For enterprises today, one thing is certain: Disruption is always just around the corner. While technological disruption can offer opportunities, it also amplifies risk.
That’s the theme of a cleverly titled panel at this year’s RSA Conference 2022: The Jetsons Are Here—Now What Are the Security Implications. The panel will be held June 6, from 2:20 p.m. to 3:10 p.m. PT, at the Moscone Center in San Francisco.
Panel moderator Lisa Lee, who is chief security adviser and global lead for vertical industries and engagement at Microsoft, and panelist Diana Kelley, the CTO and co-founder of cybersecurity advisory SecurityCurve, offered Endpoint a sneak peek at what they’ll discuss, why you should attend, and what enterprise CISOs can do to stay relevant and reduce risks as new enterprise technologies come into use.
Those of us of a certain age recall the promise of flying cars when we were kids. Yet they’re still not really here. What future technologies do you both see having the most significant impact in the next five to 10 years?
Lee: It is funny you mention flying cars. When I started the exploration for this session, almost two years ago, it was said flying cars were two or three years out. I thought, “There is no way. It’s at least five to 10 years out.” We just don’t have the infrastructure to handle flying cars.
Today, flying cars are hitting the news every day. Companies are passing flight tests, getting certifications and regulatory ratings. So, yes, flying cars are here. They’ve been here, in different stages, for two years. I recently read that Uber expects to have its flying car operational by 2023. And, of course, flying cars—just like autonomous cars—will come with massive cybersecurity challenges in terms of safety, data privacy, and many other issues.
Flying cars aside, what enterprise technologies will you be discussing at RSA 2022? And which do you see being the greatest concern for CISOs?
Lee: For this panel discussion, we’re thinking in terms of industries or where we see the biggest disruptions happening. So, for this panel, Diana will talk about alternate worlds, such as the metaverse, and all the cybersecurity implications. Theresia Gouw, a founding partner at Acrew Capital, will discuss Web3. Patricia Titus, chief privacy and information security officer at Markel Corporation, will be talking about transportation. I’m going to be talking about the healthcare sector.
Kelley: I can tell you the metaverse will be one of those disruptive technologies that bring many cybersecurity challenges. People today have an appetite for virtual worlds, unlike years ago when we had Second Life but it didn’t take off. People have been out of the office for years, and we’re replicating the real world online. In the metaverse version, it’s much easier to be somebody else, especially with deep fakes. This creates enhanced concerns about identity theft. People have even been attacked in the metaverse, which can have a big emotional impact on individuals.
Think about this as a CISO. If your company plans on going full steam into the metaverse, including holding company meetings there, conducting sales there, and so on, the CISO has to take a big step back and consider the impact of all of this on security. In these worlds, the company has very little control over the society regarding who can speak with whom. How are people going to react in the metaverse? Are they going to behave differently? Companies also have little control over data within that world. What happens if your data goes missing?
Lee: There are similar concerns over robotics. You could have a robot that sits in any city, such as Tokyo, and you would never have to fly there for meetings. The robot would attend all of your meetings there. You can take control of the robot and even wear a haptic suit that enables you to shake hands through the robot. There are lots of ways that you can interact. But what’s to say that if you have conflicting meetings, you couldn’t have someone else sit in and no one would know? Suddenly, it’s a very different situation, especially considering the risk of identity theft.
RSA 2022’s theme is “transform.” Do you think the growing pains for these transformational technologies will be similar to what we experienced in the 1990s and early 2000s with the growth of PCs, local area networks, the internet, and e-commerce?
Kelley: It’s going to be similar. And what’s concerning is how much we’re using this technology in areas where the impact is huge. When we started on PCs, I remember I thought a virus that stopped somebody from typing a document was terrible. And then it advanced to “What if your bank account got cleaned out?”
Today, there are smart cities that use these emerging technologies. These cities are incredible, using vast amounts of data to make our lives much better, such as with easing traffic flow. These systems can ensure that the ambulance gets to the person who needs help in time and that you can find a parking space. But now, if you see attackers starting to mess with that, you have the risk of lost lives.
As new technologies come on board, the enterprise attack surface will expand. Are we going to keep running into this tech skills gap challenge?
Lee: I worry about the need to bring so many more people into the security mindset and the security skillset. We’ve all seen the stories about that. But I also worry how we sometimes try to make it sound like it’s not that hard to do security, so that people will come into the field. It is hard. I think it’s super hard. But I think that’s what makes it interesting, because it’s so challenging.
Kelley: As the technologies change and shift quickly, we will need deep experts in those areas to design and implement the solutions. But if everybody who’s building a new system or adopting a system could at least have a security mindset and take security and privacy into consideration from the beginning, perhaps perform some threat modeling, we could improve security considerably. Otherwise, we’re going to end up where we always bolt security on after the fact because something terrible happened.
So let’s start building it in, especially now when many of these new technologies and their impact on humanity are much more significant. We’ve already seen little bits of it, such as the Colonial Pipeline attack and people not being able to gas up their cars on the Eastern Seaboard.
Bringing this home pragmatically for CISOs, what kind of things should they keep in mind to future-proof their security program?
Lee: One approach we talk about during the session, and it applies to the type of technology, are different aspects one should consider for new technologies. For instance, one must think about the data: What’s the potential threat to data in the latest technology? We’ll talk about new technologies related to risks.
We also need to ask CISOs to drive this kind of thinking regarding new technologies. They need to be looking at what is coming six months out and what is coming three years out. And they have to try to determine how quickly the technology is moving.
Kelley: When it comes to new technologies, instead of saying “We don’t need to worry about this yet,” talk to the executives at your company, in all areas, because marketing is probably going to want to adopt the metaverse so that they can engage with your customers there. So, talk to the potential key stakeholders, and understand how the company feels it can benefit from using the metaverse.
For instance, HR may even want to start recruiting there. And once you know how the business intends to use it, now you can identify the potential risks. Also, consider the enterprise use cases. For example, if HR wants to recruit on the metaverse, will they just be posting a public notice on many different sites and perhaps making initial contact with potential recruits? And after contact is made, will the communications shift to the standard review process? If so, that’s fairly low risk. However, if you find that the CEO is conducting M&A conversations in the metaverse, that could be a very high risk.
Lee: To Diana’s point, talking to the key leaders in your organization who might want to take advantage of new technologies is essential. You may also want to have a team or a committee that’s constantly looking at different technologies, talking about how the organization might use them, and examining the benefits to the company and the risks to the company. Who do we have in the company that knows anything about this? You may find that some of your deepest experts are some of your most entry-level people. It depends on what the technology is and how it’s getting used.
Think back to the early days of the internet. Some of the younger people in your company [then] were probably exploring all over the place. That’s probably true with the metaverse today. Some of the younger people on your staff are probably well engaged in the metaverse. It’s not always an age thing, however. Sometimes it’s just about one’s likes and dislikes.
But having the conversation and learning about those in-house experiences is key. What are the bad experiences they’ve had? What are the positive? Where do they see the value? Conversations like this will go a long way to understanding how the organization will approach new technologies and gain insights into potential risks.