From San Francisco, it's theCUBE. Covering RSA Conference 2020 San Francisco, brought to you by SiliconANGLE Media.

Hey, welcome back everybody. Jeff Frick here with theCUBE. We are wrapping up Wednesday here at RSA 2020 in Moscone Center. It's the year we know everything. It's Women in Tech Wednesday, and we're really excited to have our next guest. She's been coming to the show for a very, very long time. She's really dialed in with the community. She's an author, I got the whole as author, advisor, consultant, speaker. I could go on and on and on. She's Shira Rubinoff. Shira, great to see you, and welcome back to theCUBE.

Oh, thank you so much. Pleasure to be here again.

Yeah, so RSA 2020, a lot of kind of crazy stuff going on, a little coronavirus kind of impact, which is really interesting, coming off of Mobile World Congress, being in the event space, and kind of seeing how this is going to shake out. But the theme this year is the human element, which kind of plays right into your strength. So just first get your kind of impressions of the show, and really kind of that theme, and kind of your take on why that's an important theme for RSA this year.

Certainly. Well, I think the human element has always been at the forefront. It's just now becoming accepted and put at the beginning of what people are really talking about. We talk about the people, the process, and the technology all the time. When it comes to practice, everyone's really been focused on the security and the technology, but they forget the human element. And RSA this year is really focused on the human element being at the forefront. We have to realize there's a human creating the technology, a human at the end of the technology is trying to help, and the glue in between the process. How it all intersects together really depends on how people embrace it. And that was actually the premise for my book, Cyber Minds.

So yeah, plug for the book. Plug for the book.
Cyber Minds is a book as I view cybersecurity as the umbrella over all other technology. You need cybersecurity intersected in some way when you're dealing really with anything. But the human element really takes the forefront. So I really talk about cybersecurity and cyber hygiene and cyber elements within the book. And cyber hygiene I broke down into four categories, which are training, and that's ongoing training from the top down, being from the board and all the way down to the intern, global awareness within the organization, keeping that culture going, security and patching, and digital transformation within the organization, as well as zero trust. And I take that and I really continue with it throughout the book when we talk about blockchain, artificial intelligence, internet of things and cyber warfare, and really showing how the human element is an integral part of everything we're doing in order to protect ourselves as people, as an organization, and just all as a forefront. And sharing of information now is completely critical and it's being done because of that human element piece that's being embraced and understood.

A lot there is to unpack, right? So the human element is interesting, right? So it used to be pretty easy to identify a phishing attack, right? Bad grammar and everything a little bit out of context and maybe the vocabulary wasn't quite right. That's not the way anymore. The sophistication of these attacks, the phishing attacks specifically. I had a friend in the real estate business, and it was an email from a banker that he does business with at a bank that he does business with around the transaction that he had knowledge about and doing a wire transfer. And it just was slightly mistimed where he called the banker, his buddy, and said, did you send this?
So in the age of deepfakes, which is barely beginning, in the age of this more advanced AI for them to really put together these packages and really infinite bandwidth, time and money if you're really trying to purvey. How will the role of the human shift, can we really expect them, even with ongoing training, to be sophisticated enough to keep up with these attacks?

Well, I think it also boils down to real-world examples. We have to really understand the demographics that we're working for. I think today it's the first time really in history that we have four generations working side by side in the workforce. So we have to understand that people learn differently. Training should be adjusted to the type of people that we're teaching, but phishing doesn't just boil down to clicking on links. Phishing teaches also, it boils down to tricking somebody, getting someone's trust, and it could come in many different forms. For example, think of social media. How do people connect? We're connecting across social media on many different platforms. I'll give a very easy example. LinkedIn, LinkedIn is the business platform. We're all connected on LinkedIn. Why are we connected on LinkedIn? Because that's a social platform that people feel safe on, because we're able to connect to each other in a business form. However, think of the person who's getting their first job with an organization. Their first job in, maybe they're a project manager, and they're working for Bank A. Excited to be working for Bank A. Hey, I'm gonna list all the projects I'm working for. So here's now my resume on LinkedIn. I'm working on Project A, B, C, D, and this is my manager I report to. Perfect. There's some information sitting there on LinkedIn. Now, what else I will tell you is that you might have somebody who's looking to get into that bank. What will they do? Let's look for the lowest hanging fruit. Ooh, this new project manager.
Oh, I see they're working on these projects, and they're reporting into someone. Well, I'm not a project manager. I'm a senior project manager from a competing bank. I'm gonna befriend them and tell them that I'm really excited about the work they're doing. So they're social engineering their way into their friendship, into their good graces, into their trust. Once somebody becomes a trusted source, people share information freely. So people are putting too much information out there on social, trusting too easily, opening the door for more than a phishing attack, and things are just rapidly going out of control.

Right, well, it's funny. So one of my other favorite women in cyber is Rachel Tobac. I don't know if you know Rachel, but she's famous for, you know, kind of live hacking at Black Hat, all social engineering, calling people up and just getting through. And, you know, she says she's basically undefeated.

Well, think of it this way. If you're thinking about the human element, why do people act quickly? The biggest problem is people don't stop and pause. So if you think about my background also is in psychology and psychology and business.

Great, great.

So when you deal about the human element, it's panic. Let's set panic in. When you set panic in on a personal nature, people are quick to respond and quick to give over information if they feel it's pertinent to them. Calling someone quickly, hey, your babysitter called, I need your social, anything like that. To set somebody into a spin, they're very quick to give over information because they feel personally at risk. When it comes to business, in the business setting, it may not be as personal that way so they kind of pause it back. But the way people get in is through other social channels in ways that are more personal to individuals.

