1. There's a shortage of good security people
No surprises here. Everyone who works in security is aware of this. I noted a lot of 'crowdsourcing'-based security startups, such as HackerOne and Polyswarm (who had one of the silliest giveaways at the show, a miniature cinder block on a necklace... yes, it was a 'block chain'). These companies aim to take a limited resource (security skills) and make it available to as many companies as possible. There were lots of vendors working with this model, including Bugcrowd and Synack, to name just a few more. Time will tell how successful this concept will be; as the 'gig economy' continues to grow, I can see this being quite popular amongst security professionals. Success will therefore hinge on the ability of these companies to market themselves and package this in a meaningful way for their customers.
2. Existing security teams don't have enough hours in the day
This is a variation on point 1, but different enough in application that it warrants its own bullet point. The terms AI and 'machine learning' have been thrown around so much lately that they get lost in the stream of buzzwords. Looking at the demonstrations, I saw a lot of quite practical applications of AI, designed to surface important security events and bring them to an analyst's attention. They seem designed to address one of two problems: either the security team is understaffed (or under-skilled, due to the lack of skilled staff), or it has so many sources of security data (firewall, IPS, proxy, ten client-side agents, cloud-based security solutions, and so on) that it is impossible to sort through the tidal wave of events and actually find the ones that need attention now. Many established security vendors have been promoting this concept over the past years, and the jury is still out on whether we have reached 'peak buzzword' status yet.
3. Everyone wants to be proactive in security, but few are
The show floor was one thing: full of big ideas, cool technology and freebies. A lot of the marketing promised the ability to lift security from a 'reactive' state, i.e. handling incidents as they come, to a 'proactive' state with more threat hunting in mind. I agree that this is the goal, and we as an industry should strive to get there as fast as we possibly can. But the talks on offer tell a different story. A lot of talks centered around human error, failures in basic security (default passwords, for example, in this excellent talk by Justin Shattuck), not patching, and other things we all know but still can't seem to do. Without getting the basics in line, no organization will be able to properly move to being proactive, no matter how much it spends on the latest blockchain-enabled AI in the cloud.
4. Increased awareness around mental health
A consequence of points 1 and 2, a shortage of staff and not enough hours in the day, is stress. Mental health saw an increased focus at Black Hat 2018, and although anxiety, depression and stress in the cybersecurity field are nothing new, these important, human topics got more attention amongst the community this year. At Baffin Bay Networks, we place a high value on work-life balance and employee health, and hope that these issues will continue to be brought up in the security community in more venues.