In this podcast recorded at RSA Conference 2017, Melanie Ensign, Co-Chair for WISP and Head of Security & Privacy Communications at Uber, and Ajay Arora, CEO and founder of Vera Security, talk about how information security is changing on several levels and how modern security teams are now looking at their responsibility in their companies as enabling new business opportunities.
They also tackle the notion of transparency and control, the fact that people now literally have both a physical existence and a digital existence, and much more.
Here’s a transcript of the podcast for your convenience.
Ajay Arora: Hi, I’m Ajay Arora. I’m the CEO and founder of Vera Security. I’m here with Melanie, if you’d like to introduce yourself.
Melanie Ensign: Sure. I’m Melanie Ensign, I’m currently on the board of WISP, which is a non-profit, Women in Security and Privacy. And we are dedicated and really focused on helping more women join the security community and helping them advance and develop once they’re in the field.
Ajay Arora: Excellent, I know this is your anniversary in WISP, correct?
Melanie Ensign: Yeah, a couple of months. We’re pretty new but we definitely saw a need for the organization. We just had so many women that were really interested in getting involved, because problems like security and privacy are things that resonate with a lot of people. A lot of people want to help and get involved, so we created the organization to give women those resources and that opportunity to join.
Ajay Arora: That’s a really interesting perspective. So we’re here at RSA this year, so with that as kind of the theme, with that as a backdrop, are you seeing just the face of RSA in security in general changing, and why and how is that important? What’s your perspective on that?
Melanie Ensign: Sure. So, one of the things that I’ve noticed this year at RSA in particular, and I can’t say I’ve seen this so much on the show floor, but one of the great things about RSA in general is the community that it brings. Everybody’s here in San Francisco all at once making connections, forging relationships and so there are a lot of events, kind of side-events that happen because we’re all here at the same time. And so you’re able to see smaller groups of people meet because they are working on a similar problem together and because they are attracted to solving the same issues and helping people in similar ways.
What I’ve seen at some of those surrounding events is more and more people from outside the traditional infosec community coming on board and bringing new perspectives and expertise with them. So, disciplines like psychology, behavioral science, neurobiology, a lot of things that are less about the technology and more about the people.
We’ve seen some of this at specific companies. Google’s actually a really good example where they’ve done a lot of user testing in terms of how do people respond to security warnings. Having too many of them and having them when they’re unclear is really hard to get people to understand what you’re trying to communicate to them, and then also motivate them to take the steps and the behavior that you hope that they will do. And so there’s definitely more in the surrounding community here this week. More of those types of people who are coming together to say ‘I’m not an engineer, but I know how to help solve this problem because we’ve been working on it in other disciplines and other fields’.
Ajay Arora: That’s a very interesting point. So I’ve been coming to RSA for longer than I want to admit, and every year there’s more and more people. It’s not just the number of people, but the actual composition of these people is changing dramatically. I think you struck on a really important point, which is that when people are bombarded by the same messaging, they get desensitized to it. And this whole notion about security being all about fearmongering and that whole fear, uncertainty and doubt factor, it kind of turns people away from it. So, what do you think, with this kind of new composition of people coming in, how’s that going to change the face of security? Is it actually, at the end of the day, going to make things better and how?
Melanie Ensign: So I mentioned we’re really excited about the future of security for that reason, with this integration of people from other fields and disciplines. Because I think what it does is it removes a lot of the mysticism and magic from the way that we’ve traditionally talked about security, and it forces people to be a lot more transparent and a lot more logical in the way that we think about security. And so, you know, sometimes as an industry, I like to tell people – if people believe that you’re a wizard and they don’t understand what you do, it may make you feel very valued, but it actually, they don’t value you because they don’t understand what you do.
I think having all of these disciplines come together is forcing us to change the way that we communicate to people about security. I think it’s good for consumers who are going to get better communication from the companies who provide services and products for them. I think it’s better for internal security teams who are learning how to better communicate with their internal stakeholders and business leaders. And I think it’s good for society at large. I think one of the negative consequences of some of this fear-based communication is that when you’ve sufficiently scared people, they make poor decisions, and that’s actually how we end up with really poor laws and regulation in this space as well because, you know, we’ve sufficiently freaked out society and they’re distracted, they’re not focused on the right things.
Ajay Arora: That’s a really good point, so, one thing that we’ve seen that’s real interesting too is that security for too long has been synonymous with friction and getting in the way and not being something, you know, for example if something’s encrypted or you have to enter a password and then another step of authentication, it’s like so many steps to get in from here to what I’m trying to do when I’m trying to do my job or access whatever it is.
