At Black Hat 2018, one sentiment was made abundantly clear: working in cybersecurity today feels like being trapped inside a pressure cooker. Between the struggle of finding solid security solutions, filling in the gaps left by the talent crisis, and dealing with more advanced hacking threats, there’s little question why.
Jeff Moss, the founder of Black Hat, grappled with this topic in his opening address, stating, “The industry is at the ‘final exams’ stage. We’ve matured enough that world events have caught up with us, and we’re now being tested.”
Black Hat is what you choose to make it—you can walk away with the knowledge to help you take that “test” or you can leave with 50 new vendor t-shirts stuffed in your backpack. The real value, however, comes from listening carefully to luminaries and leaders. I was lucky enough to spend this conference speaking with several security pros, tech journalists, and other experts on the state of cybersecurity, and I’m paying it forward by sharing the best tips and insights they gave me.
6 secrets from Black Hat 2018
1. Take the basics seriously
Basic cybersecurity hygiene isn’t glamorous, but it needs to be a priority in this day and age. If you’re not already practicing the fundamentals daily, start planning a security routine you and your employees can get into. Regularly maintaining system health and improving security where you can in the short term is bound to have positive effects in the long term.
One anonymous CISO with a staggering budget got blunt about his needs: “I’m really big on getting the basics right. Ninety-five percent of the vendors in the business hall are offering solutions for advanced threats, which aren’t our biggest risk. This year, I’m getting hygiene dealt with.”
2. Don’t panic
“The first thing CISOs say is ‘Help!’,” HP Head of Security Michael Howard said with a laugh. “We used to joke the CISO role was invented so CIOs didn’t get fired as much, but it’s matured.”
“Today, CISOs are desperate for solutions to secure existing endpoints,” he continued. “Many lack understanding of their current multivendor environment. They need vendor-neutral advice on basic best practices.”
3. Bring IT to board meetings
The biggest issue facing cybersecurity isn’t the attackers at the front door but the disconnect between business and IT that already exists inside many organizations.
After some spirited discussion with the brightest minds in cybersecurity, it was decided that to inspire meaningful change in the organization, tech needs to learn “BSL”—business as a second language. Doing so will help bring CISOs closer to the executive function, where they can evangelize the need for better protection in today’s threat landscape. In addition, when leadership sets the standard for cybersecurity practices, the whole company will follow, which keeps the organization safer across the board.
4. Share your organizational best practices
The average organization likely has a dozen or more security solutions in place. Often, these solutions aren’t used and drive little value.
“CISOs are desperate for dashboards,” said Howard. “They’re overwhelmed with governance and compliance. Security leaders need experts who can share best practices.”
5. Don’t let talent retention get you down
“The first thing I worry about when I wake up is my people,” Michael Howard said. “Losing talent to a competitor is a real risk. I advocate hard [for my team]. It’s important for leaders to protect individual happiness and make sure talent is paid competitively.”
Howard is obviously doing something right, because he’s only ever lost one team member, and it was to an internal promotion. Still, he’s not the only exec stressed about losing talent to the threat of competition: “Let me know if you talk to anyone I can recruit for pen testing,” one security executive whispered to me in Light Nightclub. Talent worries evidently don’t stop—not even at Vegas parties.
6. Dedicate yourself to diversity
Diversity issues terrified one anonymous CISO with two young daughters. “My team has 150 people and two women. One of these women just accepted a special forces opportunity. Now, we’re over 99 percent men.” It’s not a cure, but I was happy to see more women at Black Hat 2018 than at any other tech show I’ve attended. The industry is under pressure, but it’s trying to get better.
In fact, that sentence might sum up my takeaways from Black Hat overall. The cybersecurity industry is under immense pressure, whether it comes from external cyberthreats, internal disconnect, or staffing challenges. That said, there are strategies that can help you handle that pressure and experts who can lead the way. By focusing on basic cybersecurity hygiene and supporting your team, you just might come out unscathed.