Shira Rubinoff | RSAC USA 2020
>>Live from San Francisco, it's theCUBE, covering RSA Conference 2020 San Francisco, brought to you by SiliconANGLE Media.
>>Hey, welcome back, everybody. Jeff Frick here with theCUBE. We are wrapping up Wednesday here at RSA 2020, Moscone Center. It's the year we know everything. It's Women in Tech Wednesday and we're really excited that our next guest, she's been coming to the show for a very, very long time. She's really dialed into the community. She's an author. I got the whole as author, advisor, consultant, speaker. I could go on and on and on. It's Shira Rubinoff. Shira, great to see you and welcome back to theCUBE. Oh, thank you so much. Pleasure to be here. Again, RSA 2020. A lot of kind of crazy stuff going on. The little coronavirus, you know, kind of impact, which is really interesting coming off of Mobile World Congress, being in the event space and kind of seeing how this is gonna shake out. But the theme this year is the human element, which, uh, kind of plays right into your strengths.
>>So just first get your kind of impressions of the show and really kind of that theme and kind of your take on why that's an important theme for RSA this year?
>>Well, I think the human element has always been at the forefront. It's just now becoming accepted and put at the beginning of what people are really talking about. We talk about the people, the process and the technology all the time. When it comes to practice, everyone's really been focused on the security and the technology, but they forget the human elements, and RSA this year is really focused on the human element being at the forefront. We have to realize there's a human creating the technology, a human at the end that technology is trying to help, and the glue between the process, how it all intersects together, really depends on how people embrace it. And that was actually the premise for my book, Cyber Minds.
>>So a plug for the book. Plug for the book. Cyber Minds is a, a book is I view cybersecurity as the umbrella over all other technology. You need cybersecurity intersected in some way when you're dealing really with anything. But the human element really takes the forefront. So I really talk about cybersecurity and cyber hygiene and cyber elements within the book, and cyber hygiene I broke down into four categories, which are training, and that's ongoing training from the top down, being from the board and all the way down to the intern; global awareness with an organization, keeping that culture going; security and patching and digital transformation within the organization; as well as zero trust. And I take that and I really continue with it throughout the book when we talk about blockchain, artificial intelligence, Internet of Things and cyber warfare, and really showing how the human element is an integral part of everything we're doing in order to protect ourselves as a, as people, as an organization and just all support friends and sharing of information now is being, is completely critical. And it's being done because of that human element piece that's being embraced and understood.
>>A lot, a lot there. Right? So the human over the string, right? So it used to be pretty easy to identify a phishing attack. Right. You know, bad grammar and everything. A little bit of context and maybe the vocabulary wasn't quite right. That's not the way anymore. The sophistication of these attacks, the phishing attacks specifically. I had a friend in the, in the, in the real estate business, you know, and it was, it was an email from a banker that he does business with at a bank that he does business with around the transaction that he had knowledge about and doing a wire transfer. And it just was slightly mistimed where he, where he called the banker, his buddy, and said, you know, did you, did you send this?
So, you know, in the age of deepfakes, which is barely beginning, in the age of this more advanced AI for them to really put together these packages, um, and really infinite bandwidth, time and money. If you're really trying to pervade, I mean, how will the role of the human shift, you know, can we really expect them even with ongoing training to be sophisticated enough to keep up with these attacks?
>>Well, I think it also boils down to real world examples and we have to really understand the demographics that we're working for. I think today it's the first time really in history that we have four generations working side by side in the workforce, so we have to understand that people learn differently. Training should be adjusted to the type of people that we're teaching, but phishing doesn't just boil down to clicking on links. Phishing teaches. Also, it boils down to tricking somebody, getting someone's trust, and it could come in many different forms. For example, think of social media. How do people connect? We're connecting for us social media on many different platforms. I'll give a very easy example. LinkedIn. LinkedIn is a business platform. We're all connected on LinkedIn. Why do we connect on LinkedIn? Because that's a social platform that people feel safe on, because we're able to connect to each other in a business form.
