RSA 2022 Observations: Revealing Security’s Dirty Secrets
Editor's Note: This post from Forcepoint's CEO originally appeared here on LinkedIn.
Now that we are past RSA22 by a couple weeks, I put together some observations from this year’s event. First, attending in-person after two years away was more fun than I expected. Second, making security simple is not easy. More on this later.
On the first, it was great to see old friends and exchange stories after not meeting in person the last two years. Lots of good stories too about new hobbies undertaken and trips planned as the world has opened back up.
The last two years were undoubtedly a period of intense transformation, which was appropriate because that was the theme for this year’s RSA. If you had a plan previously to go to the cloud in three years, you had to do it in three hours. We’ve seen tremendous shifts and changes in how we work and use information.
For an industry that is constantly changing, it's hard to get out of old habits, but we need to. Old habits die hard and that’s the problem. Every time there’s a breach, we create a new product for it. A new appliance. Another product, which requires another way to manage it. It’s a vicious cycle.
Let's be honest, it's not working. It’s not surprising that we got here.
And that’s the dirty little secret. As an industry, we’ve made security so complex, we’re falling behind in stopping the bad guys. We need to change. Everyone—customers, partners, and vendors—needs to move faster to radically simplify.
I invite you to watch my RSA keynote, “Security's Dirty Little Secret: The Conservation of Complexity,” where I walk through the argument.
But since we’re all busy trying to re-introduce ourselves to the people in real life, I thought I’d also highlight the key points.
With greater productivity comes greater responsibility.
Our productivity has exponentially increased because of innovations in software, in access, and in connectivity. On any given day, I can acquire and consume information as soon as I get up in the morning (at 5 o’clock if you’re wondering). Our work and personal lives are merging to the point it’s hard for us to tell the difference between the two. All of this incredible productivity also creates more opportunities for the hackers.
By 2025, the cost of cyber will be $10.5 trillion, equal to the third-largest economy after the U.S. and China in terms of GDP. Who says cybercrime doesn’t pay? Just ask the 3.5 million security pros we still need to hire to stop the bad guys.
The industry is not helping by offering more acronyms as solutions.
We cannot continue to serve up more alphabet soup of three- and four-letter acronyms, representing security products that all have to be managed separately. As human beings, we have a natural tendency to solve a problem incrementally instead of starting over with a clean sheet of paper. An incremental solution can be faster and easier to execute for a vendor. You’ve seen companies bolt on features or capabilities. The false answer is a hodge-podge of complexity.
We must fix this by thinking differently about security architectures.
1. Make Zero Trust easier to adopt. Abandon legacy perimeter thinking and move toward “never trust, always verify” throughout your organization.
2. Follow a SASE framework of converged security and connectivity capabilities that can adapt. Simplifying security should rest on a foundation of Risk Adaptive Zero Trust with built-in threat protection and data security. Add gateway capabilities to control access for email, websites, or apps. Put management in the cloud, because security needs to be everywhere, freeing your employees to work from anywhere.
3. Connect via the “Smart Edge.” Use next-generation SD-WAN technology to push security services to remote sites and connect the people working at the edge of your organization to internal systems and cloud apps.
With this modern architecture, we can move easily from implicit security to explicit Zero Trust. We stay productive and create a better experience for our people. The infrastructure is all in the cloud, so we can focus on speed and innovation, not monthly patches. We can simplify the management environment and reduce cost. It’s the path we must take to simplify and move quicker or be left behind. Because as my old friend Ben Franklin says, “If you’re finished changing, you’re finished.”
See you next year.