In her keynote at the RSA Conference this year, futurist and game designer Jane McGonigal said: any useful statement about the future should at first seem ridiculous. In the post-RSAC recovery period, I pondered the future trends in information security and built my own ridiculous statement regarding the future of information security:
In the future, information security will be easy.
We are still in the era where the security of information systems is complex, difficult, and expensive. Security is dominated with point solutions, few of which work together. Moreover, they all require immense amount of skill, experience, and (more importantly) discipline to provide security.
This is not working, and every breach in the past ten years is proof of that.
Security must become simple. It must be by default and by design. It cannot be an optional component. It also cannot be a checkbox that organizations use to silence partners or regulators.
Skeptical of this prediction? Let’s explore it. We can use the RSA Conference 2018 as a backdrop to explain how security is destined for the simplicity of by default, by design.
One of McGonigal’s other insights from RSA was that if you want to predict the future, you must look for signals. Those are indicators of the future. Reflecting on RSA, I observed three signals of this by default, by design future:
- The ridiculous expectations we place on security practitioners
- Decision makers are abandoning point solutions (and RSA for that matter)
- Impact of the cloud and automation
Let’s work this list backwards, since the third item on that list seems the most pervasive.
1. In the Clouds
Years ago, while working with AWS on a project, I had a realization: hardware is an impediment to security.
In the cloud, everything is code. There is no hardware, networks, or systems in the traditional sense. Everything is virtual. Systems are created, destroyed, scaled, and secured entirely mechanistically. This dramatically reduces the impact of the most destructive vulnerability in every compute environment ever built: humans.
Data breaches exist because of humans. A server does not wake up one day and decide arbitrarily to release its data. Whether it is bad code, weak permissions, or faulty encryption, everything stems from a person who makes a mistake.
Codifying systems allows for extensive automation. The cloud platform does all the work, based on code. When a new system is brought on-line, code installs the system, configures it, and secures it. People are largely uninvolved in the actions. These environments become secure by default and by design. There are no humans forgetting to set a password or opening up access. As long as the security configurations are written into the code, any systems that code creates are always secure.
Right now, we (and others) are building automated environments that do not require teams of security people to run. There are predominantly autonomous. People get to do the “fun work” of analysis, design, and monitoring.
Cloud automation allows organizations to deploy secure environments quickly that already have all the security controls and rights baked right into them. Furthermore, these environments are built with security guard rails. These are controls that force the environment to remain secure, even if people attempt to bypass or break the security controls. For example, if a user attempts to open public access to confidential data, the guard rails automatically disable that access and protect the data. No user intervention is necessary.
Today, many CIO/CISOs view the cloud as merely part of a security program. In the future, the cloud *is* your security program. Codified compute environments are immensely easier to manage, maintain, and secure. They simplify security, which in turn makes that security more reliable and consistent.
However, the cloud is not the only reason security will be simple in the future.
Among the numerous annoying things at RSA this year, the endlessly looping marketing videos in every booth were particularly grating. This are also a metaphor for the current state of information security products: repetitive sameness.
The security industry is stuck in a loop of hard-selling the same point solutions, that is products that solve one small problem, while completely ignoring the larger picture. So much of the landscape today is products desperately trying to convince us they are a “game changer” when they are really more of a “game re-arranger.” They merely move the problems around to somebody else.
This explains why leaders are abandoning point solutions in favor of either managed security or integrated “fabrics.” Multiple CISOs and CIOs I know commented that they are fed up with wrangling point solutions. One CIO commented: “It is the same message, over and over again: ‘buy this and you are secure.’ I am sick of silver bullets.”
Leaders are looking for something they can depend on. Something that simplifies their life, not adds more consoles, dashboards, alerts, and complexity. Each point solution requires yet another person to care and feed for the platform. And nobody can find enough people to manage these systems. This means all the claims from these products remain unfulfilled.
This leads to the last signal, the completely unrealistic expectations we place on people.
3. Reversed Roles
The insane focus on point solutions has reversed the natural order of humans and technology in security. Inside many organizations, people are doing the work of machines, while machines are expected to do all the thinking.
