ESG's Doug Cahill and Jon Oltsik discuss the increased adoption of automation and serverless functions, and the top themes for the upcoming RSA Conference 2020.
Doug: Hi, everybody. And happy New Year. Jon, we haven't done one of these for a while.
Jon: We have not, no.
Doug: Sort of.
Jon: Welcome back.
Doug: Welcome back.
Jon: Thank you.
Doug: Sort of "Car Talk" of "Security Talk."
Jon: The "Car Talk" of "Security Talk," I love it.
Doug: I'm not sure if I'm Click or Clack, but we'll find out as we get in.
Jon: Drive like my brother.
Doug: I love my wicked Boston accent. Hey, it being the beginning of 2020, I mean, we've already done our predictions. I like to think more of those as sort of things on the radar screen, but we've already published that. But again, it being the beginning of the year, I don't know, what's one thread you're going to pull on the most?
Jon: Well, I've got a lot of them, but I'll just...off the top of my head, automation. So we have talked about automation, and we've progressed there, but I think we're about to hit a real curve in our progression there. I'm seeing best practices. I'm seeing people hiring automation managers for security.
Doug: Oh, interesting.
Jon: And then the tools are starting to mature too. So I think it's a big trend for 2020.
Doug: I feel like automation requires a level of comfort, certainly in IT, but in a certain way in cybersecurity, that the team has to sort of let control go to a third-party product that is actually going to take action on their behalf.
Jon: Well, I think it's more...it's the process. So you have to make sure that the process is very sound. And then, if you know all the steps, then the tool is going to help you automate. But it's really the processes that we haven't really formalized in the past.
Doug: Yeah. And obviously an audit trail to make sure you can...checks and balances to make sure what you intended to happen did in fact happen.
Jon: Yeah. You need that for auditing purposes, for compliance purposes. But enough about me, Doug. What do you see in 2020?
Doug: Well, like you, I mean, there's a lot to think about and talk about over the course of the year. But an area I'm really interested in and I think is going to be front and center is around how the adoption of serverless functions, which is really coming on at least as strong as containers, probably faster, really. Our research is showing that, you know, those organizations that are already consuming containers are far down the path on consuming serverless functions, sort of as part of their cloud-native application architecture.
I think it's a catalyst around just broader use of APIs and API security. And so, sort of first things first is really understanding how that impacts our threat model, right, so what are the API vulnerabilities? So I think cyber pros or certain developers need to understand, "Okay, now we're working to increase our use of serverless." I don't have somewhere where I can actually sort of plug something in, right?
I certainly can't do it on my network. I can't plug it in on the agent. By definition, a serverless function is running on a server the CSP is operating. So you're going to have to understand your threat model. And also, it's full lifecycle, right. You want to have some controls at dev-time. So you're doing an inventory of your APIs, but also some runtime controls.
And that's where we're seeing an increase in technologies like runtime application self-protection.
Jon: It's another example of the developers kind of going their own way for the good of their development cycles, for the good of, you know, business logic and functionality, and leaving the security people behind. And we need to bridge that gap.
Doug: Totally. Hey, early 2020 also means RSA Conference is around the corner.
Jon: Yeah, RSA 2020. It's probably my, like 15th, 16th time at RSA.
Doug: Wow. I'm around a dozen, maybe 10, so.
Doug: I know. Hey, so one of the interesting things about RSA this year in terms of the content of the conference is that the RSA Conference committee, those folks who are looking at the speaking abstracts, shared the top 10 speaking abstract themes. In fact, the number one speaking abstract theme for RSA Conference 2020 was the human element, and also included in the list was professional and workforce development.
Doug: So that makes me think about the work you do with ISSA and the life and times of the cybersecurity pro. What are some of the things you think we're going to hear on speaking sessions at RSA that are related to those two topics?
Jon: Well, first of all, I'm happy that we're moving in this direction. As Bruce Schneier says, security is a process, not a product, which I totally agree with. I understand that. Professional development, we kind of just touched on this. I mean, the world is moving very quickly. There's the expanding attack surface. We're doing things like serverless application development.
And so security people have to keep up. But what the ISSA research has shown is, year after year, they don't have time to keep up. They're not doing the training that they need to keep up. And that's a gap that every organization should be looking at and figuring out how to bridge. Because if you're not keeping up, you're ignoring certain risks or minimizing certain risks.
You're going to suffer if you do that.
Doug: Yeah. I mean, that's one of the reasons I continue to sort of beat the secure DevOps or DevSecOps drum, because it gives us, you know, security at scale. If you can integrate with your CI/CD pipeline in how you automate, you fundamentally get scale. You can automate your security processes at every step of the application lifecycle.
Still early days. There are obviously some organizations that are truly starting to embrace and adopt DevSecOps, which starts with people. It's all about a cultural shift.
Jon: And, again, it's about automation. We don't have the bodies to keep up with the workload. So there's only a few things we can do, and one of them is automation.
Doug: Absolutely. Well, thanks, everybody, for joining us for this latest episode of "Car Talk" cybersecurity talk. We'll look forward to the next time.
Jon: Don't compute like my brother.