In her RSA Conference 2018 keynote, futurist and game designer Jane McGonigal said: "Any useful statement about the future should at first seem ridiculous." In the post-RSAC recovery period, I pondered the future trends in information security and built my own ridiculous statement regarding the future of information security:
In the future, information security will be easy.
We are still in the era where the security of information systems is complex, difficult, and expensive. Security is dominated by a lot of great ideas, none of which are remotely practical. They all require an immense amount of skill, experience, and (more importantly) discipline to function properly.
Security must be simple. It must be in all information systems by default and by design. It cannot be optional. It also cannot be a checkbox that organizations use to silence partners or regulators.
Skeptical of this prediction? Let’s explore it. We can use the RSA Conference 2018 as a backdrop to explain how security is destined to become simple: secure by default and by design.
One of McGonigal’s other insights from RSA was that if you want to predict the future, you must look for signals. Those are indicators of the future. Reflecting on RSA, I observed three signals of this by default, by design future:
- The ridiculous expectations we place on security practitioners
- Decision makers are abandoning point solutions (and RSA for that matter)
- Impact of the cloud and automation
Let’s work this list backwards, since the third item on that list seems the most pervasive.
1. IN THE CLOUDS
Years ago, while working with AWS on a project, I had a realization: hardware is an impediment to security.
In the cloud, everything is code. There are no hardware, networks, or systems in the traditional sense; the hardware still exists, but it sits below an API and everything above it is virtual. Systems are created, destroyed, scaled, and secured entirely mechanistically. This dramatically reduces the impact of the most destructive vulnerability in every compute environment ever built: humans.
Data breaches exist because of humans. A server does not wake up one day and decide arbitrarily to release its data. Whether it is bad code, weak permissions, or faulty encryption, everything stems from a person who makes a mistake.
Codifying systems allows for extensive automation. The cloud platform does all the work, based on code. When a new system is brought on-line, code installs the system, configures it, and secures it. People are largely uninvolved in the actions. These environments become secure by default and by design. There are no humans forgetting to set a password or opening up access. As long as the security configuration is written into the code, and that code is itself reviewed and tested, every system the code creates inherits the same secure configuration. The human mistake can still happen, but it happens once, in a code review, rather than on every server.
Right now, we (and others) are building automated environments that do not require teams of security people to run. They are predominantly autonomous. People get to do the “fun work” of analysis, design, and monitoring.
Cloud automation allows organizations to quickly deploy environments that already have all the security controls and permissions baked into them. Furthermore, these environments are built with security guard rails: controls that force the environment to remain secure even when people attempt to bypass or break the other controls. For example, if a user attempts to open public access to confidential data, the guard rail detects the change and automatically removes that access. No human intervention is necessary.
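One way such a guard rail can be implemented, as an added example that is not code from the original post: the functions below take an S3-style bucket policy, find the Allow statements that grant access to everyone (a Principal of "*" with no condition that pins it to a network or organisation), and return a sanitised policy with those statements removed, plus a companion check for public ACL grants. The policy document, the account and VPC endpoint identifiers in it, and the set of condition keys treated as a trusted boundary are all constructed for the example; a deployed guard rail would be triggered by a bucket-policy change event and write the sanitised policy back through the cloud provider's API. The same block illustrates the point made later, in section 3, that the technology should automate the response, not just raise an alert.

```python
"""Guard rail for an S3-style bucket policy (added example, not the post's own code).

Finds Allow statements that hand access to everyone and returns a sanitised policy
without them, as an automated guard rail would the moment such a change lands.
The policy and ACL below are constructed for the example; a deployed guard rail
would get them from a cloud event and write the fixed policy back via the API.
"""
import copy
import json

# Assumption for this example: only these condition keys are trusted to confine a
# wildcard principal to a network or organisation. Anything else (aws:Referer,
# aws:UserAgent, ...) is attacker-controlled and does not make the grant private.
RESTRICTING_KEYS = {
    "aws:SourceIp", "aws:SourceVpc", "aws:SourceVpce",
    "aws:PrincipalOrgID", "aws:PrincipalAccount",
}
ANONYMOUS = "*"
PUBLIC_ACL_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def _as_list(value):
    """IAM lets most fields be a scalar or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _principal_is_everyone(principal) -> bool:
    """True for Principal "*", {"AWS": "*"} or a principal list containing "*"."""
    if principal == ANONYMOUS:
        return True
    if isinstance(principal, dict):
        return any(ANONYMOUS in _as_list(v) for v in principal.values())
    return False


def _condition_restricts(statement: dict) -> bool:
    """True if a Condition pins the statement to a key we trust as a boundary."""
    for operator_block in statement.get("Condition", {}).values():
        if any(key in RESTRICTING_KEYS for key in operator_block):
            return True
    return False


def find_public_statements(policy: dict) -> list:
    """Return the Allow statements that grant access to everyone."""
    public = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":        # a Deny to "*" tightens, never opens
            continue
        if not _principal_is_everyone(stmt.get("Principal")):
            continue
        if _condition_restricts(stmt):
            continue
        public.append(stmt)
    return public


def remediate_policy(policy: dict) -> dict:
    """Return a deep copy of the policy with every public Allow statement removed."""
    public = find_public_statements(policy)
    kept = [s for s in _as_list(policy.get("Statement", [])) if s not in public]
    fixed = copy.deepcopy(policy)
    fixed["Statement"] = copy.deepcopy(kept)
    return fixed


def acl_is_public(acl: dict) -> bool:
    """True if any ACL grant targets the AllUsers or AuthenticatedUsers group."""
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_ACL_GROUPS:
            return True
    return False


# Constructed sample: a bucket whose policy was "temporarily" opened to the world.
BUCKET = "arn:aws:s3:::confidential-data"
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AppRead", "Effect": "Allow", "Action": "s3:GetObject", "Resource": BUCKET + "/*",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/app"}},      # legitimate
    {"Sid": "OopsPublic", "Effect": "Allow", "Action": "s3:GetObject", "Resource": BUCKET + "/*",
     "Principal": "*"},                                                 # the mistake
    {"Sid": "VpceOnly", "Effect": "Allow", "Action": "s3:ListBucket", "Resource": BUCKET,
     "Principal": {"AWS": "*"},                                         # wildcard, but pinned
     "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}},
    {"Sid": "DenyInsecure", "Effect": "Deny", "Action": "s3:*", "Resource": BUCKET + "/*",
     "Principal": "*", "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
]}

if __name__ == "__main__":
    print("Public statements removed:", [s["Sid"] for s in find_public_statements(SAMPLE_POLICY)])
    print(json.dumps(remediate_policy(SAMPLE_POLICY), indent=2))
```

Run it and only the "OopsPublic" statement is stripped; the role-scoped grant, the VPC-endpoint-scoped wildcard and the TLS Deny all survive. The allow-list of condition keys is the caveat a practitioner should keep in mind: a wildcard principal "guarded" by aws:Referer or a similar client-supplied header is still public, so the guard rail only trusts conditions that name a network or an organisation.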
Today, many CIOs and CISOs view the cloud as merely part of a security program. In the future, the cloud *is* your security program. Codified compute environments are immensely easier to manage, maintain, and secure. They simplify security, which in turn makes that security more reliable and consistent.
However, the cloud is not the only reason security will be simple in the future.
2. THE ENDLESS LOOP
Among the numerous annoying things at RSA this year, the endlessly looping marketing videos in every booth were particularly grating. This is also a metaphor for the current state of information security products: repetitive sameness.
The security industry is stuck in a loop of hard-selling the same tired equipment, buzzwords, and fear. Except for brief moments, like RSA’s Innovation Sandbox, there were few (if any) “game changers.” The noisy, big name vendors consumed all the oxygen in the room, leaving none for anyone else.
This explains why leaders are abandoning both the RSA Conference and many of those noisy vendors. Multiple CISOs and CIOs I know commented that they are fed up with the endless loop of point solutions: products that solve one small problem, while completely ignoring the larger picture. One CIO commented: “It is the same message, over and over again: ‘buy this and you are secure.’ I am sick of silver bullets.”
Leaders are looking for something more, something they can depend on. Something that simplifies their life, not adds more consoles, dashboards, alerts, and complexity.
This leads to the last signal: the ridiculous expectations we place on security practitioners, and the automation that could relieve them.
3. REVERSED ROLES
The insane focus on point solutions has reversed the natural order of humans and technology in security. Inside many organizations, people are doing the work of machines, while machines are expected to do all the thinking.
Consider the ludicrous expectations put on information security professionals at many organizations:
- Know every possible attack technique, vulnerability, and compliance requirement there ever was, ever will be, and ever could have been
- Never miss a single detail, issue, or attack
- Do all this without increased headcount
- Take all the blame if there is any breach
Furthermore, if there is a breach, we attack the security people as incompetent, lazy, and stupid. After Equifax got hacked, social media filled with insults directed at the CISO.
Consequently, leaders are elevating technology to wholly inappropriate levels of authority. Security technologies are sold to anxious leaders as “silver bullets” that will take care of everything. Weak leaders believe that as long as they own the latest next-generation box, they are safe.
With disturbing regularity I hear leaders define their security program in the context of their NGFW or SIEM product. It usually starts with some statement such as: “Well, we’re a Palo Alto shop so…”
The latest twist is “artificial intelligence” or “machine learning.” These technologies are being sold as literal replacements for IT and security employees.
Technology is not a replacement for the intuition and creativity of humans. This is partially why hackers always have an advantage. A human is infinitely more creative than any NGFW could ever hope to be. However, humans are not machines, and we cannot expect them to know everything and miss nothing.
If security is to ever become simple, the relationship of humans and security technology must revert back to a more classical arrangement: technology does the hard work, and humans do the fun work.
Security technology must automate data analytics, response, and guard rails (as discussed earlier). People, on the other hand, should be behind the scenes asking the big questions, such as why this is happening.
Automation and orchestration, especially when combined with the cloud, rearrange this relationship. When an environment is highly automated, it allows people to step back and focus on vision, design, and operations.
FUTURE MIND GAMES
So, if we accept that information security in the future will be simple, what does information security look like in 2028?
McGonigal suggested using mind games to test out future predictions. I have one of these to help me predict the future called the Ten Year Lookback. Here is how it works.
- Think back to where you were ten years ago. What were you doing? What was important to you back then?
- Imagine you can send yourself a message from 2018 back to 2008. What advice would the 2018 you give to the 2008 you?
- Now, project forward. What advice is the you of 2028 giving the you of 2018?
I find this to be an excellent meditation. It grounds me in all tenses of existence: past, present and future.
Let’s try this out on information security. Since the Internet forgets nothing, I went back and found this story about RSA 2008:
The biggest story of the RSA Conference 2008 meeting of security professionals yesterday (opening day) was Department of Homeland Security Secretary Michael Chertoff’s keynote address. He said that enhancing cybersecurity is a major focus for this year. He talked about a national cybersecurity initiative “that would be almost like a Manhattan Project to defend our cybernetworks.” He promoted a partnership between the federal government and businesses to fight cybercrime. He encouraged private enterprises to take advantage of what government has learned in its fight against cybercriminals and to send their “best and brightest” to work in government cybersecurity efforts.
Here we are 10 years later and the government is still promising public/private partnerships, yet delivering nothing of substance.
As such, my message from 2018 to 2008 might be:
Do not trust the government to do anything meaningful in information security. Focus on the fundamentals: patching, access control, security operations, and so forth. Make the technology do the work, so you can keep an eye on the big picture.
Now, let’s project forward. What does 2028 want to tell us about security in 2018? I believe the advice from 2028 might sound like this:
Do not trust the tech vendors. Focus on the fundamentals: patching, access control, security operations, and so forth. Make the cloud do all that work for you, so you can keep an eye on the big picture.
It is time to evolve.
Now, here is the bad news. This simple future means many of us security professionals will be obsolete. If you want to future-proof your security career, learn cloud automation and coding. Stop fiddling with hacking techniques, compliance, and equipment. These are not skills that will be lucrative or in demand in 2028. The future security professionals are DevOps and SecOps people.
As for RSA Conference? RSA should be a developers conference, not a trade show. In fact, I would argue that AWS or Microsoft should buy the RSA conference away from Dell. Take it back to its academic roots. Bring back brainy speakers and big ideas. Dial back the vendor booths. There is plenty to keep, such as the Innovation Sandbox.
Mostly, RSA must re-orient toward the future. That future is the cloud. It is a future where we are not obsessing over the latest hacking technique or blindly checking off PCI compliance boxes. The future of information security is where technology does all the dull work of data mining and threat hunting, and we humans can do the “fun work” of analysis and research.
Information security, simple? When security is baked into everything, by default and by design – it is possible. Codifying compute environments also puts people and technology back in their rightful places. It makes the technology work for us, rather than us working for the technology.
This may sound ridiculous, but we are building this future right now.