#RSAC: Wendy Nather: Why AV Should Never Have Been Invented and Why We've Brought the Skills Gap on Ourselves

Written by

Of all the people I met at RSA Conference 2017 in San Francisco this year, the one who left the biggest impression on me was Wendy Nather, previous CISO, then analyst, and now at home in the vendor sector, working as principal security strategist at Duo Security.

She made the biggest impression for two reasons. The first is that she is just a wonderful person. The second is that she is one of the only people who told me something new. Something I’d never thought of before, something controversial, and let’s face it, that is something us journalists search out and celebrate.

Nather has many alternative – perhaps controversial – thoughts on the industry, and the hour we had together simply wasn’t enough to drill down on all these ideas. I very much look forward to doing this with her in the future.

For now, I’ll summarize some of the highlights of my conversation with Nather.

“We wouldn’t have a skills gap if we didn’t make technology so hard to run in the first place”.

“You need several degrees in this industry to be able to build and manage this stuff”, which is great for the education and training industry, Nather laughs. She believes that we have “created the skills gap problem ourselves. This self-feeding skills gap is a result of the complicated technologies we’ve created that need so much man power”.

The industry tells itself that growth is good, she continues, “but we shouldn’t need this many people if the technology didn’t require so much human power. Too many layers have been added, it’s not sustainable.” Nather adds that CISOs want to reduce their portfolio of vendors and products, a point also made by Dr. Zulfikar Ramzan, CTO at RSA Security in his RSA keynote.

Nather references the Bank of America’s cyber-defense metric, a scorecard to plot out your security products and look at what they’re protecting, detecting and responding to. “It’s a practical matrix that considers what requires the most time and people. It’s going to help a lot of organizations rationalize their portfolio,” she says.

When asked what she would change about the industry if she could travel back in time 25 years, Nather says she would “kill baby anti-virus. I wish AV had never been invented,” she says. “It has put us on this road that we’re on now. I blame the mentality that security is an add-on. We’ve built an industry completely separate from what it should be securing,” she laments, “it’s really hard to go back.”

“We should never have told people not to write passwords down.”

Telling users not to write passwords down means that they opt instead for simple, memorable and thus easily breakable passwords. “This was a huge mistake,” declares Nather. While she obviously does not endorse writing them on post-its and sticking to laptops, she does suggest that a secretly-stored written password is a better alternative. “A password manager is an intermediary between the user and system.” Nather describes this as building in another interface to protect users against “the terrible malignant growth of passwords.” 

We wouldn’t have a skills gap if we didn’t make technology so hard to run in the first placeWendy Nather

“Too many people in the industry still feel that the answer to our problems is technology.”

“Too many people look at adding and refactoring technology as a solution”, which Nather disagrees with, most of the time. Her disdain for the method of stacking technology and product after product on top of each other is no secret. “As an industry, we always look forward, never look back to learn from our mistakes and rectify them.”

“We need to stop blaming the user.”

“I’d love to see a trend whereby we stop blaming the user for everything,” considers Nather. “Maybe we built the ecosystem wrong, maybe we’re building technology wrong.” After all, she adds, users misuse complicated technology.

Duo Security’s objective, Nather explains, is to “democratize security and make it more reachable and simpler.” Making technology that users actually want to use is paramount, she explains. “You need to make technology that users want to use, not just technology that people want to buy. We have to sell the user on our technology.”

Nather tells me that the net promoter score at Duo Security is very good, a benchmark that she was not aware of as an analyst. “The industry doesn’t often talk about net promoter scores because we don’t normally get good scores in security.” Practically speaking, it should be a big selling point, Nather says. “If we do a good job with a product, people will use it throughout their lifetime, so we keep that in mind.”

“We should be asking questions around how to define multi-factor authentication.”

There are more than 80 vendors in the access and management space already, explains Nather. In fact, Gartner are making a separate access control quadrant.

“We need to secure access in a more flexible way and we need to authenticate systems and applications, not just humans.”

On the topic of using machine learning and artificial intelligence (AI), Nather says they are always looking at better ways to pull insight from authentication events and find behavioral patterns. “Machine learning will play a role in helping us mine better insight from data, but will it take over from decision making? I don’t know. Some of AI is trying to solve things we’ve built that we’re not smart enough to manage,” ultimately, though, “AI is led by our intelligence to build it.”

 “When I was a CISO purchasing decisions were driven by the top right corner of the quadrant”

There is so much marketing noise in the information security industry that CISOs have to rely on peers and analysts to make decisions. “They just don’t have the time to do the research they need,” she says. “When I was a CISO and wanted to buy a product, I’d take it to my CIO and he’d want it to be in top right of quadrant. They want and need that validation.”

When I was a CISO purchasing decisions were driven by the top right corner of the quadrant

“Analysts are burning out.”

When I ask Nather which of her roles – CISO, analyst or now vendor – has been the most intellectually challenging, she doesn’t know how to answer. “They all are in their own ways,” she finally answers. “Analysts are all moving on because they’re burning out. There were 1200 vendors in the US database alone [at 451 Research] and the “real challenge is to understand what one company is trying to achieve in an hour briefing.”

“CISOs, however, have to sleep with their phone on. They have a huge amount of responsibility at any given time, and they have to rely on the good will and understanding of everyone in their organization,” she says.  

“To make security better, we may need to use reduce our choices.

Take cars, for example, she says. “There are only so many types of engines you can get. Our industry needs to learn that we don’t need to invent our own engine.”

“Information security doesn’t have a manufacturing model. Instead, everyone is writing their own magnum opus, and they are so different that it’s hard to secure in a repeatable manner or find all the flaws in them.” Nather insists that it is time to stop reinventing the wheels. “We need to find and stabilize the things we know work and everyone else will have to live with it. Maybe then many people would be out of jobs and we wouldn’t have the skills gap.”

Taking the choice away will make people sad, but it will make people safer, so that’s what we have to do. “That’s the only way we get to keep the public safe. Artistic license shouldn’t threaten the safety of the general public.”

Amen to that. Wendy Nather, what an absolute pleasure.

What’s hot on Infosecurity Magazine?