I just had a heart-to-heart talk with a few thousand of my fellow security professionals at the RSA Conference. We had a lot to discuss. As I walked off the stage, I was thinking about all of the people in our industry who weren’t in attendance, and all those who aren’t in our industry, yet still should be aware. If you happen to be in either of these groups, you deserve to know what we talked about. Actually, it’s imperative that you know.
In past years, and even in some keynotes this year, the messages we hear have been too similar. Despite our efforts, we don’t seem to be gaining ground. Organizations continue to be vulnerable to devastating attacks. Adversaries penetrate our defenses and their total addressable market rises, costing businesses and individuals trillions of dollars each year. Executives are losing their jobs and board directors facing potential personal liability are demanding more.
We’re just not doing enough. It’s our job — not just us security professionals, but all of us — to upgrade the rule of law, measure efficacy, build security above everything, and change the game. What is it going to take to change this dramatically? I shudder at some of the thoughts that brings.
OK, that’s the bad news, but there’s also plenty of good news. Perhaps the best is this — we can do something; in fact, we can do many things. I feel the best place to begin is by envisioning the world we want, setting our intention, then getting after it.
First, imagine a world in which we’re always ahead — able to anticipate our adversaries’ attacks globally because we can see them quickly, know how best to counter them and have the tools to get it done. To do that, we need to look beyond what’s right in front of us, beyond just our own perspectives and approaches to see what others around the world are doing and the positive impact they are realizing.
We have to ask ourselves if the measures they are taking will bring value to our own environments. The answer, in many cases, is “yes.” I have had the opportunity to exchange ideas with security and government leaders all over the world and I can assure you that we can learn a lot from what they’re doing — their perspectives and approaches.
Now imagine a world where we have the best security teams ever because they were built on inclusion and diversity, and their combined differences, broader skills and perspectives, produce safer and more secure organizations. Considering that half of the world’s population is female, yet only 11 percent of cybersecurity professionals are women, just think of what we could accomplish if we tapped into the other 89 percent.
Our adversaries are male and female, different ethnicities, different social backgrounds, and different nationalities. That means they may have the advantage. We need to even that playing field to be safer, and there are numerous programs that can help to shift the balance to us if we only take action to make a difference.
We’re going to change that. The Cisco Cybersecurity Talent Initiative is aimed at developing the most diverse talent pipeline possible. Cisco Networking Academy is transforming today’s brightest minds into a formidable workforce across sexes, ethnicities, and nationalities. The Multiplier Effect Pledge is a differentiator, where industry leaders can disrupt the status quo by sponsoring extraordinary job candidates with diverse backgrounds and challenging their peers to follow suit.
Finally, imagine a world in which trust is more than just a word. Trust is one of those ephemeral words – you know when you have it, and you know when you don’t. The lack of trust is preventing us from reaching our goals.
Part of the honest discussion we’re having at RSA this week is that the very systems that we need to trust right now — the global financial systems, critical infrastructure like energy, water and transportation, the telecoms, etc. — are the ones being attacked. We need to bring trust back to those areas and maintain it. It’s all about knowing that we can trust what has been built, the companies that built it, and that they stand ready to care about the things we do, and that includes Cisco.
Our trusted partners must consider your security not only their job, but their mutual responsibility. We need to demand more from our security vendors. From a technical standpoint, we need to insist on secure development lifecycles and completely secure value chains for every element that goes into their products. At the business level, we need to insist on better relationships, greater transparency, and complete accountability when things are good and when they are not.
So where does this all leave us? We’re at a historical moment in time and have a significant decision to make. All of us. We can stay on the same track we’re on now and continue to get the same results, or we can commit to blazing a new, different path — one that makes an impact and nets positive results.
We need to do more and must start doing some things very differently.
This isn’t a government problem… this isn’t a company problem… this is a set of world problems – the safety and integrity of systems, the protection of data, protecting life, building safety and security in.
If you’re wondering how to do any of this, here are a few ideas: Know thyself and thy adversary. Measure the time it takes to detect an adversary in our environments and continuously work to lower it. Demand more from our technology. Demand more from our workforce. Demand more from our vendors, including for them to prove why they should earn our trust.
Don’t settle; get angry at the problems, gain resolve and go. Don’t feel stymied by not knowing how to take action, what to do or where to start. Refer to the webcast of my keynote where I share a number of ideas and do your part.
Every positive action we take matters. I can’t stress that enough, and each step is vital. Our collective actions will enable us to break this cycle and change the trend line. It will help us to deliver greater impact, leading to better results. It will prevent me from delivering the same keynote again next year. More importantly for you all, it will spare you from having to listen to it.
Security above everything.