Thoughts From RSAC, Part II

When I first joined the Global Cyber Alliance, one of the first pieces of advice I got was not to imagine hackers as movie characters in dark places, wearing hoods, illuminated only by the dim green light of their computer terminal (thanks, Runa!). Likewise, the targets aren’t always wealthy or technically savvy global institutions, either. It turns out that the motivations, causes, and effects of cyber vulnerability are far more visible to regular civilians than the stereotypes. They’re woven into the fabric of society as we’ve come to understand it—into our supply chains, in the algorithms that filter communication with our friends, in our work-from-home setups, and so on.

If the COVID-19 pandemic has taught us anything (I know, I know, it’s cliche to say at this point), it’s that one can plot out where our connectivity falls along Maslow’s hierarchy of needs. To give you a quick primer on Maslow, his idea was that different categories of needs—bodily needs, a sense of personal safety, social belonging, and self-esteem—must be met, in that order, for individuals to realize self-actualization. If you can’t eat because the web-connected systems your local grocery store runs on are compromised, or you can’t drink because your local water authority has been held to ransom, then your bodily needs can’t be met. If your location is being tracked by stalkers, you don’t feel personal safety. If embarrassing photos stolen from your phone are published online, your social belonging and self-esteem might suffer. And so on. Again, repeating the theme from my last post, cybersecurity is more human than anything.

On day two of the RSA conference, I got to hear about the global state of the cybersecurity industry from the people who lead it. These are the folks who, from top to bottom of the Maslow hierarchy, have security in mind. I heard from the security chief at Ahold Delhaize, Florence Mottay, who protects customer and supply chain data at one of the world’s largest grocery conglomerates. I heard how Johnson & Johnson is giving us our lives back—social belonging—by making sure that vaccine development happens quickly and fairly amid the pandemic. Then companies like Box and Australia’s broadband provider, nbn™, lead us toward self-actualization by enabling forms of communication and collaboration that are accessible to most human beings.

I wanted to share some quotes from their talks, informed by the calls-to-action their companies took up in response to COVID-19:

  • According to Mottay, at the beginning of the pandemic, “everybody wanted to put on a brave face, but we were all struggling in our own way.” But when the cybersecurity infrastructure is not prepared for a stress test like COVID-19, then it becomes difficult to retroactively prepare.
  • “As we felt a healthcare crisis, we didn’t realize that there will be a huge digital opportunity,” said Marene Allison of Johnson & Johnson. “The role of the CISO became a huge role.” Suddenly, the cross-disciplinary nature of a security chief became mission critical and was appreciated for what it is by companies. That was the unfortunate result of J&J becoming a huge target, given that healthcare saw a 30% rise in cyber attacks in 2020, according to Allison.
  • “If security competes with usability, it’s probably not good security,” said Phil Venables, Chief Information Security Officer at Google Cloud. “It’s not about mitigating risk, but also about good business practice.”
  • Lakshmi Hanspal of Box talked about the importance of “leading with empathy” when implementing new practices and policies on the corporate level, understanding the needs and anxieties of employees and end users.
  • Darren Kane of nbn™ Australia said that there are three takeaways from COVID: broadband, not road and rail, saved the economy; people are always able to adapt when it’s in their best interest; and the role of cybersecurity needs to shift from gathering intelligence to offering business continuity and response.
  • And finally, to tie it all off, Dr. Reem Al-Shammari from the Kuwait Oil Company said that a CISO wins foremost when “focusing on the ‘people aspect.’”

The author, Julian Hayda, is the Craig Newmark Journalist Scholar at the Global Cyber Alliance. You can follow him on Twitter or connect with him on LinkedIn.