Maybe you can comment for a second on how do you think that equation is going to change overall – not just in removing friction to make security easier? Do you ever think, to your point earlier, that security can be viewed in a much more positive sense instead of instilling fear or doubt, but as an enabler for other things? Are you seeing that kind of happen in the security products or teams that you’ve seen? Or do you think that shift will ever happen?
Melanie Ensign: I do, I actually have seen it, I’ve seen it happen. I think the most modern security teams are actually now looking at their responsibility in their companies as enabling new business opportunities, building a trusted foundation so that businesses can move really quickly and try new things and innovate. And that’s not possible if people are scared of technology, if we can’t give them that trust and foundation. And so I think the best security teams and the smartest security teams are already thinking that way: how can I contribute to not only the technological health of the company but the financial health, but making those business opportunities possible?
Ajay Arora: Excellent point. So, let me ask this also: if you fast-forward a year from now and then maybe 5 years from now in just getting maybe a little bit more, taking the crystal ball out and looking: what do you think we’ll be talking about next year? And in 5 years? Do you think we’ll be still in a world where the problem’s getting worse in terms of the number of breaches, frequency, the implications? Will we be getting better? I mean, this last year was the first year that we actually saw cybersecurity play into an election and have such dramatic effects. Do you think it’s going to get better in a year? Do you think it’s going to take 5 years? 10? I know maybe it’s an unfair question…
Melanie Ensign: I hope at least a year from now, maybe it will take 5 years, but I hope at least this time next year we’ll be having more conversations and less about the specific attack or breach, but the change we’re seeing in society and culture in terms of how people are viewing these incidents. It shouldn’t feel like the end of the world if a social media account is compromised, right? Can we actually get to a point where people have their personal incident response planning, you know, losing a password for an account feels like I just lost my credit card and I’m just going to call and cancel it and I’ll move on.
There are parts of security in our daily lives that we’ve somehow become comfortable with. Losing my wallet at a restaurant – it’s frustrating, it’s inconvenient, it’s annoying, but I’m calling and cancelling cards. But, you know, if there’s an online account that’s compromised today, it’s a big headline. It’s news everywhere, and I think we need to get people to the point where they’re comfortable enough with this new normal, that they don’t freak out every time. Because again, that fear is where it makes it really difficult for them to make smart, logical decisions about what to do next.
Ajay Arora: Couple that with the other side of security, the flip side or closely coupled to it is the notion of privacy. So how do you see people’s views in the last couple of years and going forward changing with respect to privacy? Do they have a lot less expectation of it? Are they just kind of – I’m still going to put stuff out there, but I know that it can be compromised? Are they surrendering the idea of privacy or the absoluteness of it?
Melanie Ensign: What I’ve actually seen is not that people are surrendering their expectation of privacy or giving up on it completely – they just want control over it. So that they have a choice on when to share or when not to share and transparency about, you know, what is actually out there and how it’s being used? And so I think the notion of transparency and control is really the future of where the conversation on privacy is going.
Ajay Arora: Yeah. It’s a very interesting thing because I think people know that their data and their information is much more at risk that they think about it now, but yeah, people still tend to – they all share their everyday lives. And one thing that we’ve seen too is this last couple of years with all these debates around encryption and all those other pieces is that the notion that people now literally have both a physical existence and a digital existence, and there is still, they know that that footprint is out there on both sides, still viewed as differently, so for example, last year when we were talking about the encryption debate with Apple, and the government wanting like a backdoor key to like all the information that was there, you know, there was a debate over it. But if you just frame the conversation in the sense to say hey, the government, let’s say you lived in New York City, in Manhattan and the government said I want a skeleton key to every single apartment that’s in Manhattan, people would never think to do that. So I’m curious to know, do you think that people like when it comes to their privacy versus their protection, where do you see that if you can about that evolving? Are people willing to surrender their privacy for this notion of protection, or at least the specter of it being better?
Melanie Ensign: I actually think part of the reason why sometimes people will make that trade-off has a lot to do with the fear factor in the way that things are communicated to them. That debate of do I want security and protection, or do I want privacy? Sometimes that’s a false dichotomy. So I think being mindful of that and helping people again understand what’s actually at stake, what the real risks are in a way that they can actually understand and consume is going to be really important in helping them make personal choices about when does that trade-off actually exist, and which option do they want?
Ajay Arora: Well, that was really wonderful. So, thank you so much for taking the time and giving your perspective on it. It’s obviously something you think about a lot.