>>However, think of the person who's getting the first job with an organization, their first job, and maybe they're a project manager and they're working for Bank A, excited to be working for Bank A. Hey, I'm going to list all the projects I'm working for. So here's now my resume on LinkedIn. I'm working on project A, B, C, D, and this is my manager I report to. Perfect. There's some information sitting there on LinkedIn. Now what else I will tell you is that you might have somebody who's looking to get into that bank. What will they do? Let's look for the lowest hanging fruit. Ooh, this new project manager. Oh, I see.
They're working on these projects and they're reporting into someone. Well, I'm not a project manager. I'm a senior project manager from a competing bank. I'm going to befriend them and tell them that I'm really excited about the work they're doing. So you're there, social engineering your way into their friendship, into their good graces, into their trust. Once somebody becomes a trusted source, people share information freely. So people are putting too much information out there on social, trusting too easily, opening the door for more than a phishing attack. And things are just rapidly going out of control. Right.
>>Well, it's funny. So one of my other favorite women in cyber is Rachel Tobac. I don't know if you know Rachel, but she's famous for, you know, kind of live hacking at Black Hat, all social engineering, calling people up and just getting through and you know, she says she's basically undefeated. Um, this
>>way if you're about the human elements, why do people act quickly? The biggest problem is people don't stop and pause. So if you think about, my background also is in psychology, psychology and business. So when you deal about the human element, it's panic. Let's set panic in. When you set panic in on a personal nature, people are quick to respond and quick over to give over information. If they feel it's pertinent to them, calling someone quickly, Hey, your babysitter called, I need your social or anything like that. Set somebody into a spin. They're very quick to give over information 'cause they feel personally at risk. When it comes to business and the business setting, it may not be as personal that way. That, so they kind of composite about the way people get in is through other social channels in ways that are more personal to individuals.
>>So is that, is, is, is more sophistication around the human training element really the key, as opposed to, God knows how many vendors are in this, this building right now.
I mean I, I feel so much for the buyer trying to sort it all out. Right? And there's big players in the established solutions that have been around forever. And then of course you get a spice with the startups that are cutting edge and doing new things, when in fact all that goes out the window if I can call the person up and say, you know, your house is on fire, please give me your, your password or your front door, 'cause I gotta get the kids out. I mean I'm exaggerating to make a point, but is enough appreciation going into the human factors of training? Not on the technology side, but really the motivators for people to do things, um, to, to, to make, to try to please. Right. That's another great motivator, to try to please.
>>Well, right. 'Cause people like to be wanted. They like to be acknowledged. So they like to feel they're doing good. But again, it boils down to the people, the process and the technology. You can't have one without the other. You can't just focus on the people without focusing on the technology. But if you leave them as separate entities and you don't deal with the process in the middle, that glue, you're gonna leave yourself open. So they have to work hand in hand all the time. It's something that's a, it's a one plus one if you'll stand right at that perspective. So yes, you really need all of it together.
>>The other thing that we hear over and over and over, right, is just zero trust. The whole concept of zero trust. It's been around for a long time, which, which you know, you just assume that the bad guys are going to get in. Right? So then how do you try to find them quicker? How do you try to limit what they can get once they get in? So it's a really different kind of point of view to take a zero trust attitude on the assumption they're going to get in at some point and then try to mitigate the damage after the fact.
>>So I look at zero trust from a little bit of a different perspective. I think zero trust is pertinent.
Everyone should be using it because again, you're authenticating yourself, you're giving access only to that person for that specific task. But again, in organizations, if they say we're locking down everything all the time because we want to be secure, the employees are going to say, this is ridiculous. We don't have to be locked down for ABC. It makes no difference to us. What I say to organizations that are don't lock down things that don't need to be locked down, and when you do lock down something, it's important to have that 360 dialogue with your employees. Explain why. Make them part of the solution, not part of the problem. If everyone's saying, Hey, you human, you're the weakest link.