Consider the ludicrous expectations put on information security professionals at many organizations:
- Know every possible attack technique, vulnerability, and compliance requirement there ever was, ever will be, and ever could have been
- Never miss a single detail, issue, or attack
- Closely monitor every single detail from a sprawling, complex web of point-solutions
- Do all this in an environment where security talent is scarce and turn over is extreme
- And if there is a breach, you will be blamed for it and have your reputation destroyed
We setting up security teams to fail. We expect them to know everything and miss nothing. Which of course is impossible.
Consequently, leaders are elevating technology to wholly inappropriate levels of authority. Security technologies are sold to anxious leaders as “silver bullets” that will take care of everything. With disturbing regularity I hear leaders define their security program in the context of theira security product. It usually starts with some statement such as: “Well, we’re a Palo Alto shop so…”
The latest twist is “artificial intelligence” or “machine learning.” These technologies are being sold as literal replacements for IT and security employees.
Technology is still not a replacement for the intuition and creativity of humans. However, humans are no replacement for the speed or consistency of technology. This is partially why hackers always have an advantage. A human is infinitely more creative than any NGFW could ever hope to be.
If security is to ever become simple, the relationship of humans and security technology must revert back to a more classical arrangement: technology does the hard work, and humans do the fun work.
This means the technology must simplify the process of detecting, identifying, blocking, and reporting on attacks. It must work harmoniously and autonomously. People on the other hand should be behind the scenes asking the big questions, like why is this happening?
Automation and orchestration, especially when combined with the cloud, rearrange this relationship. When an environment is highly automated, it allows people to step back and focus on vision, design, and operations.
Future Mind Games
So, if we accept that information security in the future will be simple, what does information security look like in 2028?
McGonigal suggested using mind games to test out future predictions. I have one of these to help me predict the future called the Ten Year Lookback. Here is how it works.
- Think back to where you were ten years ago. What were you doing? What was important to you back then?
- Imagine, you can send yourself a message from 2018 back to 2008. What advice would the 2018 you give to the 2008 you?
- Now, project forward. What advice is the you of 2028 giving the you of 2018?
I find this to be an excellent meditation. It grounds me in all tenses of existence: past, present and future.
Let’s try this out on information security. Since the Internet forgets nothing, I went back and found this story about RSA 2008:
The biggest story of the RSA Conference 2008 meeting of security professionals yesterday (opening day) was Department of Homeland Security Secretary Michael Chertoff’s keynote address. He said that enhancing cybersecurity is a major focus for this year. He talked about a national cybersecurity initiative “that would be almost like a Manhattan Project to defend our cybernetworks.” He promoted a partnership between the federal government and businesses to fight cybercrime. He encouraged private enterprises to take advantage of what government has learned in its fight against cybercriminals and to send their “best and brightest” to work in government cybersecurity efforts.
Here we are 10 years later and the government is still promising public/private partnerships, yet delivering nothing of substance.
As such, my message from 2018 to 2008 might be:
Do not trust the government to do anything meaningful in information security. Focus on the fundamentals: patching, access control, security operations, and so forth. Make the technology do the work, so you can keep an eye on the big picture.
Now, let’s project forward. What is 2028 want to tell us about security in 2018? I believe the advice from 2028 might sound like this:
Do not trust the tech vendors. Focus on the fundamentals: patching, access control, security operations, and so forth. Make the cloud do all that work for you, so you can keep an eye on the big picture.”
It is time to evolve.
Now, here the bad news. This simple future means many of us security professionals will become obsolete. If you want to future proof your security career, learn cloud automation and coding. Stop fiddling with hacking techniques, compliance, and equipment. These are not skills that will be lucrative or in demand in 2028. The future security professionals are DevOps and SecOps people.
Information security, simple? When security is baked into everything, by default and by design – it is possible. Codifying compute environments also puts people and technology back in their rightful places. It makes the technology work for us, rather than us working for the technology.
This may sound ridiculous, but we are building this future right now.