If change is the only constant in life, as ancient Greek philosopher Heraclitus of Ephesus is often quoted as having written, then cybersecurity is alive and well.
Reminders that cybersecurity is an era of unprecedented change were everywhere at this week's RSA Conference in San Francisco, but nowhere were they on more obvious display than during the week's keynote sessions.
In fact, one of the most obvious changes—the growing female presence in the industry—figures prominently in this post in that all of the keynote speakers quoted are women. And yet, none of them referenced this during their talks. Rather, they chose to focus on other changes the cybersecurity industry is undergoing, and how they're thinking about and contending with those.
It started on Tuesday with cybersecurity strategist Niloofar Razi Howe, who, during a theoretical talk about the evolution of trust over the next 30 years with RSA President Rohit Ghai, touched on the reality that the most effective security in the near future will be powered by both humans and artificial intelligence algorithms.
"Man and machine together are more trustworthy than they are individually," she said, portending a time when people work side by side with AI, presumably without the mistrust of AI that dominates today.
A short time later, the always-anticipated cryptographers' panel featured two women among the five cryptography experts on stage. One of those, Shafi Goldwasser, director of the Simons Institute for the Theory of Computing, also chimed in on the topic of AI, suggesting that security should be sacrificed in the name of innovation, and thus the code behind AI applications should be written to be cryptography-friendly.
"The best machine learning models are accurate, but they should be built to work well with encrypted data," Goldwasser said.
Shifting to a decidedly untechnological story, Paula Januszkiewicz, CEO of cybersecurity consultancy CQURE, shared a social engineering experiment she conducted that illustrates just how much more of a piece of the security puzzle humans are than they were once thought to be.
As the story went, Januszkiewicz got on a secure elevator in an office building with a man who used a keycard to get on, and she was not questioned at all. Once on the elevator, she commented to the man, whom she had never met, that it was nice to see him again.
As they walked off the elevator on the 6th floor, he said it was nice to see her again, and the two of them then walked into a gathering in which she was clearly an outsider, but no one said anything. She could have easily walked around the office, writing down personal details, copying any exposed passwords and generally obtaining information any hacker would be happy to have.
Januszkiewicz told the RSA Conference audience that she'd been conducting these types of experiments frequently, and she'd only been caught or stopped once. She shares these stories with clients so that they're clear on just how vulnerable they are, how easily the physical can impact the digital, and how little they can do about it.
"The moral of the story is that despite all the technology and processes, security is often about people, and people open up vulnerabilities," she said.
The following day, during a keynote panel on the weaponization of the Internet, the conversation shifted to a different kind of social engineering, the kind that involves social media-based manipulation.
Del Harvey, VP of trust and safety for Twitter, talked about the first time her team saw evidence of Twitter being used to manipulate. To some, the incident was far worse than a cyberattack: Justin Bieber fans in Brazil were tweeting about him constantly so that he'd become a trending topic in the country and thus be swayed to eventually perform there, which he did.
While it was far from a nefarious purpose, Harvey said it was an exercise that reinforced the growing awareness that social media could be used to achieve ambitious goals by building momentum around selected information — or misinformation.
"It's a useful example to keep in mind," she said. It's also symbolic of cyber security's expanding reach.
On Thursday, Heather Mahalik, mobile forensics course director at SANS Institute, became the first woman to sit on SANS' annual "dangerous new attack techniques" panel, and she brought a fresh focus on mobile devices, lending an element of change to an always forward-looking conversation.
Most notable: Whereas her colleagues typically focus on large-scale attacks that impact organizations, she zeroed in on the emerging trend of targeted, individualized attacks. More than anything, she provided an ominous reminder that the days of protecting assets while inside the network are long over. Thanks to mobility, GPS, and the array of location-based services, a company's cyber security efforts must be capable of following — and protecting — users anywhere on earth.
"They know where you are," said Mahalik said of the bad guys. "They have access to all of your devices. They are going to know where you are. Not only where you are, but everywhere you plan to go. You really can't shake it.
As much as the steady string of female cybersecurity influencers reflected the dizzying change the industry is facing, they all took a back seat to Kyla Guru, the 16-year-old wunderkind who walked onto the stage on Thursday afternoon with a presence and confidence that belied her youth. Guru, a junior at Deerfield High School in Deerfield, Ill., is the founder and CEO of Bits N' Bytes Cybersecurity Education, which seeks to inject cybersecurity skills into the general population, especially youngsters.
Among all the energetic, eye-opening perspectives Guru shared during her talk, the most important was her message about the importance of looping in tech-savvy youth into the cyber conversation, even if they lack the education and certifications of cybersecurity pros working in private industry.
Guru noted that Generation Z, the teens and college students of today, are the most tech-obsessed part of the population, spending about 80 percent of their waking day online. As such, she believes that planning for how cybersecurity will be conducted down the line without their input is shortsighted.
"We are talking about securing the future for a generation," said Guru. "That generation has to be in the room. In fact, that generation has to be leading the conversation."
There you have it: change isn't something cybersecurity professionals have to look for, or study, or debate. If they open their eyes and ears, she just might be standing right in front of them, telling them she's here and that it's time to listen.
That voice will only be louder next year.