Chris Roberts (@sidragon1), currently the Chief Security Strategist at Attivo Networks, really stood out last year at All Day DevOps. You really just have to watch his session, below, to truly appreciate his unique point-of-view.
He summarizes by saying that developers need to evolve. Developers must live, breathe, and think DevSecOps because we can’t count on humans to protect us.
Chris underscores that in 2017, 2-3 billion records were lost in security incidents. This, even after tens of billions of dollars were spent by private entities on cybersecurity. Moreover, that doesn’t count the cybersecurity spending by governments!
As he says: “The beauty of humans is that for all that we err, we also have an equal capacity to evolve. We humans are both the problem AND the solution.”
With 5.5 billion connected people in the world, after you take out the people who use "123456" as a password and all of the “sheeple,” you get a small number who actually get security. Chris estimates that it is about 9% of the United States population.
Now, consider this small group of security-minded people with these facts:
- We are adding more and more complex technology
- We are handing technology to a broader population that doesn’t understand or care about security
- We are integrating technology into our homes, offices, bodies, cars, and lives
- We don’t have enough qualified people to manage the current list of issues, let alone anticipate and prepare for the future
- We don’t have good eyes on (any!) of our own environments
Chris concludes, "we are *&!!&#% unless we evolve!"
He launches into next generation areas that need to adequately prepare for security by using DevSecOps principles. Examples include: nanotechnology; technology that eliminates passwords (because we become the password); and, actual artificial intelligence. He digs into each of these and presents some very interesting ideas, future gazing, and provocative statements on privacy.
Chris also lays into “his industry,” noting the cybersecurity industry has:
- Sold false promises
- Continued to Band-Aid rather than fix problems
- Profited off the misery of others
- Acts like entitled snowflakes
- Blames everyone else
- Flaunts the mission of security
- Treats information as currency and holds it over others
- Uses FUD (fear, uncertainty, and doubt) at every turn to maintain the upper hand
But what is one to do? Chris walks through some back-to-basics, summed up with:
- Humans - turn it from a security conversation to a safety conversation
- Computers - they are everywhere, even where you don’t know
- Your perimeter - recognize you don’t have one
- A plea - start and stop a bunch of simple things, like stop buying the hype and thinking there is a free lunch and start paying attention to your users and being proactive instead of reactive.
- Get a plan - &#*$&$ is going to happen
- When you think "all is quiet on the Western front" - it isn’t.
What is the bottom line according to Chris? “I will fail. We will succeed.” Individuals will fail; we have to work together.
Chris's presentation, Why The T-Rex Didn’t Get Hand Extenders will provoke ideas about what needs to be done to secure our digital future.