RSA President: We're At A Security Inflection Point, But Not On A Path To Win

The security industry is teetering on the edge of enlightenment as it works to fight back against a growing threat landscape. But the security industry will never get ahead if it doesn't change the way it's approaching the problem, RSA President Amit Yoran said in the opening keynote Tuesday at the 2015 RSA Conference in San Francisco.

"It's time for a new sense of exploration, awareness and understanding. It's time for security to escape the Dark Ages and pursue our own age of enlightenment," Yoran said.

While computing advancements and the universal spread of technology have come with many benefits, they have also opened the doors for megabreaches and growing cyberthreats across all industries, Yoran said. That trend will only continue to get worse in 2015, he said.

"Things are getting worse, not better," Yoran said. "2014 was yet another reminder that we are losing this contest. The adversaries are outmaneuvering the industry. They are outgunning the industry. They are winning by every measure," he continued.

To address that, security professionals have to change the way they look at the issue, he said. Instead of building taller walls and deeper moats to protect the perimeter around infrastructure and data, Yoran said, the industry needs to start thinking differently and, more important, acting differently.

"What I'm describing isn’t a technology problem. We have systems for visibility, identity, threat intelligence, [to] map and manage our digital and business risks -- this is not a technology problem. This is a mindset problem," Yoran said. "The world has changed and trust me, it's not the terrain that’s wrong."

To illustrate the problem, Yoran told a story from when he was a student at West Point. On a training hike, he kept getting lost as he couldn't get his map to match up with the terrain he was seeing. When he approached his supervisor, he was told that it was either the terrain or the map that was wrong. In the case of the security industry, Yoran said, security professionals will keep getting lost and losing the fight against attackers if they don't realize that it's the map that they are using that is wrong, not the terrain.

"It's clear that in security, we haven’t been able to find what we're looking for with our map in both hands. The map we're looking at simply doesn’t match the terrain, but we keep pretending it does," Yoran said. "It's time to realize that things are different," he continued.

Yoran highlighted five key areas that security professionals should take a look at if they want to change the way they are approaching threats.

First, he said, security professionals need to stop believing that advanced protections will stop all threats and, as a result, they must actively question vendors to see if their solutions are just another addition to the castle wall of security solutions.

Second, Yoran said, security professionals should look to increase visibility from the endpoint all the way up through the network and the cloud.

"You simply can't do security today without visibility," Yoran said. "These aren’t 'nice to haves,' these are foundational core requirements for any modern security program. If you don’t have that level of visibility or agility, you're only pretending to do security."

Third, Yoran said, security professionals should focus more on identity and authentication, as research shows that upward of 95 percent of compromised data was a result of stolen credentials and end-user mistakes that allowed threats to walk right through the front door.

Fourth, Yoran said, security professionals should leverage, operationalize and customize external threat intelligence.

Finally, he said, security professionals should characterize what information is mission-critical and what isn't in order to prioritize resources.

"I'm not saying we have all the answers -- far from it," Yoran said. "There are resource challenges. There are skill set gaps. There are legal impediments. But, we're on a path to change a paradigm under which the security industry has been in for decades."