From captivating keynotes to impromptu coffee line chats to networking party hopping, there’s nothing like being together with thousands of industry peers for the RSA Conference. But while we missed the annual trek to San Francisco, this year’s all-virtual event held true to tradition, spotlighting the biggest trends shaping 2021, along with insights from some of the brightest minds in cybersecurity.
The 30th annual event’s theme of “Resilience” was woven across all 735 event talks, honoring three decades of industry accomplishments and celebrating the resilience CISOs, security leaders and their teams have demonstrated throughout this time of pandemic upheaval.
Source: RSA Conference
As CISOs and senior security leaders look ahead, this notion of resilience remains top-of-mind. They’re grappling with hard questions such as: “How must cybersecurity operations evolve to drive resilience in this new threat landscape?” “How can I keep cybersecurity at the forefront of business-level discussions, even after times of crisis have passed?” And, “How can cybersecurity become a transformation-enabler that’s directly linked to business success?”
As we reflect on the innovation, research and education coming out of RSA 2021, seven key themes stood out to us. All will play a role in shaping the evolving — and expanding — role of the resilient CISO.
1. The Way We Work, Reimagined
The global pandemic has been the largest test yet for the future of distributed work. Remote workers have proven to be incredibly resilient as they continue to rise to the challenge of blending home and work lives. Now, as many regions of the world come out of lockdown, CISOs have a unique opportunity to provide strategic direction for sustained remote and hybrid work models — moving from legacy approaches and implementing new digital security strategies and user-friendly tools and policies that empower workers (wherever they may be).
2. Zero Trust is the Way… But One Size Does Not Fit All
There’s broad consensus around the value of Zero Trust. In fact, we lost count of how many times it came up during the conference. The complexity of today’s cybersecurity challenges demands a “trust nothing, verify everything” approach that repositions the security perimeter around individual identities.
But Zero Trust isn’t a one-size-fits-all kind of thing. The best way for CISOs to get started is to identify the organization’s greatest security risks — address them first, then extend controls to new areas over time. Equally important is mapping the change management journey and working with IT and end-users to understand and adopt this new mindset.
3. Think Like an Attacker to Minimize Attack Impact
Attackers are constantly innovating. We saw many examples of this throughout the conference — from SolarWinds CEO Sudhakar Ramakrishna’s presentation to our own CyberArk Labs teams’ demonstrations of Kubernetes cluster attacks, biohacks and SSO compromise. By “assuming breach,” the question becomes, are you protected even if you’ve already been attacked? That’s where an attacker’s mindset can give CISOs the edge they need to stay one step ahead. By assuming that any identity in the network has already compromised, security teams can anticipate an attacker’s next move, minimize impact and stop threats before they reach valuable assets and cause harm.
4. Retrospectives Build Resilience
The SolarWinds digital supply chain attack prompted many CISOs to re-analyze current risk tolerance levels, cybersecurity and risk management efforts, areas of ongoing vulnerability, supply chain partner practices and more. It’s also the time, presenters urged, to update your incident response strategy, using frameworks like NIST as a guide. If your organization is attacked, use retrospectives to learn, further optimize your incident response strategy and build resilience. For example, “How were we compromised or breached?” becomes “How can we stop it next time?” (i.e., block lateral movement) — And “Why didn’t we realize this was happening?” becomes “How can we improve MITRE ATT&CK coverage?”
5. A Job Requirement: Fluency in the “Language of Business”
Recent headline-grabbing attacks have made cybersecurity a regular boardroom discussion and business imperative. It’s the CISO’s job to make sure it stays front and center, even when news cycles quiet down.
It’s critical to have the capability to quantify risk (and resulting mitigation actions) in terms of dollars and cents, demonstrate how the cybersecurity program will drive business — and directly link key initiatives to business objectives. Industry frameworks like Factor Analysis of Information Risk (FAIR) can help CISOs “demystify” cybersecurity and bridge communication gaps with Boards and executive management.
6. Communication Matters. A Lot.
But it doesn’t end with Board discussions. Today’s CISO must be able to effectively articulate cybersecurity’s value proposition to customers, partners and internal stakeholders too. With digital supply chain attacks under the microscope, the need to build trust through transparency has never been greater. This takes a special mix of both hard and soft communications skills — the power of empathetic communication cannot be overstated.
The good news is CISOs don’t have to shoulder the burden themselves. By actively collaborating with IT security teams, CISOs can strengthen their message to various audiences and break down siloes. And increasingly, organizations are bringing on Business Information Security Officers (BISOs) to help translate the security agenda and make sure security objectives are treated as business requirements.
7. The New Heroes of Digital Transformation
CISOs and security leaders must become strategic advisors from the onset of digital transformation initiatives. Doing so enables innovation to move faster with greater protections in place. For that to happen, however, they must proactively embrace an advisory position, giving guidance and strategy to key stakeholders from the start. To that end, CISOs should seek partners (both within the organization and through outside public and private partnerships) that will boost their advisory capacity, facilitate information sharing and accelerate the shift to the next stage of cyber resiliency.
One of our favorite moments from this year’s RSA Conference was the closing keynote, featuring special guest Steve Wozniak. In this time of turbulence, he encouraged CISOs and security leaders to focus on the bright side of resilience — one of innovation and reinvention. In this spirit, until we meet again in San Francisco in person, let’s learn, evolve and build resilience to, as the RSA team put it, “protect the people and organizations that rely on us as their advocates. We will do more than survive. We will thrive.”