Two Sides of Security: An RSA Conference 2019 Retrospective

A look back at RSA Conference 20192

The 2019 RSA Conference was held in San Francisco on March 4-8. This is one of the best-known security conferences in the world, with researchers and vendors coming from all over to learn about the latest and greatest in security and sell their products.

This year, I attended the conference and hosted a session on how to do cybersecurity awareness training without the FUD (fear uncertainty, and doubt) and gave a talk about the overlaps in Cybersecurity and Hospital Infection Control with Mariam Salas of the University of New Mexico.

For the rest of the week, I attended several different sessions on a variety of topics and explored the Expo floor of the conference.

This year’s RSA conference seemed like the meeting of two completely different worlds. On the Expo floor (and in some of the talks), you had the technical side of security. In many of the talks that I attended, the focus was on human security. With both in one place, it was obvious to see how different they are.

The Cybermaniacs own Howard Poston headshot

The Technical Side Of Security

On the Expo floor of the RSA Conference, there was a carnival atmosphere. Vendors with booths handed out free drinks and swag. There were even buskers with microphones proclaiming the virtues of their product and how it could solve all of your cybersecurity problems.

Many booths offered demos and some even had arcade games to lure visitors over. The goal was always to scan your badge so that they could add your email or phone number to their contact list for future sales calls.

“On the technical side, it seemed like cybersecurity was a solved problem based upon a visit to the Expo floor.”

With half an hour and a sufficient security budget, you could have your pick of the vendors in every field, building up a cybersecurity strategy and purchasing the necessary tools, technologies, and services from nothing with little or no effort.

The Human Side of Security

Attending the human-focused talks at the RSA Conference gave me a very different perspective. None of the speakers or facilitators believed that they had the security problem “solved”. In fact, some of the sessions began with the facilitator saying just that: if you’re coming here looking for a solution, you’re going to be disappointed.

The hard part of security is the fact that it’s not just technology. With technology, fixes are pretty easy. You find the problem, build a solution, and deploy it across the organization in a matter of hours.

With humans, you need to coax, nudge, and outright bribe them into doing the “right thing” because being secure is generally hard and humans are lazy. Most social engineering awareness training can be summarized as “slow down and think it through”.

With the tens or hundreds of emails that you receive every day, thinking it through can be a significant time investment. The perceived payoff is less than the cost, so people keep on doing what they’re doing and remain insecure.

Si of Cybermaniacs cheering and holding glasses

Improving the human side of security

The obvious answer to an organization’s human threat surface is cybersecurity awareness training. Logically, if we provide someone with all of the necessary data, and they make purely logical decisions, the problem is solved. Training following these principles has been around for ages. The problem with traditional cybersecurity awareness training is that it’s awful.

Studies have shown that people make bad decisions when scared and try to avoid thinking of scary things. So what do we do? Scare them with cyber.

Mo of Cybermaniacs' head superimposed on a scary body

Research also tells us that humans can only retain about 7 pieces of new information in one sitting. And the suggested solution is to give an hour-long PowerPoint with tens or hundreds of new facts and figures for the employee to memorize.