In this six-part blog series, the RSAC editorial team highlights the six buzz topics featured at RSAC 2022. Each blog will highlight one of the most popular topics and trends seen within related sessions. Our fourth topic is security strategy & architecture.
Transforming Security through Design
J. Wolfgang Goerlich, Duo Advisory CISO at Cisco Secure
Coming in hot with some important numbers, Goerlich drops that 90% of breaches are caused by people. Most industrial accidents are caused by human errors. Estimates range from 75% to 95%. How are so many people incompetent? They aren’t. It’s a design problem!
Constrained users are creative, and creative users are dangerous. Security depends on how well the needs of people are met by the affordance of the security controls. If they don’t meet, people will creatively satisfy their own needs with their own affordances. Good security gets out of the way of users while getting in the way of adversaries.
The roadmap depends on where we are. Before: using the design approach for security architecture and planning. During: using the design approach as a part of an active security initiative. After: using the design approach to troubleshoot and address security problems is an ongoing business era.
What Actually Works in Security?
Wade Baker, Partner and Co-Founder at Cyentia Institute
Wendy Nather, Head of Advisory CISOs at Cisco
What does it take to actually make security work? Baker and Nather broke down the results from surveying industry professionals, and the answer is people, process, and tech—all of those are needed to make it work.
Is it better to insource or outscore SecOps? 75% of inhouse report success, while 89% who outsource reported success. Those who mix are least happy at just 56%. One interesting caveat is that internal teams work nearly twice as fast in terms of response (6.2 days on average vs. 13.3 days on average).
Does cyber threat intel raise our intelligence? Those who don’t use it feel good. Those who use it extensively feel good about it, but using some threat intelligence yielded the worst results in terms of satisfaction. It’s all or nothing. Ignorance is bliss, perhaps, in this instance.
BCDR performs best when run by security. You are not going to be successful until you are covering 80% of your systems and assets, Nather concluded.
Read all of the series: