Event Recording

Security in the Face of Change: Past Lessons & Prospects for Our Future


The convergence of organizational decentralization, digitization, and global instability has raised the need to secure vital infrastructure. Can we learn from the past? Can we prioritize and plan future scenarios?
Join Elastic as we share insights and lessons from building security products and evaluating them, and gain ideas to plan your defense.

Hello everybody. Welcome to the conference and thank you for joining this talk on security in the face of change. It's a truism at this point to say that change is only accelerating: technological change, business model evolution, and a rapid shift in geopolitics. It really has felt recently like there are years where nothing happens and weeks where decades happen. My name is Anthony Scarf, Director of Information Security at Elastic, a distributed, remote-first and cloud-first company since we were founded in 2012. Prior to that, I worked in places with a bit more of a perimeter. I was part of the group information security team at Nestle for eight years in both security architecture and leadership roles, prior to that building secure infrastructure for a UK government and Ministry of Defence contractor. Now, I didn't agree with Thomas Friedman in 2005 when he wrote that the world was flat, but I do agree with him on this point from a more recent article in the New York Times that we have never been here before. And I don't want to sound alarmist or suggest that this is the most dangerous or the most precarious or the most uncertain time in our history.
But I do think that this current blend of digitization and decentralization, automation and geopolitical change is indeed new and different and unique. Together, they point to the fact that we are in the midst of an era of rapid and enduring change that has studied at different points throughout our history. In just a few months, the COVID-19 pandemic brought about years, perhaps even a decade, of change across all sectors of the economy and all regions of the
A study by McKinsey found that organizations had accelerated their digitalization of customer and supply chain interactions and their internal operations by around three to four years. And the share of digital or digitally enabled products in their portfolios accelerated by around seven years. And many of these things were possible before the pandemic. So when asked why they hadn't implemented these changes before the crisis, the most common answer was simply that there hadn't been enough of a business priority to drive that alignment. And the pandemic, the crisis, removed that barrier. So, much as Newton's first law indicates, resistance to change is normal for all organizations and their customers alike until acted upon by an external force. COVID-19 was that force, and the changes will endure. Post-pandemic, employees now expect to work remotely, having adapted their lives to a new world. Customers take more of their interactions and purchases online and expect answers to their questions digitally from wherever they are. And hiring managers want to recruit talent wherever it exists and not hope that they can find it within 20 minutes of your office. The digital and virtual worlds have never overlapped to this extent, and this creates new challenges and new opportunities.
Every aspect of our lives changed since 2019, with improvements in financial services, telehealth, supply chain automation, online retail and remote learning. And quicker than we expect, these expectations just become normal. And going back to how things were before becomes impossible to imagine. What that means for us in security is more devices, more decentralization, more data, more reliance on the cloud, more integrations and more attack surface to defend or to exploit. What isn't changing is our capacity as humans.
So if we're gonna live in this more complex world, then we have to expect that we will use more automation. And automation is not just a quest for efficiency. It's becoming vital in this changing, more complex, technology-driven world. And what we feel as security leaders or as information technology leaders, being pushed to do more, to go faster, to do it better, to do it with less resources, is not unique to us. Even if it sometimes feels that way, it's felt across the business, and the need for more resources, more expertise is felt everywhere, from engineers to marketers, to cooks in restaurants. At the same time, this digitalization is giving us power for tremendous insights that would be under the capacity of any individual to analyze or to process for themselves. The paradigm shift that we felt with the dawn of the internet will now be felt again with the growth of data automation and artificial intelligence. And there is no road back, quite the opposite. In fact, automation itself is undergoing an evolution as it grows from the assisted intelligence that we use to power and automate simple, repetitive tasks with well-defined inputs and outputs to augmented intelligence that organizations use to analyze their data and drive faster decision making. An example is ride sharing companies that use augmented intelligence to analyze data, operate their service, connect drivers with passengers and monitor supply and demand to dynamically adjust pricing. Something I saw for myself on the way from Berlin Airport the other day.
And increasingly we will see decision making handed over completely to algorithms through autonomous intelligence like that used to power driverless cars, autonomous underwater exploration vehicles, and even as simple as creating our increasingly personalized and filtered social media feeds. There's a popular notion that the future is already here; it's just unevenly distributed. I remember my first trip to Silicon Valley after the pandemic, walking down the street in Mountain View, watching autonomous vehicles, delivery vehicles zipping past me. I spent much of the last two years working from home in Switzerland surrounded by fields and cows and felt like I'd woken up in a William Gibson novel. But even closer to home, the self-service farm shops that surround my village had finally adopted mobile payments, forced to scrap their cash boxes and accept mobile payments if they were to stay open once handling cash was no longer deemed safe. So this trend to increase digitalization and automation is here. It's real, and in increasingly mundane and everyday use cases. These changes are unfolding in a world that is departing rapidly from the trajectory that many of us thought we were on throughout the 1990s and the first decades of the 21st century.
The age of the global internet is over and the internet is now splintering along ideological lines. This splintering manifests itself through nation-state firewalls, battles over norms and standards, export restrictions on technology like semiconductor manufacturing technology, and with cyber attacks. Data residency is a less troublesome, but equally consequential impact of this splintering. GDPR has been with us now for four years, and Germany had strong privacy laws even before that. But Europe is now not alone. Countries as diverse as Bahrain, Israel, South Korea and Canada now all have data privacy laws of their own, some of them mandating jail terms for transfer of data outside of their zones. In the US, California was the first to move, but now something like 15 states are looking at their own data legislation for data privacy. As the internet splinters, it is becoming less trustworthy. There's an old saying that a lie can travel around the world before the truth has even put on its shoes. And this has never felt more true. And disinformation is not new. It's been used since the dawn of time by political activists, governments, corporate competitors, by scammers and schemers, as long as humans have walked the earth. But what has changed is the speed with which believable disinformation can be created and distributed. Deep fake technologies allow the modification of video and audio, while the prevalence of social media rapidly amplifies its propagation.
