Wendy Nather: Why the Cybersecurity Industry Must Rethink Its Approach
At the RSA Conference 2017 in San Francisco, one voice stood out among the crowd: Wendy Nather, principal security strategist at Duo Security. Her provocative ideas on the security skills gap and the industry’s overreliance on complex technology sparked a fresh conversation. As a former CISO and analyst, Nather brings a unique perspective that challenges long-held assumptions. In this article, we explore her most controversial thoughts and what they mean for the future of cybersecurity.
The Self-Created Security Skills Gap
Nather believes the security skills gap is largely a self-inflicted wound. “We wouldn’t have a skills gap if we didn’t make technology so hard to run in the first place,” she argues. The industry has built layers of complicated systems that require multiple degrees to manage. This, in turn, fuels a demand for more specialists, creating a vicious cycle.
“We created the skills gap problem ourselves,” Nather explains. “This self-feeding skills gap is a result of the complicated technologies we’ve created that need so much manpower.” She points out that growth is often seen as positive, but the real question is why so many people are needed. The answer, she suggests, lies in the unsustainable complexity of modern security tools.
CISOs are increasingly looking to reduce their vendor portfolios, a trend echoed by Dr. Zulfikar Ramzan, CTO at RSA Security, in his keynote. Nather references Bank of America’s cyber-defense metric—a scorecard that helps organizations rationalize their security products. “It’s a practical matrix that considers what requires the most time and people,” she says, offering a way out of the complexity trap.
Killing ‘Baby Anti-Virus’ and Rethinking Passwords
If Nather could travel back 25 years, she would “kill baby anti-virus.” She laments that AV put the industry on a path where security is treated as an add-on. “We built an industry completely separate from what it should be securing,” she says. This separation has made it difficult to integrate security seamlessly into technology.
On passwords, Nather is equally blunt. “We should never have told people not to write passwords down,” she declares. This advice led users to choose simple, memorable passwords instead of secure ones. While she doesn’t endorse sticky notes on laptops, she suggests that a secretly stored written password is better than a weak one. Password managers, she notes, act as an intermediary, protecting users from “the terrible malignant growth of passwords.”
Building on this, Nather argues that the industry must stop blaming users for security failures. “Maybe we built the ecosystem wrong, maybe we’re building technology wrong,” she says. Users misuse complicated technology because it’s not designed for them. The solution lies in making security tools that people actually want to use, not just tools that organizations want to buy.
The Role of Technology, AI, and Vendor Rationalization
Nather criticizes the tendency to throw technology at every problem. “Too many people look at adding and refactoring technology as a solution,” she says. This approach ignores the need to learn from past mistakes. The industry, she notes, always looks forward but never back.
On multi-factor authentication, Nather calls for a clearer definition. With over 80 vendors in the access management space, the market is crowded. “We need to secure access in a more flexible way and we need to authenticate systems and applications, not just humans,” she explains. Machine learning and AI have roles to play, but Nather is cautious. “AI is led by our intelligence to build it,” she says, questioning whether it will ever replace human decision-making.
As a former CISO, Nather recalls how purchasing decisions were driven by analyst quadrants. “When I was a CISO and wanted to buy a product, I’d take it to my CIO and he’d want it to be in the top right of the quadrant,” she says. This reliance on analysts highlights the marketing noise in the industry. However, she warns that analysts are burning out, with too many vendors to evaluate in too little time.
Reducing Choices for Better Security
Nather believes that the industry needs to reduce choice to improve security. “To make security better, we may need to reduce our choices,” she argues. Drawing a parallel to cars, she notes that there are only so many types of engines. In cybersecurity, everyone is writing their own “magnum opus,” making it hard to secure systems in a repeatable manner.
“We need to find and stabilize the things we know work and everyone else will have to live with it,” she insists. This approach might mean fewer jobs, but it would also reduce the security skills gap. “Taking the choice away will make people sad, but it will make people safer,” Nather concludes. “Artistic license shouldn’t threaten the safety of the general public.”
Wendy Nather’s vision challenges us to think differently—and that’s exactly what the industry needs.