between 20 and 50 billion connected devices by the year 2020. The security implications of these devices are far-reaching, affecting businesses and consumers alike.

On the consumer side, Intel Security's Scott Montgomery called the coming security challenges in IoT a tsunami. The issue, he said, is that manufacturers will keep producing internet-connected devices, but there aren't enough standards in place to keep everything as safe as it should be. Also, users are too willing to trade their privacy for the convenience of these devices, without understanding the risks.

Industrial IoT has its own unique challenges, and the threats posed can often deal with physical damage or risk to human safety. According to Tom Le, executive director of cyber at GE Digital Wurldtech, the problem is that there is an additional layer of operational technology (OT) assets that needs to be taken into account and properly secured as well.

3. The rise of the machines

Machine learning and artificial intelligence (AI) are coming to security products, but the responses are mixed. Some, such as Cylance CEO Stuart McClure, believe the inclusion of these technologies is the next step for cybersecurity. At Structure Security, he went as far as to say that these technologies would "save the entire security industry."

However, others felt that the technologies were too new and unrefined to add any real value. According to a spokesperson, CloudPassage CTO Carson Sweet, who spoke at the event, believes that using "AI for security is BS." The main concerns of folks in this camp are false positives and the inability of the AI to properly act against threats.

4. Openness can be secure

Often, the concept of open source software is regarded as non-secure, due to the fact that anyone can access the source code. However, open technologies can be secure because of their transparency, and provide a less expensive option for businesses looking to secure their assets.

Balancing openness with security is precisely the challenge faced by Google's Android. At Structure Security, Google's head of security for Android, Adrian Ludwig, explained the steps Google has taken to secure Android, and called for more transparency in the smartphone supply chain, especially at the chip level. Another panel discussion, featuring employees from Facebook, Slack, Uber, and Pandora, alluded to a future where open source security is inevitable.

5. Lessons from the government

Despite the many advances that have been made in cybersecurity in the private sector, there are some lessons that can be learned from the public sector. For starters, FBI CISO Arlette Hart explained some of the FBI's security strategy at Structure Security, including firewalls, botnets, and intrusion detection.

In the physical world, the Secret Service is another interesting model that cybersecurity firms can learn from. In his talk, "What the Secret Service Can Teach Us about Cybersecurity," Illumio's Nathaniel Gleicher explained how the Secret Service's approach to protecting the president could help businesses better secure their data centers.
