Ladies and gentlemen, please welcome Senior Vice President, Chief Security Officer and Trust Officer, Cisco, John Stewart.
I hope you guys are wide awake, because poetry at that hour of the morning is something I never thought I would hear at RSA, and I was smiling in the back thinking, how do you follow that? Well, part of what I wanted to celebrate was the fact that being here at RSA in 2019 to me is one of the paramount possibilities of my career, to actually talk up to you for about 20 minutes about the state of the cybersecurity industry as it is right now.

Part of the situation we face in, in this year is that we're looking at new business consumption models, the emerging technologies that you all face, AI, ML, every letter you can imagine, so much so that you have to be an acronym monologist actually in order to figure out exactly what they all mean. By the way, look that one up in Webster's. Vulnerabilities are up 20% by all accounts. We have more threats, we have more costly breaches each and every single year. The speed, complexity, intensity of the attacks that we're facing has just challenged every part of our industry again in another year. We've had 80,000 new jobs open in the last year that we can't fill. We don't have enough people to fill them, we have enough trained people. And as you can see, again this year we have more vendors, we have more solutions, including from us, and frankly are looking a little bit of the same results.

Just this week, just this week, five new startups started, four shut down because they ran out of money. We had the first combination attack where you actually hit multiple sectors at the same time, just this week. And we have 50 million data records hit. We had at least two board directors that are under civil lawsuits, and we've had four executives fired for breaches in this week alone, while you've all been sitting here. And by the way, one government attacked another one publicly. Just last month Cisco launched the annual cybersecurity report for 2019, and by the way, the conclusion is that we are completely screwed, even more than we were last year. Congratulations. Welcome to RSA.
That's exactly the speech I didn't want to give. That's precisely the speech that I have no interest in spending any time next year, and anybody on this stage should not have to give. I imagine you've heard that speech plenty of. In fact, I think RSA now hands out buzzword bingo cards for all of us that are actually talking, to get a sense of what in fact will be different.

None of us keynoting should give you that same old speech. None of us should actually be talking about the threat landscape being bigger and larger and no problem without an attack here. And the truth of it is, for having done this for about 30 years, it feels like at times we're trapped in that sort of textbook definition of insanity, where we're doing the same things and getting exactly the same results and not making enough progress as a result of it. In short, is the work that we're doing actually going to be enough to stop the problems faster than they're growing? Now, I appreciate how hard this is. I've been operating in protecting networks for probably odd thirty years, and in the end, believe I, I actually don't feel like we're doing enough yet for all the hard work you all go through.

So as I stare at it, I think all of us have to ask three questions. I asked them of myself, and the first is: where are we today? Where are we going, and is it the right direction? And what role does every single person in this room, be from government, education, be it from commercial institutions, people on stage, people seeing the audience, people in the booths, companies, leaders, operators, hackers? Because we're critically dependent on technology and we're protecting it in a way that isn't effective enough yet.
So my conclusion to the question, where are we now, where do we have to go, and what is everybody going to do, is going to look like this. And I think you have to have answers to the questions that I just posed. Not my answers, they have to be yours. Because right now, if an attacker could be inside a network for 146 days before they're seen, and we're not tapping into half the population in order to get diverse teams to fill the jobs that are already growing and far too many of them that exist, that in fact we don't demand vendors develop products with security in mind, I would argue that we're making the future worse, not better.
So my conclusion about this is, let's stop that madness. We have to think about different ideas, we have to go a different direction, we have to try something different than we have tried before. And think of it this way: if we had one year until 2019, the real 2019, what could you do in one year if you essentially wipe the slate clean and start it over? Now that's where imagination comes in. Well, you actually imagine where you're going and then find out how to get there as you do it.

So imagine this. Imagine a world where we could actually anticipate when an adversary is going to attack us. Imagine where the cost to attack is actually more than the cost to defend, or the risk is higher. Imagine a world where we actually know our systems better than the adversaries do, which seems to be the case pretty regularly. And what if you could have a five petabyte data array pulling 300 terabytes of information from around the world, and you could figure out how to stop or preemptively stop an attack before it was effective, in hours, minutes, and maybe even right at the same time that it started? Would you feel better? I know I would.

