What We Learned at RSAC 2024
Written by: Jeffrey Wheatman
RSA has become one of North America’s biggest and most visible cybersecurity conferences. Hundreds of sessions cover the gamut, from deep technical discussions to high-level panels on topics like enterprise risk management.
I’ve attended the last three RSA conferences. In addition to the sessions, I get to roam the exhibitor floor and learn about trends in myriad markets and submarkets within the cybersecurity realm. It also gives me an opportunity to see friends, colleagues, and OG leaders in cybersecurity.
I attended RSA this year with a handful of Black Kite employees to listen, discuss, and learn. In the spirit of collaboration, here are my biggest takeaways and action items from the sessions I attended.
Session: What Hacking the Planet Taught Us About Defending Supply Chain Attacks
Speakers: Douglas McKee, Executive Director of Threat Research at SonicWall and SANS Instructor; Ismael Valenzuela, VP of Threat Research & Intelligence, Cybersecurity Business Unit at BlackBerry, SANS Senior Instructor.
What it was about: Douglas and Ismael posit that, based on their experiences, there’s a better way to defend against software supply chain attacks within organizations.
- Theories are lovely but need to be supported by realistic and practical applications.
- When looking at stuff already deployed in your network, CISA says: 1) Look at products that require privileged access; 2) Look at products that require lots of phone home capabilities. NIST SCRM process is a great starting point.
Action items
- Short-term: Identify and prioritize critical assets, and threat model those critical assets.
- Medium-term: Plan for security testing on existing critical assets and define a plan for new critical assets.
- Long-term: Test critical assets and update threat models and product-specific plans.
My take: Software and hardware supply chain risks aren’t new but are growing in importance.
The risks within software and hardware (and, in the future, AI) are a mix of new and old, abstract and straightforward, and basic and advanced. In any case, they are dangerous; cybersecurity practitioners must work more closely with traditional supply chain teams, vendors and partners, and internal legal, compliance, and audit stakeholders to assess and treat these risks.
Session: Your Cybersecurity Budget Is a Horse’s Behind
Speakers: Ira Winkler, CISO at CYE Security
What it was about: How to apply machine learning and other math-based concepts to justify budget allocation, optimize risk, and design effective cybersecurity programs with limited resources.
- The process for modern budgeting is broken: Most budgets follow a formula based on what was spent last year, whether we can get more, what you actually want, and whether this exceeds the accepted percentage of the IT budget. As a result, we’re working off budgets that were defined a decade ago.
- CISOs must be more business-oriented and link budgets to organizational goals and values. You need to use numbers to support your gut instincts when making decisions.
- Most organizations can’t mitigate threats, so focus on vulnerabilities. You can spend all the money and try to eliminate all the threats, which isn’t wise, or you can find the balance: invest just enough to offset the most dangerous vulnerabilities.
- The biggest issue is: What vulnerabilities are in the critical attack path, and what are the choke points? In other words, can we implement countermeasures that would short-circuit more than one threat vector?
Action items
- Short-term: Understand the budgeting process and how your board defines delta.
- Medium-term: If you can, conduct an ROI analysis. Evaluate CRQ (cyber risk quantification) and its place in your program.
- Long-term: Consider building math models and look for opportunities to drop redundant countermeasures.
My take: Security budgeting should be determined based on the current risk landscape — not as an incremental multiplier over previous budgets.
Ira made some great points about the failure of current budgeting approaches. This is a case of doing things “because we’ve always done it this way.” There is a better way! Instead of focusing on what we have done in the past, let’s focus on our risk landscape and getting the most bang for the investment. And, finally, let’s budget based on risk and not on threat.
Session: Gartner’s Top Predictions for Cybersecurity 2023-2024
Speakers: Leigh McMullen, Distinguished Vice President, Analyst and Gartner Fellow in Gartner’s CISO, Security & Risk Management team.
What it was about: This was a lighthearted session covering Gartner’s predictions on human factors and generative AI colliding within cybersecurity.
- Privacy regulations keep coming, but only a few organizations will seize the opportunity to use privacy as a competitive advantage. This seems weird to me; you’re already doing privacy, so why not tell your customers what you are doing? Possible ka-ching missed!
- Stress will force more CISOs to leave their jobs — or the industry altogether. This is a problem we can’t afford to ignore. Organizations must do a better job of reining in the dangers of leaving CISOs hanging in the breeze when budgets are cut and layoffs abound.
- Over the next two years, more than half of boards will include a cyber expert. This one isn’t new, but I also think it’s wrong. We have been discussing this for a while now, and it isn’t happening as we want. Board seats are expensive: between pay, T&E, and stock, a board seat can cost companies well into the seven figures. In other words, I don’t think we will see too many CISOs popping up on boards. I think this prediction is too soon and off base.
