RSAC unwrapped: two key themes from this year’s conference

The resiliency of organizations was the theme of the recent RSA Conference, one of the premier cybersecurity conferences across the globe, and among the big issues discussed was the long-standing shortage of qualified cybersecurity professionals. After all, it’s hard for an organization to be resilient when it doesn’t have enough cybersecurity professionals to handle the changing landscape and the organization’s evolving needs.

No surprise there.

Training cybersecurity professionals is essential to bridging the skills gap

Keynote speaker Chuck Robbins, Cisco’s chairman and CEO, told attendees that there are more unfilled cybersecurity jobs across the globe than there are actual cybersecurity professionals working today. He noted there are 4 million open positions, with only about 2.8 million cybersecurity professionals out there to fill them and seventy percent of cybersecurity professionals say the organizations they work for are impacted by the skills shortage. One solution he suggested is training more cybersecurity professionals, including retraining existing employees, and better training programs are definitely needed.

But is that enough?

Bridging the skills gap

I think there’s also room for a conversation about additional approaches, including automation and managed detection and response (MDR), to help bridge that skills gap. Artificial intelligence and other automation technologies are gaining traction in cybersecurity, with tools like security orchestration, automation and response (SOAR) helping to coordinate cybersecurity responses.

For many businesses, moving to an MDR service may also make sense. MDR can add an additional layer to automated cybersecurity tools, with a managed service provider bringing in the people an organization needs to fill in its security gaps. At many companies, security professionals or the management team can have trouble trusting an automated security response system. I have seen many instances of intrusion prevention systems put in place but left in “detect only” mode. But an MDR service combines automation with analysts in place to put human eyes on the security issues as well.

If you think about it, threat actors are already automating, scaling and becoming increasingly innovative. In order to keep up with the threats, automation is key. But this doesn’t mean there is no one at the helm. Today there is almost too much threat intelligence to sift through making it easier to miss a major threat within the desired breach exposure time. Automation frees up threat analysts to look at the bigger picture.

Securing the supply chain

A ransomware criminal ecosystem is on the rise, with developers creating it for other cybercriminals, or affiliates, to use

In addition to the skills shortage, supply chain security was another big topic at the RSA Conference. The recent SolarWinds and Colonial Pipeline attacks were covered heavily – both generating a lot of discussion.

Ransomware has become a popular attack vector for cybercriminals, who see that it can bring them a quick payday. We’re seeing the rise of a ransomware criminal ecosystem, with developers creating it for other cybercriminals, or affiliates, to use.

It appears that some criminals using ransomware have shifted their targets, with the previous gentlemen’s agreement not to attack organizations that provide critical resources now falling by the wayside. The attack on Colonial Pipeline is the latest example of a noticeable shift toward attacking critical infrastructure.

I think key to securing the supply chain and fighting ransomware, and other attacks, beyond automation, intelligence and incident response (and tools like SOAR or MDR) is, yes 1) training employees to practice better cyber hygiene, but also 2) industry accountability.

The bottom line

Education is key, because a lot of the threats today penetrate a company’s IT infrastructure when an employee clicks on a malicious link in a phishing email or downloads a file they shouldn’t. If every organization can focus on training every employee in security awareness, that's going to go a long way to curbing the success of common attacks on these and other known vulnerabilities. But it’s not enough.

In terms of accountability, I think the public and private sector can collaborate on a much bigger scale and hold each other accountable to maintaining at least a baseline of cybersecurity responsibility. I love “hole in the wall” restaurants, but if a place has a “C” rating from the health department, I might try someplace else instead. If we applied a similar system to cybersecurity preparedness, it could help companies be more confident about their partner ecosystem. If one company is selected over another because it has an “A” rating in cybersecurity preparedness while their competitor has a “B” rating, then that means cybersecurity responsibility can affect the business bottom line and that’s when I think we’ll see some real traction.

One of the main messages coming out of RSA is that cybersecurity has a huge human component, whether it involves employee security training, working around the skills shortage, or expecting more from ourselves and the industry as a whole.

My colleague, Setu Kulkarni, and I discussed this and more in a recent podcast with cybersecurity influencer Byron Acohido. Give it a listen here.