Security Experts:

Do You Know Your ABCs?

Ah, RSAC 2017. Into the bowels of Moscone, I dove. Submerged in a calliopean frenzy of schwag hawkers and “where the world talks security” messaging. From the Marvel-esque call to “Be a hero!” to the more existential reminder that “Every moment counts!” I found myself drowning in a sea of Secure! Protect! Defend!

From shiny object to shiny object, I waded. What’s new? What’s different? What’s the word?

The word, the buzz definitely centered around artificial intelligence (AI). But with so much focus on its potential to alleviate the current woes of not enough time or pros to combat a growing number of cyber aggressors using more and more diversified and automated attacks, it started to remind me of, years ago, when my friends would advise me to stop dating “potential.”

Potential isn’t something that can get you very far in the near term—if ever—so in my search for the magical security nostrum du jour, I decided to put aside thoughts of AI and its potential. And that’s when I discovered the true gospel of the conference. In a world where we recognize security shortcomings—too much data, too little time, too many bad guys, too few good guys—it’s increasingly critical to not forget the basics of defense. 

A, B, C Before D, E, F

On the odd occasion, I look for ways to relate work lessons to life lessons—for me, almost always to do with horses. And this time, my horse Arty came to mind. He was “born” to piaffe, passage, prance like a prima ballerina. Unfortunately, because of his innate talent, he was pushed a bit too far too fast as a youngster; and the basics were neglected. A trainer once said to me, “He knows D, E, F, but not A, B, C.”

Like AI, upper-level dressage movements are sexy. (No, really, they are.) But for them to even be possible—and correct—requires a commitment to building a solid A, B, C foundation. Sure, to analogize cybersecurity to dressage may seem a stretch. But, when you think about it, both require quotidian diligence. Both are fundamental to good health. And both require a helluva lot of time and money.

In cybersecurity, basic hygiene is a must. You can’t neglect proper testing, patching, encryption, segmentation, visibility, etc. You could implement every eye-catching security tool on the market, but without good, clean hygiene and the ability to deliver tools the right data at the right time, they’ll never shine their brightest. In short, you can’t go wrong investing time, energy, and capital in the basics.

No Wine (or AI) Before Its Time

For anyone who remembers Orson Welles slinging the Paul Masson winery slogan . . . To push for something, like AI, before it’s ready could be a mistake. No doubt, you can still strive toward the promise of AI to aid with detection, prediction, and action, but in the meanwhile, get the most out of what you have before trying to overcomplicate an already hyper complex system.

Give the great pros and products you have in place today the best chance of doing their jobs. Enable them with as broad a view into data as possible (across physical, virtual, cloud infrastructures), but a view that is relevant to their purpose. That way, when AI’s time comes—and it will—it will be all the more effective and successful at Securing! Protecting! Defending!

view counter
Erin O’Malley is an incident response delivery support manager at Accenture Security, FusionX, Cyber Investigation and Forensics Response (CIFR), where she teams with incident responders and threat hunters to document and catalog incident report findings and highlight the value of taking an adversary-based approach to minimize the risk, exposure, and damage of cybersecurity incidents. Prior to joining Accenture, Erin was a security solutions marketing manager at Gigamon. Other past roles have included product marketing for virtualization and cloud security solutions at Juniper Networks and customer marketing at VMware. She has written and edited for GE Digital, WSGR, Business Objects, and the TDA Group, and holds a B.A. in French from Penn State University and an M.A. in French from Middlebury College. The opinions and statements in this column are solely those of the individual author, and do not constitute professional or legal advice, nor do they necessarily reflect the views of Accenture, its subsidiaries, or affiliates. No representations or warranties are provided, and the reader is responsible for determining whether or not to follow any of the suggestions or recommendations, entirely at their own discretion.