- Shadow IT is on track to get worse, in part due to generative AI. GenAI, easy access to the cloud, and the explosion of attack surface, data, and application creation will continue to be democratized, and they will create risk exposures well beyond what we’ve ever seen. The response here had better be flexible, dynamic, and automated. No more onerous and draconian controls; we need to educate and empower our people. We are all looking toward the same end game: hitting business goals and objectives while maintaining risk programs that keep us from too many exposures.
My take: Cybersecurity and risk leaders need to prepare for disruption — not just from the outside.
Cyber and IT risk leaders must be prepared. Focus on projects and program initiatives that support resilience and performance and balance the two. We will never be able to catch our breath. Include forward-looking forecasts, predictions, and prognostication in strategic planning and tactical implementation to respond no matter what the world throws at us.
Session: Techniques to Evolve Risk Governance and Comply with the SEC Cybersecurity Rule
Speakers: Jim Mirochnik, CEO and a Senior Partner at HALOCK Security Labs
What it was about: This was a fun and informative session on a serious topic: why we need better governance in cybersecurity.
- NIST CSF 2.0, PCI-DSS 4.0, and the new SEC Cyber reporting rule all require better governance. However, how do we do this when our businesses also want to reach other competing goals and objectives?
- The industry has undergone several shifts in thinking that make better governance critical. These include a shift from technical to business discussions with executives, looking beyond one’s own company to one’s ecosystem, shifting from little to no accountability to applied ownership and accountability, etc.
- At this point, companies must skip from “governance 1.0” to “governance 2.0.” To establish risk governance 2.0, companies must do the following: 1) Determine if your program is legally defensible; 2) Define a “clear line of acceptable risk”; 3) Define the “total known risk” to your organization; 4) Create a roadmap that reduces risk to an acceptable level; 5) Justify budget requests in business terms.
My take: Governance isn’t new, it isn’t sexy, and it isn’t easy. But if it isn’t happening, your program will struggle, and you will fall afoul of regulators!
A cybersecurity program built without governance structures is destined to struggle. A lack of clarity on ownership and accountability leads to poor decisions, or worse, no decisions at all. Poor governance leads to issues such as insufficient funding, investing in the wrong technology, protecting the wrong things, the wrong people making decisions, an inability to adapt to change, and — don’t forget — punitive issues such as fines, prison, or worse.
Session: Navigating Third-Party Risk in OT Environments
Speakers: Christopher Walcutt, CSO at DirectDefense
What it was about: This session dove into why remote access for real-time troubleshooting is a security red flag.
- Do not allow whatever remote access your vendor says you must enable. Build new contracts and renegotiate existing contracts to include this. Otherwise, contracts lack owner protection, hampering real-time control.
- Patching and vulnerability management are huge challenges in the OT environment. Know your vendors, and be wary of patching cadences and scanning.
- The procurement process is your friend.
Action items:
- What to do now: Control remote access, follow least privilege, renegotiate contracts, practice better communication, talk to your vendors.
- What to do later: Segment the network to provide better visibility, create a baseline so you know what normal looks like, recognize that partners are key, and build new processes, procedures, and protocols.
My take: For many a year, OT and IT convergence was a myth, but not anymore!
OT security has been based on security by obscurity. With the rapid convergence of OT and IT, consumerization dumping consumer-grade devices into corporate networks, and the democratization of cloud and AI, CISOs and their teams need to be ever-vigilant about managing the security of OT devices—whether they are old and have been there forever or new and recently added.
Session: You Can’t Measure Risk
Speakers: Andy Ellis, Advisory CISO at Orca Security
What it was about: In this session, Andy dives into using qualitative and quantitative measures to help your company make wiser risk choices.
- There are three reasons to measure risk: To compare, communicate, or change it.
- When talking about risk, create a story or scenario based on the following: a hazard, a loss, an adversary, and the environment.
- The challenge lies in aggregating risks. We can’t just add them together.
Action items:
- Examine your measures: Know what you are measuring and how much it costs to measure it.
- Know your audience: Give your audience what they ask for, don’t overexert, and make sure you’re on the same page with terms and definitions.
My take: You can measure risk, but it requires a common language and taxonomy.
First thing, Andy is awesome. His reputation is stellar in our industry, and he is a true thought leader. That said, I jumped into this session, ready to run up on stage and tell Andy how wrong he was. However, my discomfort with the title was based on a misalignment of terminology. Andy talked about old-school risk calculations, aka “Likelihood * Impact = Risk,” whereas I was thinking about financial impact and operational risk. I agree 100% with Andy concerning the old approach: all it does is layer quantitative scores on top of qualitative measures. I know we can measure risk in financial terms — we do it at Black Kite all the time via our implementation of OpenFAIR.
Let’s Keep the Spirit of Collaboration Alive
Did we miss each other at the RSA cybersecurity conference this year? Feel free to reach out to me on LinkedIn. I’m always happy to chat about cyber and IT risk management, executive communication strategies, strategic planning, and great movies. Speaking of which, check out my latest episode of Risks & Reels, where I chat with cyber experts about the latest and greatest in cybersecurity and film.