Ah, RSAC 2017. Into the bowels of Moscone, I dove. Submerged in a calliopean frenzy of schwag hawkers and “where the world talks security” messaging. From the Marvel-esque call to “Be a hero!” to the more existential reminder that “Every moment counts!” I found myself drowning in a sea of Secure! Protect! Defend!
From shiny object to shiny object, I waded. What’s new? What’s different? What’s the word?
The word, the buzz definitely centered around artificial intelligence (AI). But with so much focus on its potential to alleviate the current woes of not enough time or pros to combat a growing number of cyber aggressors using more and more diversified and automated attacks, it started to remind me of, years ago, when my friends would advise me to stop dating “potential.”
Potential isn’t something that can get you very far in the near term—if ever—so in my search for the magical security nostrum du jour, I decided to put aside thoughts of AI and its potential. And that’s when I discovered the true gospel of the conference. In a world where we recognize security shortcomings—too much data, too little time, too many bad guys, too few good guys—it’s increasingly critical to not forget the basics of defense.
A, B, C Before D, E, F
On the odd occasion, I look for ways to relate work lessons to life lessons—for me, almost always to do with horses. And this time, my horse Arty came to mind. He was “born” to piaffe, passage, prance like a prima ballerina. Unfortunately, because of his innate talent, he was pushed a bit too far too fast as a youngster; and the basics were neglected. A trainer once said to me, “He knows D, E, F, but not A, B, C.”
Like AI, upper-level dressage movements are sexy. (No, really, they are.) But for them to even be possible—and correct—requires a commitment to building a solid A, B, C foundation. Sure, to analogize cybersecurity to dressage may seem a stretch. But, when you think about it, both require quotidian diligence. Both are fundamental to good health. And both require a helluva lot of time and money.
In cybersecurity, basic hygiene is a must. You can’t neglect proper testing, patching, encryption, segmentation, visibility, etc. You could implement every eye-catching security tool on the market, but without good, clean hygiene and the ability to deliver tools the right data at the right time, they’ll never shine their brightest. In short, you can’t go wrong investing time, energy, and capital in the basics.
No Wine (or AI) Before Its Time
For anyone who remembers Orson Welles slinging the Paul Masson winery slogan . . . To push for something, like AI, before it’s ready could be a mistake. No doubt, you can still strive toward the promise of AI to aid with detection, prediction, and action, but in the meanwhile, get the most out of what you have before trying to overcomplicate an already hyper complex system.
Give the great pros and products you have in place today the best chance of doing their jobs. Enable them with as broad a view into data as possible (across physical, virtual, cloud infrastructures), but a view that is relevant to their purpose. That way, when AI’s time comes—and it will—it will be all the more effective and successful at Securing! Protecting! Defending!