5 Things I Learned at Black Hat
Sitting at Citizen restaurant in Mandalay Bay, I’m watching people wearing Black Hat badges walk by and thinking about the last three days. Flying here wasn’t fun, but being here has reminded me just how much being with the people in the security industry means to me both professionally and personally.
As humans, we belong to various tribes. I define the cybersecurity industry as one of mine, and it’s a tribe I’m thrilled to be part of. I’ve told many people that I like the tech and the intellectual challenges but I love the people, and this week has confirmed the extent to which that is true. It’s great to be back.
And that’s a sentiment I heard echoed by many people this week. I haven’t seen any statements of attendance but I do know that the hallways of the conference and aisles of the expo hall were filled with people talking, learning, and picking up schwag.
I’ll be heading to DEF CON tomorrow morning and wanted to take a few minutes to eat some steak frites and jot down the five key things I learned at Black Hat.
We're Learning About the Makeup of Our Infrastructure
The most common words seen on booth signs around Black Hat were “security” and “visibility.” It seems that, in 2022, we’re still trying to understand precisely which devices and people we have hanging out on our enterprise networks. And in most cases this isn’t just about understanding the state of the software maintenance. No, we’re still in the dark when it comes to knowing which computing things we have in our enterprise population.
I heard more than one story about CIOs or CISOs actually laughing at vendors when it was suggested that the IT team might know the details of their network population. And when a proof of concept is run, those executives express surprise when they see just how large their population is. The enumerated population is always larger than the pre-test estimate.
Once you know what’s attached to the network, you can start looking into the specifics – but that takes us to the next point.
We're Learning About the State of Our Infrastructure
Knowing the devices that make up the population of your network doesn’t mean it’s time for a sigh of relief; if you’re like a lot of people in the industry, you still don’t know why your machines aren’t secure or how to make them secure. For that, you need something to scan all those systems and provide a statement of which version of the OS and other software is in place, which vulnerabilities exist, and whether those vulnerabilities are the result of software mis-configuration or un-updated software.
This lack of visibility into the systems that make up our networks is a critical problem. Of course we also have to understand who the users are when they sit behind those systems, but that’s a whole different area of technology and a whole different thing to learn. Maybe next time...
We're Learning How to Talk About Cybersecurity
Cybersecurity is complicated. No one seriously argues that it’s not. That’s one of the reasons it’s a field filled with jargon that’s frequently arcane, concepts that are sometimes opaque, and acronyms that can stretch well beyond three letters. Those of us who live in the industry can generally make our way around the conversations but when we try to talk to those who have lives outside cybersecurity – whoo, now that’s a problem.
It’s a special problem when those “outsiders” control our budgets or need to explain to us just what it is we’re protecting (more on that in a moment). We struggle to find a common language to explain precisely what it is we do and why it works to protect the organization. Fortunately, the industry is making progress toward that common language.
At Black Hat a significant number of companies were using the word “risk” to describe the difference their products or services can make to a customer. It’s a word that the enterprise has begun to embrace, largely as a result of the growing influence of cyber insurers. Thinking of risk as a work in progress is probably the best way to think of the current state of the matter.
While more and more companies use risk as a way to talk about the impact of cybersecurity, there is little agreement on just how to define that risk. There are a number of frameworks that can be used, and every vendor has their own way of assessing and representing risk, but those frameworks and individual methods don’t readily talk to one another. The industry ultimately needs that universal risk translator, but what we have now is a meaningful start.
We're Learning to Put Cybersecurity in Context
For years, cybersecurity professionals have heard about just how important it is that they understand the business requirements of the organization. And for years many cybersecurity professionals have nodded their heads in assent while burying their heads in their security dashboards. At Black Hat 2022, I heard a lot of security pros talking about working with the business units – and that’s a major step in a necessary direction.
The business implications of cybersecurity’s work are critical, as is business employees’ active participation in cybersecurity. The rise of the cybersecurity awareness training requirement within the enterprise is the direct result of the recognition (from both sides of the house) that the cybersecurity effort can’t be something laid on top of a careless organization; it has to be “baked in” to the culture of the enterprise.
Like everything else I learned, this isn’t at an end state – it’s an organizational journey. Companies are at different stages on their journeys and all have more of the path to travel. But it’s good to see that this journey has begun and that most organizations seem to be embracing it with some enthusiasm. It was something very encouraging to see.
We’re in the Best Shape Yet
For all the “we don’t…” in the preceding paragraphs, the unarguable truth is that we’re getting better and better at protecting our organizations against robust and cunning threat actors. There is certainly progress to be made (none of this is a static game) but I saw and heard a huge variety of very smart and talented people talk about the innovative ways they’ve developed to keep their organizations safer.
Some of those smart, talented people are threat hunters and researchers. Outside the industry, their work is often misunderstood, but their efforts are a critical part of cybersecurity success. I was, as always, blown away by what they accomplish.
I was also impressed by how our industry is making progress toward better inclusion of those of different genders, backgrounds, nationalities, and natures on cybersecurity teams. Because so much cybersecurity work involves imagination and creativity, a wealth of different voices does nothing but make us stronger and able to better create protective measures to defend our organizations.
Now, it’s on to DEF CON. I’ll have some thoughts about that soon, but I’d love to hear what you took away from Black Hat – and what you hope to see and hear the next time the industry gathers.