More than half of US adults now get their news from social media. It is both a target and a platform for attackers and just as core to the modern internet as DNS, HTTP and the underlying infrastructure. If we see cybersecurity as a data integrity and brand protection problem, then disinformation is a security issue. And as a modern CISO, you will be pulled into discussions that involve brand protection and customer trust. So what does this mean for us? Well, it means a lot. I wanna focus on four things. First of all, we saw from the last discussion that the role of the CISO is changing. And in fact, if we're anywhere near close to keeping up, it should have already changed. Modern CISOs are moving away from being purely a technical or operational leader to a business leader who can frame security in terms of enabling business outcomes. And modern CISOs don't speak to the board about knobs and dials, but about product security and the security culture that we need to enable that, about talent acquisition and retention, and of course about enterprise risk. CISOs need to be business leaders, not just for our own sake, but because security is increasingly part of our business strategy and top of mind for the board.
Think about your post-COVID attack surface. Your employees are now everywhere: in the office, at home, in coffee shops, in a different country, on different hardware that you don't control. So how do you think about your attack surface and how that changes your risk profile? How are you keeping up with changes to the infrastructure that you have? If you're in the cloud, take advantage of the fact that the provider knows exactly what you have, where it is, and how long it's been there, and they make that data available to you at the end of an API, and you can trust that it's accurate because they use it to generate your invoice. Of course, security doesn't exist in isolation, so anything you use has to integrate with your existing context. So how open are your vendors to that? Can you add additional data feeds to your security tools? Can you integrate your own tools or do you have to use theirs? The best security teams and the best security leaders know that breaches are inevitable and security will fail at some point. So we need to have response plans with detailed playbooks for different phases of response, stakeholders with roles and responsibilities that they know about ahead of time and not only when things go wrong. And it's important to test these.
Breaches don't happen Monday morning at 10 o'clock when everybody's at their desk and they've had two coffees. They happen on a Friday night of a holiday weekend when the CEO's on vacation, the CISO's on a plane and key leaders in the SOC are unreachable. Security is now a data problem, and observability and security are now intertwined, with more and more of our applications being delivered from the cloud and accessed anywhere, whether that's by our employees or by our customers. More now than ever, our application is tied directly to business revenue. Security and observability teams rely on very similar data, and evil happening or a problem happening makes your application stack traces just as valuable to security teams as network logs have been in the past. So be careful of silos of information and remember that security is a data problem and more of that data available to your security teams the better. When the Log4j event occurred last December, many organizations went through similar drills of trying to understand where Log4j was embedded in their environment so that they could fix it through patch cycles and upgrades. And some of those upgrades and patches were easy to achieve. Some of them were much more difficult or even impossible in the short term. And at this point, visibility into the environment and identifying potential compromise becomes critical and top of mind to business leaders and their security teams.
At Elastic, we look back through petabytes of information over a year to ensure that we hadn't already been breached before the Log4j vulnerability had been made public. We now live in a world characterized by a shortage of key skill sets that pervades every discipline, whether that's startups yearning for engineers, InfoSec leaders trying to fill an analyst role, or DevOps and SRE teams who are crushingly overworked. The best way to approach this is to recognize that it will continue to exist and to plan for it. Now, diverse teams are better teams. I've seen this firsthand time and time again, and diverse inputs and perspectives are critical to security. But it's not enough to think about this only when we are hiring, because hiring is an incremental addition that isn't gonna change things for us. So think about a federated approach to security that puts responsibility for security closest to where the work happens. Building a network of security champions across the industry, sorry, across the organization that don't just add but multiply our impact. What is your automation strategy? Do your security teams even have time to think about automation or are they just too wrapped up in the day to day to get out of that? It has to be deliberate. It has to be an investment, it has to be made a priority.
So what workflows can you automate? How can data help that? Whether that's by enriching data that gets to an analyst so that they can make decisions faster, or getting to the point where you have such confidence in your data that you can take actions without a human being involved, remediating, stopping attacks, or at least getting the ticket to the right team and a Slack message to them to tell them that something needs to be fixed. We shouldn't need people for this anymore. I'd like to close not by talking about technology specifically, but about change more broadly and how we might deal with it. We've been saying for many years, over a decade I think, that the perimeter is dead. But very few security teams have actually acted that way, at least before the pandemic. I believe strongly, coming from a distributed company, that the new remote, distributed, from anywhere, from any device can be a more secure model than the way we did things before. But that's not gonna happen by itself. Likewise, I think that managing change in an agile world of DevOps and SRE workflows, that scared security teams to death a couple of years ago, is actually better.
A world where changes are scrutinized and approved and peer reviewed at an atomic level by engineers close to the problem is much better than the world we were in before, where a disconnected change advisory board would look at it from a high level. But again, making it more secure, more efficient, more effective is not gonna happen by itself. So CISOs need to be there doing the work and leading small security teams should be thinking about how we adopt these practices and technologies for ourselves instead of our first instinct always to be how we control and manage other people around us. So technology can be an enabler of repressive regimes who wish to control and control what their citizens can or cannot see, and use the power of technology primarily as a way to extend or cement their own power. But it's also increasingly an enabler of human flourishing. It's how we learn, it's how we communicate with each other. It's how we explore the world around us. So as security leaders, we should see change as a very positive thing, and not just enable innovation, but embrace it. That's the thing that ultimately keeps us safe and secure, recognizing that while the pace of change has never been this fast, it will never be this slow again. Thank you.
