Security is changing rapidly, and the COVID-19 pandemic hasn’t helped. A Cisco roundtable of chief information security officer advisers plotted the course for a secure future.
It’s time for collaboration, not control. CISOs can’t simply dictate security policy and expect users to fall in line. Not only will workers not fall in line with top-down security directives, they’re also likely to intentionally subvert them to get what they want out of the tech they use at work. “The more constraints placed on users, the more creative they become,” Goerlich said. Savvy users, Goerlich said, can be an asset to a cybersecurity team, helping to secure networks by collaborating with CISOs instead of working against them.
AI and machine learning: CISOs are right to be skeptical. “Training an AI model can take months,” Goerlich said, adding that a rapid change like the kind encountered with stay-at-home orders can throw machine learning models out the window. There were countless alerts and false positives thrown by AI-powered security software at the start of the pandemic, Goerlich said.
It’s time to embrace a passwordless future. “Passwords have had their time. Nowadays attackers don’t break in, they log in,” Archdeacon said. Goerlich said the transition will be driven by two things: What users expect from consumer devices (e.g., FaceID, Microsoft Hello, etc.), and new security standards like FIDO2 that make passwordless security practical.
Wolf’s Additional Thoughts
I’ve taken to calling what happened in March and April as “the Spring when the AIs went insane.” Everyone shifted from working from the office to working from home, and then some shifted back when many were returning to the office. This occurred in three months. Typical general purpose UEBA takes 6-months or more to train. The result was a significant increase in false positives as the human response to the pandemic outstripped the UEBA AI/ML ability to learn. Everything was unusual. Everything was a threat. Everything generated an alert. In other words, the AIs went insane.