Editor’s note: Keren Elazari, cybersecurity analyst, author and researcher, will give the closing keynote address at CSX Europe 2018, to take place 29-31 October in London, UK. Elazari recently visited with ISACA Now to discuss the hacking “ethos,” whether data privacy should be considered a right or a privilege, and more. The following is a transcript, edited for length and clarity.
ISACA Now: What prompted you to take an interest in cybersecurity research and analysis?
In one word: Curiosity. Always asking more questions, always poking fingers into things I don’t understand – I believe that is the quintessential hacker mindset and that is what has always defined who I am. Even as a child, I was always really interested in technology and curious about how things worked. I would break things, take them apart, crawl under the table to disconnect the cables and see what would happen if I put them somewhere else.
An important milestone for me was the movie “Hackers” that came out in 1995. I always talk about this movie as my inspiration, because it really gave me a context for hacking: hacking as a calling, a life choice. It showed me a hacker could be a hero of a story, and that hero could be a high school girl just like me! In the movie, it’s Angelina Jolie, pretty much the coolest person in the world from my point of view. Everything was exactly right for me in that cultural moment; it was exactly what I needed to see and hear to understand it was my calling. That’s why I am proud to call myself a hacker. My idea of a hacker is, perhaps, somewhat romantic, but I consider the friendly and ethical hackers out there in the world as a vital part of culture, society and the economy, pushing forward the evolution of technology and acting as a much-needed “immune system” for the information age.
I wear many professional hats: strategic advisor, business analyst, academic researcher and author. I’ve worked as a security architect, risk management consultant and product manager; yet in any role and organization, I’ve always held that hacker–hero ethos at heart.
ISACA Now: In what areas must the cybersecurity workforce make the most strides if organizations are going to be equipped to deal with the evolving threat landscape?
Despite widespread automation of technology and defensive security solutions, I do believe there always will be room for humans in the equation. As AI, big data, algorithms, automation, machine learning, and adaptable technology become more prevalent, 70-80% of cybersecurity tasks will be automated and drilled down to a science. That means defenders must become more like data scientists and feel at ease with managing and utilizing such tools and leveraging them to gain a better understanding of threats and the security posture of organizations.
It also means that the hard-to-find 20-30% of threats and security problems will become harder to identify. This is where the ART comes in. This is where the tasks human defenders will deal with become less methodical and more creative, more hacker-like, more innovative. In order to make the alchemy of science plus the art of security work in harmony, we must also harness the hacker mindset and invest in skillsets like digital forensics, incident response, threat hunting and red team testing. Those are the skills we should cultivate and in which we should invest today to be ready tomorrow.
ISACA Now: What are the biggest barriers that must be dealt with to improve diversity within the cybersecurity workforce?
First, I’d like to say that there’s no doubt in my mind that the community and the industry are changing and maturing, becoming more diverse and open to other voices and perspectives all the time. This is incredibly exciting to witness, as I still recall going to my first hacker event in Tel Aviv back in 1999 and being the only young lady in a set of 200 guys and one woman (who was the lead organizer).
Now I see more and more women, more people from all walks of life, genders, backgrounds, ages, finding their place and their voice in this community. One metric of this change, and one way we can do even better, is by featuring and curating content from more diverse speakers at conferences.
Another aspect is for the HR departments and managements of organizations to find ways to create onramps, entry level programs and skill building initiatives – not just to get more women into the community and industry, but generally to create multiple pathways for more people to join our forces.
ISACA Now: What concerns you most about how cybercriminals can impact the world of politics?
While in 2018 it’s no surprise to anyone that criminals and certain nation-states have been using cyber-based capabilities and technology to influence and manipulate the geopolitical landscape, there is little being done to prevent this from happening again. This is a global, cross-border problem with very few organizations that can work together to prevent it.
Should it be dealt with by INTERPOL? Or the FBI? Perhaps NATO? I don’t have the answers to that. This is not just a US issue, as it’s not affecting just the US elections (we have seen such attempts, for example, during the 2017 French presidential elections, across Latin America, and elsewhere). In 2018, it should come as no surprise that politicians who want to influence the world and have talented hackers in their country would try to harness them to use that power to shape the world to their liking. We shouldn’t be so shocked to know that; it’s a reality. What’s more urgent, in my opinion, is how to work together between nations and borders to protect democracy.
ISACA Now: Data privacy has emerged as a major issue not only in the EU, but worldwide. What aspects of data privacy do you expect will be most challenging for security practitioners as the number of connected devices in use continues to explode?
As we connect more elements of our lives and make them smarter, we also are allowing data collection about individuals to occur in a scope never before made possible. I believe we must reconsider our notions of secrets, of personal privacy and corporate transparency, and the way technology and big data fuel the next wave of innovation.
That means our future may be defined not just by our efforts to balance technology’s benefits against the risks it brings with it, but also by how we evolve our notions of privacy and digital access to information. I think we must ask ourselves: Is privacy a basic human right? Perhaps in the “information age,” we should consider privacy a privilege one must work hard to maintain.