>>People are going to take offense at that and say, look, we know what we're doing. But if you make them part of the solution, Hey, we're in this together, let's make this part of the culture and they act as that with an organization you're going to have, they'll kill piece of ness so becomes just an ongoing everyday life living thing. Right. You brought that up. Wendy Nather from Cisco is one of the keynotes on the first day and she was phenomenal. The basic, her basic premise was we as an industry have been to a kind of a not inclusive, exclusive, like we own everything. We have all the control, we have all the answers, we know everything, and her whole gist was, no, you don't. You don't have the context necessarily to make risk trade-offs, a benefit trade-off. You don't necessarily have the context to see the softer stuff, and really what you're saying, really embrace everybody as part of the solution as opposed to trying to Creech people to do certain things and do and not do other things.
>>I'm a little bit of both, right? Proper balance, but also look at organizations today. In the past would be, these are our solutions. We found out this intel, you figure it out on your own, and that, it wasn't helping anybody.
The idea now of sharing of information has become widely embraced, certainly in the larger security companies at large, and they really understand the value of it. So when I talk about, yes, you do have to lock down certain things and people do have to understand where the end points are, but they also need to understand that they are part of the solution and where the ends in the beginning. Let's shift gears a little bit from the people back to the machines, because the other thing that's happening really, really fast, right, is IoT. Yes, a lot of more edge devices, a lot of sensor devices.
>>We saw what happened with, with some of the Alexa devices that was not very, was not very good. Um, so as you talk to your clients and, and, and, and people that read your book, how do you get them to think about IoT? How do you get them to think about this kind of machine to machine though? Of course that 5G, which will just accelerate it at a, at a whatever, a hundred X, uh, speed to think about working. That is because we want API to API communication. We want machines to, to interface with each other. We want to remove that kind of human integration point a lot of times. But now you're just opening up a boatload more of attack surfaces, don't necessarily have the smartest machines is and often they can be compromised in ways that maybe people didn't think through before they connected them onto the internet.
>>Well, it's also interesting when you talk about 5G, it's not that we can do things at speed that speed, it's also bad actors could do things at that speed as well. So understand the portals of what your connectivity is, your third party software to whose, who has access, where are the access points, how are you going to protect those access points, because the speed is that much quicker. We have to be that much more diligent. So yes, there are massive, really good positives. But there's also some negatives.
So if we have to be diligent around those, it can be fabulous, but it could also be really, really dangerous for us. Sure. And it's coming, right? It's coming. Right. So give us the, give us the 401 on the book. What's the, you know, kind of the top level themes for people to run out and get this? I saw some great reviews on Amazon. You're selling it upstairs, you know, what are kind of the really key takeaways here?
>>Well, the key takeaways are really, again, cybersecurity is the umbrella over all of the technology. When you think of technology, cybersecurity is part of it. And when you look at cybersecurity, that comes from many different elements. It's not just a technology play, it's also a human element play. And the humans are an essential part of cybersecurity, whether you're securing for or securing too. It's just an interplay of both. So Cyber Minds really touches upon all those concepts and all the latest and greatest emerging tech out there, as well as blockchain, AI, IoT, cyber warfare. Uh, think about it. It really just travels through. And I had some really amazing interviews with some top of the minds within the book that really adds tremendous value to it, and grateful for them.
>>Great. Well, I'm glad to finally get my own copies so I will be able to dig in, and next time we talk I'll be digging deep into this book with you and getting a little bit more of that insight. I look forward to hearing your thoughts. Well, thanks. You're, hopefully you can kick your feet up a little bit tonight, but probably not. I'm sure you're busy, busy, busy. Well, thanks for stopping by. All right. She's Shira, I'm Jeff. You're watching theCUBE. We're at RSA 2020 at Moscone. Thanks for watching. We'll see you next time.