RSA Conference 2020 was a bit unlike prior iterations of the big security industry event in San Francisco. While technology is always part of the event, the theme this time around wasn't about the technology but rather about the human element.
In session after session, speakers reiterated how the human element impacts different issues across the IT landscape and even how it impacts nation-state cyberattacks.
Rohit Ghai, President of RSA Security, opened the conference with an optimistic message that it is up to the security community to write the narrative about how people are making a difference.
"While we have focused on preventing hacks on infrastructure, the adversary has hacked our brains and cranked up the contrast in our story," Ghai said during his opening keynote.
The way security is often portrayed in the media today, according to Ghai, is that all hackers are technical sorcerers while all users are old gullible folks with technophobia. On the periphery are hapless techies who focus solely on zero-day vulnerabilities and the most advanced threat vectors.
Ghai noted that, in reality, attackers don't necessarily have the best technology; rather, their advantage is often one of organization.
"We continue to spend an inordinate amount of energy preparing for the most sophisticated threat vectors, while most incidents occur due to very, very basic issues or unforced errors," he said. "Look, preparing for the worst does not prepare you for the likely."
A risk that some perhaps consider a worst-case scenario is a nation-state-level attack, a topic that came up in multiple sessions. While there are technology approaches to dealing with that type of threat, there is a human element as well.
In a session about how to deter nation state threat actors, U.S. government officials outlined the different options available including diplomatic, legal and other retaliatory actions.
Thomas Wingfield, Deputy Assistant Secretary of Defense for Cyber Policy at the US Department of Defense (DOD), commented that a key part of preventing attacks is influencing would-be attackers to make a different decision.
"At the end of the day, deterrence is meant to work in one place, and that is inside the human element, inside of the brain of the adversary decision maker," Wingfield said.
We the People: Democratizing Security
While there were many sessions where speakers talked about why humans and not technology should drive decisions, the message of enabling users to be more involved in their own security was perhaps best told by Wendy Nather, Head of Advisory CISOs at Cisco.
Nather suggested that it's time to change the model of security from a control model to a collaboration model. Users today will do what they want to get what they want, and Nather emphasized that they are pushing back against IT security.
"The users are pushing back," she said. "They are taking back control and we can either fight it or we can work with them to make it work for them."
Part of the reason users push back is that the direction IT security has been providing has been confusing. For example, one common thing that comes up every year at RSA Conference is the question of why users keep on clicking on things that IT security tells them not to click on.
"I'll tell you why, it's because users have different priorities that are not security but also, hello, the whole internet is built to click on," she said. "And we do not help as security vendors when we say here, click on this to download our 18-page white paper on how not to click on things."
Nather suggested that it would be easier and better to just secure things so that it doesn't matter if users click or not.
"When we democratize tech and security, people are going to vote," Nather said. "They're going to vote for what they want, with their budgets, with their compliance or their non-compliance and we have to be ready to compete in that marketplace."