And then imagine a world where we've actually built teams based on the strength of diverse thinking, because it's politically correct but because it in fact, it actually produces higher value, where we're filling the jobs being created faster than they're being created. If those diverse perspectives and the different thinking actually come up with different outcomes than with in the past, because in fact we need them now, that changes the game in one year.
Then imagine a world where in fact you could, I don't know, trust a vendor. What a thought. Where in fact you know that the companies that you work with, and the colleagues that you are working with in them, care just as much about security in anything they do as you care about it in your job. That in fact you challenge the status quo of, hey, I'm just buying it because it's a good company brand or because I need it today, but you actually know that it was developed with security in mind. Now, everything I just described is extremely possible. You just have to decide it's gonna happen, and you have to then as a result make it happen.
So how do you get there from here? So though I take no pride in what I'm about to say, I travel about 300,000 miles a year on airplanes. I would highly recommend not doing that. But that said, one of the things that I get a unique advantage to be able to do is spend time in many countries and see the remnants of what's actually started in multiple countries around the world that is effective, that is actually working. And the, some of that good work in fact includes arrests of those that have broken in and done damage. Some of it in fact includes the fact that we've got penalties that are rising for taking attacks and harming other businesses. Frankly, there's a lot of those that we can learn from and build upon. The key thing I do think with high degree of confidence, though, is that despite all the newspaper articles, and whether or not we want to admit it or not, we're in all of this together: government, companies, citizens, vendors, you, me. And despite the chasms that seem to be being built, we actually have to find the common ground to make differences in a hurry.
Because ultimately success leaves clues, and failure leaves clues too, and I actually would prefer to look at the success part, because I'm too to lose.

Now let's talk about a little bit of the cybersecurity skills gap that we're facing today. Part of what we're facing right now is that by 2021, three and a half million jobs are gonna be available in cyber that don't yet have the capacity to be filled. And there are those who would argue technology is gonna solve all of this and we don't need those people. I think all of you would prefer that that's not the case, but I also don't believe it. I believe that people are essential. And yet 11% of the cyber security workforce today, probably in this room, is Allah, it's 11 percent is women. 11. Now, the global workforce is about half, and we have 11 percent in this field. And the highest concentration in the world in this domain is actually here in the United States, where in the technology world 48% of the workforce is women and we have 14 percent that are actually in cyber.

We have role models. We have proof of incredible leadership from women: Sarah Andrews, Melissa Hathaway, Theresa Payton, Mary Ann Davidson, Judy Novak, Myrna Soto. And we lost one this past year in Becky Bace, who is an industry leader and an icon that I want to make her proud. I think all of you should too. It's just a partial list. And it's not about this politically correct thing, it's not just in vogue to actually go after this problem. It's actually strategy, partially because it's an under tapped community that we could hire from, and partially, in all candor, because scientifically it's been studied that diverse inputs to teams make them better. And if nothing else, our, our adversaries cover all walks of life. You can be a hacker no matter who you are. So why not have the same kind of thought process of all diversity in the very teams that we have? I think it actually switches the advantage to our side, because unilateral thinking quite possibly got us to where we are now, and diverse thinking, I have a tendency to believe, is going to get us out of it. By the way, if you want to know some of the rest of those outcomes, feel free and drop a note, because I'll tell you my own team's experiences in many of these examples.

But I want to talk about global examples of changing this entire dynamic. And the first one, give an incredible shout-out to the Girls Go CyberStart that just happened this year. Eighteen governors got behind a program that was led by SANS and had an incredible backing of an innovative skill and technique and test and game that brought 6,000 high school girls into the cyber world in this basically a one-week contest. You can hear a little bit more about that, so it almost do all the thunder, but the idea is that next year all 50 states are going to be participating, 20,000 girls in high school, into college, and hopefully all the way into the workforce that I just mentioned we need them in. Women in Cybersecurity, it's in its fourth year, WiCyS. It was an NSF grant, it's now a 501(c), it's actually not for profit, and the attendees have jumped by 200%. It doubled this year for the programs that they've put in place. And then we, and I challenge all the other companies sponsoring this conference to do exactly what we did, we put 10 million dollars to work three years ago, actually technically about two and a half years ago, and have now gotten to a place where we have 19,000 students in programs for cyber. And I wish I could dive into every single thing that's on this page. There's no chance. If you don't know what these are, if you haven't had a chance, I would ask you all to get involved in at least one of them. That can change between now and a year from now what we face.

