Security Leaders Call For A 'Dream Team' And Highlight The Need For Increased Industry Collaboration At RSA 2017
Threats are increasing and, more than ever before, the security industry needs to come together if it hopes to get ahead of attackers, top security leaders said Tuesday at the 2017 RSA Conference in San Francisco, Calif.
"We are far away from declaring victory. We are going to need to do more and we are going to need to do more together if we are going to address this problem effectively," Brad Smith, Microsoft president and chief legal officer, said. "The time has come for us to come together."
Intel Security Senior Vice President and General Manager Chris Young compared what needs to happen in the security industry to the 1992 Olympic Men's Basketball team, where basketball superstars, including Magic Johnson, Larry Bird and Michael Jordan, had to put their previous competition aside for a broader goal of a U.S. gold medal.
"None of us can go it alone. We must work together as an industry," Young said. "They knew they could only win if they saw themselves as a small part of a much, much larger effort. There was no room for stars … We need our own 'Dream Team' in the cybersecurity industry. Working together, we are that team," he said.
That's a shift that has already started to come together in some ways, Young said. He cited examples of the "No More Ransom" website, which was formed through industry collaboration and helps victims of ransomware recover lost information, as well as the Cyber Threat Alliance, which was officially established this week by the top (and very competitive) leaders in technology, including Intel Security, Fortinet, Palo Alto Networks, Symantec, Cisco and Check Point Software Technologies.
Microsoft's Smith said there are three areas where security companies can step up. First, he said security companies should start with themselves, making sure they are leveraging the power of data instead of just creating security features. Second, he said the security industry needs to call on the government to step up. He said the public sector should form an independent cybersecurity organization – a "Digital Geneva Convention" of sorts – to form rules around cybersecurity, including government agreements to not engage in attacks on the private sector, assistance to private sector response efforts, vulnerability reporting, restraint in cyber weapons development, commitment to nonproliferation and the limiting of offensive operations.
Finally, Smith said the security industry needs to act to do more collectively. To accomplish that, he said the security industry should pledge to not assist in offensive actions, collaborate in development, collaborate in remediation of attacks, make software patches available to all, have coordinated disclosure practices for vulnerabilities and provide support for international defensive efforts.
"It's great that we do so many things alone. But, we need to do more together," Smith said. "Even in an age of rising nationalism, we as a global technology sector need to become a trusted and neutral digital Switzerland … I think a sense of humility is a positive force that can infect and help us all."
That push for collaboration also extends to a need for the cybersecurity industry to reach across the aisle to other areas of business, RSA CTO Zulfikar Ramzan said. Ramzan said there is currently what he called a "gap of grief," where the business teams and security teams aren't aligned. However, he said as security becomes more of a business problem, these two sides need to come together under an approach he called "business-driven security."
"We can't have security folks on one side and entrepreneurs on the other side … This isn’t a middle school dance. People can't be afraid to mingle," Ramzan said. "What ripple will you create to help your organization build a business-driven security strategy?"
Ramzan suggested security teams can take three steps to bridge that gap. First, he said security teams should treat risk as a science instead of a dark art, creating scenario analysis and risk frameworks to handle security risks. Second, he said security teams should simplify what they control, consolidating down the number of security vendors they work with and integrating them. Finally, he said security teams should plan for the event of a security incident, including forming an incident response plan, with budget and collaboration across all departments in an organization.
For solution providers, the push to bridge the gap between security vendors, as well as between security teams and business leaders, presents a significant opportunity, Accenture Security Global Managing Director Kelly Bissell said. He said companies are looking to consolidate the number of vendors they work with and integrate their solutions for a more effective security strategy.
"I see us as a super-aggregator of technology to solve the problem of security risk through the lens of that industry," Bissell said. "That’s how we think about it."
The ultimate goal, Intel Security's Young said, is to make the world safe for technology usage. He said little changes that the industry has already made, as well as pledging to further collaborate, will help it ultimately deliver more effective security for customers.
"Enemies are moving faster and scaling. We have to do the same thing. That’s the only way we’re going to make this work: if we come together and find our own ways to scale and move faster."