Two Sides of Security: An RSA Conference 2019 Retrospective

A look back at RSA Conference 2019

The 2019 RSA Conference was held in San Francisco on March 4-8.  This is one of the best-known security conferences in the world, with researchers and vendors coming from all over to learn about the latest and greatest in security and sell their products.

This year, I attended the conference and hosted a session on how to do cybersecurity awareness training without the FUD (fear, uncertainty, and doubt), and gave a talk about the overlaps between cybersecurity and hospital infection control with Mariam Salas of the University of New Mexico.

For the rest of the week, I attended several different sessions on a variety of topics and explored the Expo floor of the conference.

This year’s RSA conference seemed like the meeting of two completely different worlds. On the Expo floor (and in some of the talks), you had the technical side of security. In many of the talks that I attended, the focus was on human security. With both in one place, the difference between them was obvious.

The Technical Side Of Security

On the Expo floor of the RSA Conference, there was a carnival atmosphere.  Vendors with booths handed out free drinks and swag. There were even buskers with microphones proclaiming the virtues of their product and how it could solve all of your cybersecurity problems.

Many booths offered demos and some even had arcade games to lure visitors over. The goal was always to scan your badge so that they could add your email or phone number to their contact list for future sales calls.

“On the technical side, it seemed like cybersecurity was a solved problem based upon a visit to the Expo floor.”

With half an hour and a sufficient security budget, you could have your pick of the vendors in every field, building up a cybersecurity strategy and purchasing the necessary tools, technologies, and services from nothing with little or no effort.

The Human Side of Security

Attending the human-focused talks at the RSA Conference gave me a very different perspective.  None of the speakers or facilitators believed that they had the security problem “solved”. Some of the sessions began with the facilitator saying just that: if you’re coming here looking for a solution, you’re going to be disappointed.

The hard part of security is the fact that it’s not just technology.  With technology, fixes are pretty easy. You find the problem, build a solution, and deploy it across the organization in a matter of hours.

With humans, you need to coax, nudge, and outright bribe them into doing the “right thing” because being secure is generally hard and humans are lazy.  Most social engineering awareness training can be summarized as “slow down and think it through”.

With the tens or hundreds of emails that you receive every day, thinking it through can be a significant time investment.  The perceived payoff is less than the cost, so people keep on doing what they’re doing and remain insecure.

Improving the human side of security

The obvious answer to an organization’s human threat surface is cybersecurity awareness training.  Logically, if we provide someone with all of the necessary data, and they make purely logical decisions, the problem is solved.  Training following these principles has been around for ages. The problem with traditional cybersecurity awareness training is that it’s awful.

Studies have shown that people make bad decisions when scared and try to avoid thinking of scary things.  So what do we do? Scare them with cyber.

Research also tells us that humans can only retain about 7 pieces of new information in one sitting.  And the suggested solution is to give an hour-long PowerPoint with tens or hundreds of new facts and figures for the employee to memorize.

“Traditional cybersecurity awareness training doesn’t work.”

Until training aligns with best practices, taking advantage of what we know about the human brain to optimize retention, it will continue to fail.

This is a core message here at the Cybermaniacs and was echoed throughout the human security sessions at RSAC 2019.

However, until this theory stops being “cutting edge” and becomes commonplace, the human side will remain enterprises’ biggest security weakness.
