Security professionals need to stop being snobs to solve the talent gap and improve problem-solving skills.
Actor and activist George Takei opened RSA 2020 with the message, “Homogeneity equals disaster,” and RSA president Rohit Ghai reinforced that message: “We need to stop being snobs and trade exclusivity for inclusion.” The discussion was in the RSA 2020 opening keynote on Tuesday, Feb. 25, at the Moscone Center in San Francisco.
Outside the main conference hall, a big tree with curving branches covered with small metal buttons that held one word each illustrated the many human elements in cybersecurity: defender, dreamer, hunter, hacker, builder, explorer, instigator, idealist.
Ghai made the call for diversity even clearer with a specific call to hire neurodiverse people. The term refers to the fact that each human brain has its own approach to social interactions, learning, attention, mood, and other mental functions. By looking beyond the traditional profile of a security expert, security teams can bring in new ways of approaching problems and improve their problem-solving skills.
“Unemployment is running as high as 80% in the neurodiverse talent pool,” he said. “We need to consider potential not just expertise when we hire.”
In addition to thinking more broadly about who can solve security problems, Ghai wants security professionals to change their own stories and stop thinking about security in terms of fighting a losing battle.
Ghai said the current story about cyber security is one that evokes pity for the burned-out, overworked security team and fear of the hackers, which is an oversimplified and incomplete view.
“All hackers are technical sorcerers, and we are hapless techies who solely focus on zero-day vulnerabilities and not the threats facing us right now,” he said.
He said security professionals can take advantage of the fact that there are more script kiddies than tech-savvy hackers at this point and that 71% of threat actors are financially motivated.
“The story we want is a business story of cyber resilience, not a tech story of cyber ping-pong,” he said.
Ghai called the sector’s hiring challenges a self-inflicted talent gap.
“We do an inordinate amount of prep for the most sophisticated threat vectors even though preparing for the worst does not prepare you for the likely,” he said.
Ghai also said that corporate boards, IT leaders, and risk officers need to be active participants in the security story, not watching from the sidelines.
How to change the security story to a winning one
To shift the current security story in the minds of professionals, business colleagues, and the public, Ghai recommended these three actions:
- Reclaim the narrative
- Reconfigure our defense
- Rethink our culture
“We are strong and silent types: This is going to be hard for us, but media has been telling our story based on the losses,” he said. “We need to share our wins and the losses of our adversary.”
He used the example of the recent ransomware attack in Atlanta. The city suffered downtime, but it did not pay the ransom.
“When we deny the attackers financial gain, they lose, so Atlanta did not win but the hackers lost,” he said.
The city also built a robust business continuity plan as a result of the attack, which was an eventual win, Ghai said.