CSA Summit Panelists Talk Disruptive Technologies at RSA19
At RSAC19, the Cloud Security Alliance hosted a discussion titled “The Approaching Decade of Disruptive Technologies,” featuring security leaders from Duo, Centrify, and Onapsis, as well as Okta’s own Executive Director of Cybersecurity Strategy, Marc Rogers. IOActive CEO Jennifer Steffens led the session, which set out to discuss which disruptive technologies are expected to impact security in the next 10 years.
For me, one of the most interesting aspects of the session was not how these “disruptive technologies” are going to impact security in the coming years, but rather which ones were perceived by our panelists as marketing buzzwords rather than legitimate points of interest.
“By definition, disruptive technologies replace or make something else irrelevant,” said Wendy Nather, Head of Advisory CISOs, Duo Security, now part of Cisco. “Have we made something unnecessary or are we just layering security spackle and not really disrupting the industry yet?”
In this post, I’ll talk about some of the “disruptive technologies” discussed in this session, and call out some of the opinions our panelists had on each.
The problem with buzzwords
“Who’s already tired of hearing about Zero Trust?” asked Nather, at the start of the conversation about Zero Trust security.
“I’m not horribly against the term ‘Zero Trust’,” said Marc Rogers of Okta. “I’m just cautious about buzzwords in general. Many buzzwords are adopted within our industry for marketing purposes and don’t lead to anything that’s actually actionable.”
“The biggest risk with buzzwords,” he added, “is that everyone is using them, and the original intent of the word gets lost over time. There is no way to measure to what extent a buzzword is actually still associated with its original meaning. One company saying they offer ‘X buzzword’ could be delivering something completely different from another organization that offers the same thing.”
We’ve all rolled our eyes at marketing jargon or corporate lingo such as “enhanced business agility” and “synergistic solutions,” but that doesn’t mean that we should discredit the actual concepts behind buzzwords (at least, not all the time).
Now that that’s out of the way…
Is “Zero Trust” here to stay?
“The Zero Trust model is actually real and actionable,” said Rogers. “It makes practical sense. Now that mobile is becoming such a place for identity, the perimeter is becoming people. Zero Trust is probably the most BYOD-friendly movement out there.”
Nather added that trust is neither binary nor permanent, and that she doesn’t necessarily believe the perimeter is dead or gone. “The perimeter is anyplace you make an access control decision, and therefore the ‘perimeter’ can be on different layers of the stack.”
Key Takeaway: As the workforce continues to expand further outside of the perimeter with mobile employees, contractors, and partners requiring access to an ever-expanding catalog of apps and tools, we should expect the elements of Zero Trust to become increasingly pervasive—even if the phrase “Zero Trust” eventually fades out of relevance.
Does the Internet of Things really leave us vulnerable to new threats?
“IoT has revolutionized the way we use technology, and is now in the hands of people from around the world,” said Rogers. “Sadly the biggest challenge here is that we’ve been forgetting what we’ve learned over the last 30 years.
“As we connect different industries to the internet, we need to remember they should not be siloed. They all need the same security treatments to keep their use safe. Rule one should be not to assume your industry is different. If you’re going to enhance it with technologies used elsewhere, there’s no point in reinventing the wheel.”
Key Takeaway: As IoT becomes more ubiquitous, the creators of these products should avoid assuming that their industry is not vulnerable to cyber threats. Rather, they should learn from adjacent industries to ensure that they are addressing vulnerabilities without starting from scratch.
Will Artificial Intelligence really be at the forefront of the next security revolution?
Perhaps less than you might think.
“At its core, Artificial Intelligence is just a way to automate human operations in a faster, more intelligent way,” said Rogers.
“What this means is in its current form, AI is fantastic for scaling automation of human-solvable problems in an intelligent way. Preventing and responding to attacks up until this point has mostly been based on the speed at which humans can act, and I expect that to be the case in the immediate future as well. This is great for security because it means we can let AI handle much of the low-hanging fruit, freeing resources to focus on tougher problems.
“However, it also means that AI is not the silver bullet to solve previously unknown or complex problems just yet. Today, it needs data and human guidance to know how to recognise problems people can teach it. I.e., the ones we already know. But tomorrow AI has the potential of being truly transformative, so long as we can overcome its innate challenges such as complexity, opaqueness and vulnerability to bad data.”
Key Takeaway: AI may not be the golden goose for the immediate future of cybersecurity, but it will be great for automating lower-effort processes at scale. It does have the potential to be “truly transformative” in the long run, so long as its weaknesses can be addressed.