
Fear Uncertainty And Doubt

Cybersecurity is often positioned from the negative. There are bad things coming to get you! What a waste of energy...


Watch this episode on YouTube.

Reasonably Accurate 🤖🧠 Transcript

I actually got this working. So, interesting. Yeah, we're good. I'm just double checking back on Facebook, simply because I didn't have time to log in to YouTube and get the stream key and all that kind of stuff. Back on YouTube tomorrow.

But I wanted to get this rolling. So I'm broadcasting to you from a new location, as you can tell. This is Mornings with Mark, West Coast edition. So it's pretty early for me. I just got back from getting breakfast; you know, the standard East Coast advantage of being up really early.

I'm out here in San Francisco for the RSA 2018 USA conference, one of the biggest security conferences there is. Today Andrew Hay and I (Andrew is the CTO at LEO Cyber Security)

are running the Ransomware and Destructive Attacks seminar in Moscone West. So if you're here on site, come check it out. Room 2001 in Moscone West is a full day of deep dives into the impact of ransomware,

the impact of destructive attacks, and what it means to you. But this conference, like I said, it's huge, it's massive, which means everyone ends up being here, from a good perspective (let me just double check the stream, right on) and a bad perspective.

So the good news is, you know, everyone's here, it's exciting, the community kind of pulls together, and so you get to see a lot of folks and hear a lot of new ideas. The downside is, obviously, this is a business-focused event; there are two full expo halls.

And you see all the marketing positioning from folks. Now, cybersecurity has come a long way from when it was pure fear, uncertainty and doubt; however, it's still around. So I hit this up on Twitter yesterday when I landed: it took about 30 seconds to see an ad that was really focused on fear,

that fear, uncertainty and doubt to move product. And, you know, this is my 25th year in professional practice, almost all of it cybersecurity focused, and it's really, really frustrating that we undermine ourselves by going the fear, uncertainty and doubt route.

So here's the best way to approach security. You need a pragmatic, honest and open discussion about what works and what doesn't work, because nothing's 100%. If you're pitching yourself or positioning a security solution or an architecture or design or thought or anything as saying, "this is gonna solve all our security problems,"

that's never gonna be the case. Security is complex. It's nuanced. What we need to keep doing is locking off on certain areas and being able to say, look, I've reduced the risk or mitigated the risk in this area. Now I'm going to work on this other area, based on my business appetite for risk, where appropriate.

Right. It's not that question of, is this secure? That's an impossible question. It's, is this secure against a potential threat to an appropriate level? Again, a usable, workable definition of cybersecurity is to make sure that your IT systems are doing what they're intended to do and only what they're intended to do.

So you're never gonna have a system stopping 100% of attacks; you're never gonna be able to say, you know, we've got a system so advanced that you don't have to think about it. Security is a practice. That means you should be doing it every day.

Security is something that needs to be built into the foundation or fabric of your applications, which means you need to be building that in constantly. If you're not, it's a problem. And if you position your product, if you position your company, if you position your services, if you position your open source project in a way that it's going to solve all the problems for all the people in all the cases,

that's a significant issue and you're putting the rest of us behind the eight ball, because then the question comes: this company says they can do 100%, why can't you do that? Now, the good news is, like I said in the opener here, that it's rare that we see that nowadays; the market is maturing, people have a better understanding. But I still, I'm a huge fan of being even more pragmatic than that.

And I know marketing folks, even my own marketing folks, you know, they're like, no, we need to be able to put a bit of a shine on something to make sure that it looks good, present it at its best, and this I 100% understand.

You know, that's just the way the world is, that's the way business is. You need to make sure that your solution is selling because that's how you make money. That's how you employ people, that's how you build better things.

But there needs to be this balance of saying, hey, for this problem set, we're a great solution and here's what we do really, really well, and, when somebody asks, being able to tell them here's what we're not so great at. I think there is a balance to be had.

And I think every year we get closer to it as a community. And I think that's a really, really positive thing. Because as I've been exploring more security over the last year, I've focused on sort of two aspects: the cutting edge in serverless and sort of the trailing edge in operational technology.

So things like robots and tractors and medical equipment and things like that. It's sort of an interesting confluence of two areas. We need to understand security principles and we need to be very practical, and very, very clear about the lines between what security can do and what security can't do, because when you're dealing with operational technology, more often than not you're dealing with threats to human life, like literal threats, not hypothetical threats.

It's the cybersecurity of this robot that's working right next to people, or a tractor that is, you know, driving on a farm that people are also working on, health care where people's lives are literally hanging in the balance for these machines.

So it's not hyperbole to say that, you know, this is a zero risk tolerance environment because people's lives are at stake. You know, if your website that's selling widgets goes down, nobody's gonna die. You're gonna lose some money.

That's unfortunate, but nobody passes away. So it's a different risk model. So that's really where you need to be very, very pragmatic and very, very understanding of what's going on. And in serverless, it's sort of that interesting contrast in that we're exploring the security principles and reapplying them in completely new ways, because all of our existing controls and technologies kind of break in that environment.

So I like studying both of those, but they both come back down to being open and honest that security is there, and to making sure that your systems work as intended and only as intended. And that's where we need to go.

So I'm really excited to see the fantastic innovation this week at RSA. You can follow along on Twitter; the hashtag is #RSAC, RSA Conference, or RSA. And there's gonna be a ton of great content this week, some amazing talks, some solid keynotes.

The expo hall is gonna be, I think, some interesting companies pitching their new approaches to different things, hopefully in a great pragmatic way. And just in general, the hallway conversations at this conference are fantastic. I'm looking forward to today,

you know, partnering up with my friend Andrew Hay and delivering that Ransomware and Destructive Attacks seminar. And I think that's really where, well, we're at least hosting it. You know, we've got a lineup of great speakers who are delivering it.

And yeah, just generally connecting and hearing some new ideas. That's what this is all about. As always, you can hit me up online at @marknca or down below in the comments. A little busy this week on site, but I will be trying to broadcast every morning, hopefully back on YouTube tomorrow.

I'm completely mobile this week, so no laptop. Even though laptops are mobile, I'm completely, like, iPad mobile. I'm gonna see how that works, because I'm gonna cut this video right now and put it up on YouTube with the normal trailer and stuff.

So we'll see how it goes. Like I said, hit me up online at @marknca. I hope you guys have a great Monday and we will talk to you soon.