So that is more sophistication around the human training element, really the key as opposed to, God knows how many vendors are in this building right now.
I mean, I feel so much for the buyer trying to sort it all out, right? And there's big players, the established solutions that have been around forever. And then of course, you get to spice with the startups that are cutting edge and doing new things. When in fact, all that goes out the window if I can call the person up and say, you know, your house is on fire, please give me your password to your front door because I got to get the kids out. I mean, I'm exaggerating to make a point, but it is enough appreciation going into the human factors of training, not on the technology side, but really the motivators for people to do things, to try to please, right? That's another great motivator to try to please.

Well, right, because people like to be wanted, they like to be acknowledged, they like to feel they're doing good. But again, it boils down to the people, the process and the technology. You can't have one without the other. You can't just focus on the people without focusing on the technology. But if you leave them as separate entities and you don't deal with the process in the middle, that glue, you're going to leave yourself open. So they have to work hand in hand all the time. It's something that's a one plus one equals 10 at that perspective. So yes, you really need all of it together.

The other thing that we hear over and over and over, right, is just zero trust, the whole concept of zero trust that's been around for a long time, which you just assume that the bad guys are going to get in. So then how do you try to find them quicker? How do you try to limit what they can get once they get in? So it's a really different kind of point of view to take a zero trust attitude on the assumption they're going to get in at some point and then try to mitigate the damage after the fact.

So I look at zero trust from a little bit of a different perspective. I think zero trust is pertinent. Everyone should be using it because again, you're authenticating yourself.
You're giving access only to that person for that specific task. But again, organizations, if they say we're locking down everything all the time because we want to be secure, the employees are going to say, this is ridiculous. We don't have to be locked down for ABC. It makes no difference to us. What I say to organizations is, don't lock down things that don't need to be locked down. And when you do lock down something, it's important to have that 360 dialogue with your employees. Explain why, make them part of the solution, not part of the problem. If everyone's saying, hey, you human, you're the weakest link, people are going to take offense at that and say, look, we know what we're doing. But if you make them part of the solution, hey, we're in this together, let's make this part of the culture. And they act as that within an organization. You're going to have the cohesiveness. So it becomes just an ongoing everyday life living thing.

Right, you know, that's interesting, you brought that up. Wendy Nather from Cisco was one of the keynotes on the first day and she was phenomenal. Her basic premise was we as an industry have been too kind of not inclusive, exclusive, like we own everything, we have all the control, we have all the answers, we know everything. And her whole gist was, no, you don't. You don't have the context necessarily to make risk trade-offs and benefit trade-off. You don't necessarily have the context to see the softer stuff. And really what you're saying, really embrace everybody as part of the solution as opposed to trying to preach people to do certain things and not do other things.

Well, a little bit of both, right? There has to be a proper balance, but also look at organizations today. In the past would be these are our solutions. We found out this intel, you figured it out on your own and that wasn't helping anybody. The idea now of sharing of information has become widely embraced.
Certainly in the larger security companies at large and they really understand the value of it. So when I talk about OTS, you do have to lock down certain things and people do have to understand where the endpoints are, but they also need to understand that they are part of the solution and where the end in the beginning happens.

So let's shift gears a little bit from the people and back to the machines because the other thing that's happening really, really fast, right, is IoT. A lot of more edge devices, a lot of sensor devices, we saw what happened with some of the Alexa devices that was not very good. So as you talk to your clients and people that read your book, how do you get them to think about IoT? How do you get them to think about this kind of machine and machine that will of course have 5G, which will just accelerate it at whatever 100X speed to think about working that in because we want API to API communication. We want machines to interface with each other. We want to remove that kind of human integration point a lot of times, but now you're just opening up a boatload more of attack surfaces, don't necessarily have the smartest machines and often they can be compromised in ways that maybe people didn't think through before they connected them onto the internet.

Well, it's also interesting when you talk about 5G, it's not that we could do things at that speed. It's also bad actors could do things at that speed. So you also understand the portals of what your connectivity is, your third party software, who has access? Where are the access points? How are you going to protect those access points? Because the speed is that much quicker, we have to be that much more diligent. So yes, they're massive, really good positives, but there's also some negatives. So if we have to be diligent around those, it could be fabulous, but it could also be really, really dangerous for us.

Sure, and it's coming, right?

It's coming.

All right, so give us the 411 on the book.
What's the kind of the top level themes for people to run out and get this? I saw some great reviews on Amazon and you're selling it upstairs. You know, what are kind of the really key takeaways here?

Well, the key takeaways are really, again, cybersecurity is the umbrella over all of the technology. When you think of technology, cybersecurity is part of it. And when you look at cybersecurity, that comes in many different elements. It's not just the technology play, it's also human element play. And the humans are an essential part of cybersecurity. Whether you're securing four or securing two, it's just an interplay of both. So Cyber Minds really touches upon all those concepts and all the latest and greatest emerging tech out there as well as blockchain, AI, IoT, cyber warfare. Think about it, it really just travels through and I had some really amazing interviews with some top of the minds within the book that really adds tremendous value to it and grateful for them.

Great, well I'm glad to finally get my own copy so I will be able to dig in and next time we talk, I'll be digging deep into this book with you and getting a little bit more of that insight.

I look forward to hearing your thoughts.

Well thanks, you hopefully can kick your feet up a little bit tonight, but probably not, I'm sure you're busy, busy, busy. Well thanks for stopping by.

Thank you so much. It's been a pleasure as always.

She's Shira, I'm Jeff. You're watching theCUBE. We're at RSA 2020 at Moscone. Thanks for watching. We'll see you next time. Thanks.