Where the world talks security - The Korea Times


By Jason Lim

That’s the tagline for the RSA Conference, the biggest cybersecurity event in the world, held annually in San Francisco. According to the press release, “RSA Conference is the premier series of global events where the world talks security and leadership gathers, advances and emerges.”

When you are here, it’s tough to argue against this breathless self-description. There is palpable energy and excitement in the air, with tens of thousands of people from across the world converging in downtown San Francisco to hear the captains of the cybersecurity industry and leading policymakers share their insights and predictions. You can also wear out a brand new pair of shoes just walking along the exhibition floors, with hundreds of large to small businesses hawking their wares. Even nation states ― like South Korea and Germany ― have booths showcasing the best cybersecurity firms of their respective countries.

The organic yet self-organizing hustle and bustle of the RSA Conference definitely gives off the impression that cybersecurity is the future, that it’s fast stepping out of the shadows of information technology to define its own space. This must have been what the dot-com age felt like before it ballooned into a bubble and burst. Or the craze a few years ago when mobile apps became the latest rage. I am sure that cybersecurity will soon go through its consolidation stage, but it will play an indispensable role as long as there is a need to connect. No wonder RSA 2016’s slogan is, “Connect to Protect.”

A few hot trends became immediately obvious in the first few hours. One, cloud security is huge. Everyone’s moving to the cloud in some form or fashion, so it needs to be secure. Two, the Internet of Things (IoT) is like a tsunami that keeps on pushing ashore. When you think that it can’t possibly get any bigger, you realize that the real wave is still picking up steam beyond the horizon. An industry veteran even stated that IoT is not a trend; it’s actually the reinvention of the Internet itself. Three, machine learning is the next big product offering for cybersecurity. More specifically, using some type of teachable data analytics engine to baseline normal behavior specific to individual people, workstations, devices, appliances, networks, etc. and send up an alert when the behavior deviates beyond what’s allowed by system owners.

But the biggest trend that underlies all of the above is the absolute lack of cybersecurity workforce. The explosion of cybersecurity as an industry has everyone grasping for a workforce with the right skill set to satisfy the growing demand. It’s not just the industry. A panel of government managers was even talking about creating a different pay scale and increasing permeability between the government and private sector so as to attract and retain skilled cybersecurity professionals. You can automate tools as much as you like, but you still need trained people making the decisions.

Which goes into a few things that I didn’t see during this year’s RSA Conference. I didn’t see a lot of diversity. First, the gender ratio is way skewed. Women make up 18 percent of the IT workforce and only around 10 percent of the cybersecurity workforce. Second, I didn’t see a lot of brown and black people, which is reflective of the larger diversity problem in Silicon Valley where 50 percent is white, 41 percent Asian, 3 percent Hispanic and 2 percent black. It’s probably worse for cybersecurity, which is an additional layer of specialization within the IT industry. Such gross underrepresentation of non-Asian minorities is unsustainable ― politically and demographically ― when cybersecurity has been designated as a key national strategic priority.

I also didn’t see a confluence of change management and cybersecurity. While there is a growing realization and appreciation that human behavior is the largest risk factor, the current tools only track and perhaps predict which people might act with malicious intent. But what about changing behavior? How do we marry up cybersecurity tools with the more mature science of change management to create a more holistic cybersecurity ecosystem that includes how we design and shape desired behavior to mitigate risks? I know that this merging of disciplines is coming soon.

Another thing that was missing was training. More specifically, live environment training for security operations center (SOC) employees. There is definitely a need for SOC employees to be exposed to realistic threat scenarios much like a pilot trains in a simulation module before being allowed to fly a real plane. No one that I saw was offering a simulation training module for SOC staff. If they are really our frontline warriors in the ongoing cybersecurity war, then they deserve to be trained as close to the real thing as possible. This is a huge need that just cries out to be filled.

All in all, this has been an incredible learning experience. I look forward to seeing how this industry is evolving when I hopefully come back next year.

Jason Lim is a Washington, D.C.-based expert on innovation, leadership and organizational culture. He has been writing for The Korea Times since 2006. Reach him at jasonlim@msn.com, facebook.com/jasonlimkoreatimes or @jasonlim2012.
