As he has done for 15 years running, Hugh Thompson, program chairman for the RSA Conference, took the stage Monday for this year's Innovation Sandbox kickoff event, and shared a personal anecdote that packed a powerful security message.
Thompson has five children ages 1 to 9, which he described as "an amazing experiment when thinking about human behavior." For instance, he said his 2-year-old can play peek-a-boo for more than an hour, and be equally shocked at the results after 100 repetitions.
"There's something wired into us about expectations," Thompson said. "It's something that makes us human, but it's also something attackers prey on."
Then he offered up a story that made this point even clearer. He was in an intense afternoon meeting when he got a text from his wife.
"Where is the iPad," read the text. Thompson responded that he thought it was in the closet. A few minutes later, a response arrived.
"It's not in the closet. Where is the iPad?" Then he suggested looking in his 8-year-old son's bedroom, and he got an immediate response: "It's not there."
This is when he got suspicious and decided to verify that it was his wife texting him by asking a challenge question: What restaurant did they frequent on their first date? When he got what he thought was an incorrect response, he said, "No, stop texting me," assuming it was one of his children on the other end.
Lo and behold, he got a call moments later from his wife, who was irate that he did not remember the actual restaurant from that first date.
Thompson offered this tale as a metaphor for how complicated the issue of authenticating a person is, and how authentication parameters can change.
"When you get into these security stories, they end with a human being," he said.
Hence this year's RSA Conference theme: the Human Element. And during the Innovation Sandbox competition, in which 10 hand-picked startups make 3-minute presentations to a panel of judges, at least half of the presenting companies are addressing some human element of the security equation.
Whether that means changing human behavior, protecting privacy, or helping extend human beings' limited capabilities, a generation of cybersecurity startups is looking to make people a stronger part of the security paradigm.
For example, BluBracket wants to help the gatekeepers of fast-growing source code libraries know exactly what code is where, because it’s impossible to protect what you don’t know is there. The company creates a blueprint of where a company’s source code is stored, and provides alerts when it determines that a piece of code is vulnerable.
“People are completely blind,” said Ajay Arora, founder, president and COO of the Palo Alto, Calif.-based startup. “They don’t know where the code is.”
Elevate Security, meanwhile, is focused on combining social proof, competition and positive reinforcement to rank employees by behavior, with a goal of changing that behavior to improve cybersecurity. Masha Sedova, co-founder and CPO, noted that 95 percent of breaches are tied to human behavior, and that the company’s early efforts have demonstrated that appealing to employees’ competitive nature and desire to have accomplishments singled out are effective methods for modifying behavior.
“We know this approach works,” Sedova said.
But the company that really caught the judges’ eyes was San Jose, Calif.-based startup Securiti.ai, which was awarded the top prize for its use of artificial intelligence to create “people data graphs” that detect data in structured and unstructured systems and link that data to an individual. The idea is to help organizations contend with the sprawl of user-identified data through numerous systems, which has made it a challenge to preserve privacy safeguards.
“Privacy is your and everyone’s basic human right,” said CEO Rehan Jalil. “Companies need to respect this at a granular level.”
When a company looking to protect basic human privacy rights is considered a top cybersecurity innovator, it’s clear that the human element has moved to the center of security strategy. And as Thompson’s story illustrated, it’s an incredibly complex component, and one that deserves the focus of cybersecurity teams everywhere. It certainly has the attention of the startup community.