RSA Conference 2012
RSA Conference is the big event of the year for enterprise security. All the biggest names of the security world come out to sell their books, lead a session or keynote, and sit on a panel (or 5). Everyone who sells a security product or service sets up a booth in the expo hall, or at least walks around meeting with clients and other vendors.
Long-time RSA attendees gripe about how folks leading the sessions are not presenting anything innovative or new. Dozens of vendors throw parties and receptions filled with free booze and food to connect with current and potential clients. Vendors give away hundreds of the latest hot technology (iPads and Kindle Fires!) and thousands of branded t-shirts. There are hundreds of security-centric sessions ranging from how to securely code an application, to legal aspects of security, to how to give a presentation to the board of directors, to a couple of sessions this year titled “Grilling Cloudicorns” and “Earth vs the Giant Spider.” (Side note: My personal favorite session of the week was actually at Security B-Sides. It was about how differently the movie Star Wars would have turned out if Darth Vader [the CSO for the Empire] had implemented a better security program.)
Unlike Blackhat or Defcon, the value of RSAC is not releasing new hacks
In the midst of all this noise, the astute observer can pick up interesting trends. RSA Conference does not make the news like Defcon or Blackhat with all the newly released hacks. RSA reports the news. RSA tells us what corporate security leaders are working on, what topics are most important to them, and where they are spending their time and money. The news from RSA 2012 as I see it…
- We’re getting tired of talking about the Cloud, but we haven’t even begun to finish the conversation. The general tone I heard is that we’re tired of the Cloud as a buzz-word. We’re tired of having to discuss the same Cloud-y topics over and over. But the fact is, we need to keep doing it. The Cloud sessions were well-attended because for many security leaders, it’s where our organizations are going, and we’re not prepared to lead the way yet. So this love/hate relationship with Cloud security exists. We know we need to keep learning and pressing more into all the details of moving our services to the cloud, but we all hate to be trendy.
- BYOD is the phrase of the year. Some people call it “consumerization” of IT… but that’s so 2010. Bring your own device (BYOD) was 2012’s hottest topic, with long lines to get into those sessions, especially anything that dealt with the iPad or iPhone. This subject most reveals the lagging nature of security. The first iPhone was released in 2007, and the first CEO probably required his IT staff to support it about 15 minutes later. Yet we are still working on the right balance of corporate governance versus consumer freedom, and how we can enable remote access to corporate data without running the risk of this data getting into the wrong hands. The significant interest in this topic at RSA this year tells me that BYOD has reached the tipping point, and in a couple of years it will be expected in the same way VPN is assumed in all organizations today.
- Big data. Personally, I think this topic is cool, and this is probably my favorite trend from RSA. Analyzing big data is a relatively unexplored frontier. We’re doing an adequate job of aggregating logs and amassing large databases. But we’re terrible at figuring out how to parse this data and deliver real value to the business. This is a problem for all of us… the business, IT and InfoSec. There were a number of sessions where we could talk and learn more about how security can utilize big data to discover trends and better protect the environment. But there’s so much more to learn, we haven’t even scratched the surface.
A mathematician wakes up smelling smoke coming from the neighbor’s house. He runs outside and sees the house ablaze. Thinking quickly, he sees a fire hydrant and a hose sitting nearby. “Aha! A solution exists!” Having solved the problem, he walks back home to get some sleep.
I believe that the interactions at the RSA Conference are an important step on the path to putting out the metaphorical fire. The information security community has a great supply of both mathematicians and firemen. No, not everyone at RSA is creating unique solutions, but they do spend time at the conference exchanging war-stories, providing tips regarding what has been successful, and getting revved up for another year’s worth of fire-fighting. By getting involved in conversations with those who have been on the front-line, we can learn from each other’s experiences and improve the entire community’s ability to execute our strategies.
RSA 2012 is in the books. The crypto-geniuses have gone home and are again working on solving our most challenging technical problems. The rest of us have returned home with some new insights and an improved plan for implementing security in our own little corners of the world. RSA offers a unique value to each of us. I hope to see you there next year.
Cross-posted from Enterprise InfoSec Blog from Robb Reck