And now the eminently difficult word to imagine: what is trust? I think trust is one of those things you actually know when you have it, and you're very convinced when you don't. And by the way, if you've lost it, someone will point that out to you.
Systems are being attacked right now. They're very critical life systems we have, be it the financial sector, be it the information systems, social media. They're all being attacked today, and yet we, we really do need to trust those. They're essential to get through the day. In 2015 I published a blog and wrote a paper that essentially said, why is it that we're just trusting vendors because we buy the product, but don't say, hey look, how did you develop it? How did you actually make sure that you cared about it the way I do? Because I'm gonna rely on you to do many, many things with who and what you build.
I actually think embedded security has to be challenged in to the vendor community, where the, essentially you, you as vendors or as consumers are saying, I think this matters to me just as much as the fact that it's cool, it's this color, or it's this particular painting. I need to change your thinking, Mr., Mrs. Vendor, to have security in mind. We actually have customers that are doing this now. We have a global service provider that challenged our company and said in very comprehensive terms, you had best do this right, and when it goes wrong you'd best handle yourself correctly. So my takeaway from that one is, security and privacy, you're actually gonna be pivoting fairly soon, if not already started, to where vendors are going to differentiate with you on whether or not we do it right or not and how we handle ourselves when things go wrong.

Now this is a whole lot of hard work, but I also want you to remember something that a good friend of mine tells me regularly, which is: don't ever confuse hard work with results. Why do I say it? Well, despite all of the hard work I just described, I'm gonna give you some information that would suggest that we are not doing enough still, by showing you what we're, what we're facing in data. By data I mean objective information that essentially paints a picture.

So this year, 2018, we now have nearly half the planet connected to the Internet in some way or form: a smart device, certainly a PC, laptop, etc. That went from less than 7% of the population 18 years ago. Half the world is connecting to the internet now. By next year, all projections being counted, malware that is in the form of ransomware went from a 300 million dollar business to an eleven point five billion dollar nightmare, just by next year. By the way, if you do the math, if you're really truly math geeks, you'll realize that at the moment, because of that opportunity, every 14 seconds a new type of attacking ransomware has been launched, because there's so much possible money involved. By 2020, and I remember very distinctly when there was a discussion that said, hey, fifty billion devices are gonna be connected on the internet by 2020, I think it was anybody saying it was laughed right out of the room. Now all projections suggest that it's about 200 billion IoT devices of some type are going to be connected to the Internet in two years. 26 IoT devices per person. However, the number of insecure, non-development with security in mind devices joining the Internet has far exceeded the number that were designed with security in mind. That's a trend line that'll tell you why I think we need to do more. And last but certainly not least, the amount of cyber crime went from three trillion dollars, all counted as best as anyone can count it, and it's going to double by 2021. This is not a commercial to get into the cyber crime world.

How messed up is that? Are you okay with it? I'm not. It's not like we didn't try and stop this, but look at what the data is telling me and what I think the data should tell you. We're the, we're the leaders, we're in, we're the ones, we're the ones that actually have to turn these tides. So the question then becomes, how do you build through the positive actions to change what the data shows? And this is where I think we are historically in time. The boardroom, governments, people, citizens, everyone's awake to this. The level of knowledge and insight towards cyber right now is the highest I've ever seen, and we're going to essentially be remembered for creating some of these challenges, and ultimately be remembered if we've fixed some of them.

Crazy ideas. What happens if all of a sudden we suggest that all countries should ensure that clean devices are connecting to the Internet? What happens if we figure out a way to help service providers be successful and also filter malware off the internet? And then what happens, and this is always important, my dad always said this to me:
What happens if you don't do it? Well, what if I believe is gonna happen is, if we don't control this outcome, there's going to be disruptive events, including strange laws and regulations. They're gonna push it. GDPR, net in the air PNAS directive are essentially first indicators that we have something going on right now which says we have to do more, and in since the industry hasn't, we're going to start putting regulations into play. I'm not arguing against it. I'm just suggesting that if we don't can take control of our destiny, it's going to be taking control for us.

Now I think you all believe that the security is a mission critical element of our world. That's probably why you're here at RSA. That and all the parties, I get it. I think we also have to do something which is uncomfortable. We have to bring and talk to people that frankly we don't usually talk to. We don't usually talk to government leaders. We don't always talk between security and IT teams. We have to bridge chasms, because it's not about holding this information close and saying, hey, it's security, it's, we got to keep it tight, we can't let you know. It's about bringing other people into the discussion.

In case you don't have any ideas on how to do some of this, I have 10 ideas. And the first is certainly knowing you better than the adversaries do. The second is the multiplier effect pledge, where you can sponsor another person and help them in their career. The third frankly has changed the vendor game and say that security has to be part of their development process as part of your conclusion to buy from them. And the fourth, and never to be underestimated, is you've got to demand, truly demand, explicit trust in this discussion with the people and companies you work with. So pick one, pick three. I'd be interested to see if you pick all ten, and I'll be interested to talk to you in a year, give a very different speech than I started with, and change where we are going before it changes on us. Thank you very much for spending 20 minutes with
