As the RSA Conference continues to grow, I saw two ends of the spectrum related to solving security problems. At one end is a software provider, Autodesk, which is figuring out how to provide security while they adopt cloud computing, SaaS, open source, and CI/CD methods. At the other end were the challenges of the US Federal government in delivering cybersecurity in an always connected world.
In the useful talk presented by Autodesk's Tony Arous, Head of Application Security, and Reeny Sondhi, Chief of Product Security, titled "Rethinking Product Security: Cloud Demands a New Way," we learned that issues related to areas as disparate as corporate culture, the move to using open source, and CI/CD methodologies to deploy software in a cloud combine to create new security challenges. You are no longer delivering shrink-wrapped software that goes through an old-school waterfall methodology where you have plenty of time to gather and specify requirements, test out security, run beta tests, and gain confidence that the product is secure. Instead, you incorporate pieces of open source, and deliver continuously to a cloud SaaS model, forcing you to rethink all aspects of how to provide security. The talk is too long to summarize here, but the takeaway is that you need to look at everything -- starting from technology all the way to company culture -- to make sure that old methods do not impede the adoption of new software development and delivery methods. Even though Autodesk is a software provider, all firms that develop cloud software, including enterprises creating internal apps, ought to heed their lessons. I hope they share their lessons for all to read.
At the other end of the spectrum was a forum titled "Modern Policymaking in a Hyper-Connected World," a panel moderated by Michael Daniel, Former Special Assistant to the President, Cybersecurity Coordinator; with panelists Adam Hickey, Deputy Assistant Attorney General (DAAG), National Asset Protection, US Department of Justice; and Jeanette Manfra, Acting Deputy Under Secretary, Office of Cybersecurity and Communications (CS&C), National Protection and Programs Directorate (NPPD), Department of Homeland Security (DHS).
These departments have the challenge of moving a large organization to the modern age, recognizing that their assets and processes are traditionally slow moving, with legacy requirements and internal oversight and responsibilities. But they can't hide in a box and move slowly. Society demands immediate action (often in response to world events), adaptation to fast rates of innovation, and ultimately delivery on the government's responsibility to provide frameworks that guide other departments as well as private industry.
There is a tremendous tension between providing security while ensuring the freedom that the citizens of the United States expect. I am in no way saying that they are shying away from the problem, as you would expect from a cliched view of a government bureaucracy. I recognize that they have a completely different set of challenges than a SaaS vendor such as Autodesk has. The issues are more complex and they are doing some thankless work to deliver change. Almost all aspects of the government are connected via networking and are therefore increasingly vulnerable, but you can't just reduce connectivity to ensure security, as we all demand easy access to information and services.
The key item is adhering to the set of policies and conventions that cannot be changed at a moment's notice. Enterprises too can learn from this, as compliance and regulations also govern enterprise behavior. Understanding and respecting the challenges these departments face will give pause to enterprises that think they have a complex task to secure their retail stores, on-line banking or medical systems.
Understanding the requirements that these departments face will give us pause: some of the commercial enterprises' challenges are minor in the grand scheme of things related to national security, and obviously the stakes are higher.
I wish there was more representation from the current administration and their views on cybersecurity. Prior years' RSA conferences had good representation from various federal agencies, such as Attorney General Loretta E. Lynch or Secretary Jeh Johnson, Department of Homeland Security, both from President Obama's administration. Given the current cybersecurity climate, it would have been nice to hear how the current administration views this topic, such as someone from cybersecurity adviser Giuliani's office.