The disruptions in the physical world have spilled over, creating “digital ripples” that require us to care about constants while we transform. That was one of the main messages by Rohit Ghai, CEO of RSA, during a keynote address at the RSA conference Monday.
Ghai noted that 2021 was the year of ransomware, supply chain attacks and disinformation attacks, and that we live in a hyperconnected world where physical and digital are now indistinguishable.
“Disruption is a tough but fair teacher in the Darwinian school of survival,’’ he said. “Disruptions shape transformations in three ways: They show us what does not change and is a constant; they crystallize what matters most, which are the imperatives; and they debunk wrongly held beliefs – the dogmas.”
We should care about constants even though we live in an ever-changing world because constants are the basis for scientific progress, Ghai said, citing the example of the mRNA vaccine that was developed and distributed when the pandemic hit.
SEE: Password breach: Why pop culture and passwords don’t mix (free PDF) (TechRepublic)
Protecting humans with cybersecurity is a constant
Cybersecurity is constantly seeking to protect people’s ability to use technology to access information, even when information changes all the time.
“In fact, in just the last year we’ve created more information than in all the years of our existence,’’ Ghai said.
New technology will bring new exploits and malware that leverages those exploits. How humans think and act is another constant.
“As a sector, we have been built for reactively chasing after the next vulnerability or the next threat or the next one,” Ghai said. “Instead, to transform, we need to build solutions based on the one constant in cyber security: Identity.”
Most cyberattacks occur due to compromised identity, and while most of the attacks can be blocked by multi-factor authentication, enterprises are still only at 50% adoption.
The barriers to adoption have been a lack of open standards, user experience and inertia around passwords, Ghai said. Yet with the maturation of password-less technologies like Fido and the evolution of open standards like OpenID Connect and SCIM, Ghai believes the era of passwords is coming to an end.
But MFA is not enough.
“In a zero-trust world we need to manage the who, why and where of identity in a single, infrastructure-agnostic platform that delivers 360-degree coverage across access, authorization, identity, lifecycle and governance,” Ghai said.
Such centralization would put control of a user’s digital identity back in their hands, Ghai said, calling identity “the one constant in the world of cybersecurity.”
It’s also critical that security practitioners identify the imperatives. To fight disinformation, content should authenticate the author who created it and what their reputation is.
“The veracity of information is the absolute imperative in cybersecurity,’’ Ghai said.
The third insight Ghai gave the audience is to “ditch our dogmas, disruptions – debunk dogma and legacy thinking. After spending decades obsessing over privacy, we somehow got comfortable with sharing our most intimate data,’’ he said.
In cybersecurity, there has long been a trade-off between security and convenience.
“Dogma tells us to prioritize convenience over security,” Ghai said. “Maybe what a cyber disruption tells us is that we should always prioritize security over convenience… We need to stop sacrificing security at the altar of convenience. The level of digitalization of the world has crossed that threshold where the risk of doing so outweighs the rewards.”
With forces at play such as productivity, artificial intelligence, and decentralized edge computing, Ghai observed that “for the first time perhaps, the rate of change in technology is outpacing the human capacity to adapt.”
Ghai’s other message was that we need to “stop believing that security versus convenience is a zero-sum trade-off. A crisis is a terrible thing to waste.”
Ghai then challenged the audience by asking if the world is really going to wait for a cyber pandemic to transform security. While that may not kill as many people, it will have a debilitating impact.” Transforming security will require us to re-orient our thinking from being infrastructure-centric to identity and information-centric.
The interconnected world affects the entire supply chain
In the second keynote address of the day, Jeetu Patel, executive vice president and general manager of security and collaboration at Cisco, also urged the audience to think about the interconnected nature of the world and the security challenges that come with it. Businesses are behaving like ecosystems.
“That means you might be materially impacted by the way your production and supply chain and demand cycle works based on what happened to other members of the ecosystem,” Patel said.
As a result, companies are taking a much more measured approach to risk and making sure they can assess risk. Only 20% of often known vulnerabilities actually get remediated, Patel said, urging companies to approach vulnerability management in a risk-based manner.
Related to this is the trendy new idea that everyone is an insider: Cyberattacks have become much more personalized. Patel said that 56% of the breaches that have happened occur because of unknowing negligence, rather than something malicious.
To simplify security management, Patel noted, it needs to be fluid along with the lowest amount of friction for users. You don’t have to trade off security for convenience: When the friction goes down, efficacy automatically goes up.
The big challenge is that we need security resilience just like business and operational resilience, Patel said. “The weakest link in the supply chain can bring down the entirety of your entire ecosystem.”
He noted that Wendy Nather, the head of Cisco’s advisory CISOs, coined the term “the security poverty line,” which means there is a baseline level of minimum security posture that every company should maintain. When companies don’t have the right level of resources or know-how to go out and maintain that level, they fall below that poverty line, and it puts the entire ecosystem at risk.
He urged the audience not to ignore the smaller and not-for-profit companies in the ecosystem because 60% of companies that have a cyberattack go out of business in six months.
“We collectively have to make sure this problem is solved.”