The annual RSA Security Conference is an opportunity to take the pulse of the enterprise security business. While other technologies wax and wane with consumer popularity, corporate security is one of those must-haves where last year’s impregnably secure business looks like this year’s Swiss cheese.
After attending keynotes and briefings and walking the exhibition floor, I came away with the following list of the top 10 trends from the 2014 RSA Conference.
1. Ghosts in the Moscone Convention Center: The biggest drivers for this year’s event took place outside the confines of the Moscone Center. Edward Snowden is ensconced in Russia, but his trove of National Security Agency documents and the accompanying revelations have had an influence far beyond anything taking place on the keynote stage. Security vendors, academics, standards committees and government security agencies have long had intertwined relationships. Those relationships were built on trust, or at least on an implicit understanding, that the rules of the road meant setting boundaries between protecting national interests and protecting individual privacy. The Snowden debacle opened rifts within the industry and between the industry and the public, and a lot of that fractured trust now has to be rebuilt. This year, the RSA Conference and the company behind it are in recovery mode following speaker walkouts and an alternative conference taking place only a few blocks away.
2. This year’s security box score: One of the ongoing topics at the RSA Conference is trying to guess if the good guys or the bad guys are winning the security battle. The past year has not been a stellar year for corporate security and was topped off with the Target (a prescient corporate name if there ever was one) data breach that exposed credit data of an estimated 110 million people. Despite the many billions spent on security, tales of digital break-ins, identity theft and corporate digital espionage provide a daily reminder of the leaky ship that is today’s corporate technology infrastructure. The bad guys tend to be the fastest innovators.
3. Stop selling more boxes to solve every security problem: From the early days of corporate firewalls through authentication services, the tendency in the security business has been to cook up a new box to solve every new problem. This made some sense when digital security was mostly about building a moat around corporate offices and directing people and resources to deepen and widen the moat. That corporate fortress model has withered as mobile devices, mobile workforces and employees anxious to use the latest cloud-based service have become the norm. While there were still a lot of new boxes on display on the show floor, the days of CIOs and chief information security officers (CISOs) willing to manage many security vendors and systems are clearly ending.
4. Maintaining security in the cloud computing age: The cloud is all the rage in corporate computing. In large part, enterprises are intent on building hybrid cloud environments where legacy apps still live in corporate data centers but the new stuff resides in a public cloud. This mix of private, hybrid and public cloud does not make digital security and privacy protection easier. Traditional security vendors are racing to extend their existing products to this mixed cloud model. I went to several briefings, and Trend Micro’s “collapse the console” idea of an overarching private-to-cloud corporate security model struck me as a good example of a company that understands the need to meld the old with the new. Security vendors that can extend their current services to embrace a cloud strategy will be the winners here.
5. Security Goes Open Source: I went to a Cisco press conference at RSA where the company talked up its OpenAppID capabilities, which, as the Cisco blog explains, is an “open, application-focused detection language and processing module for Snort [intrusion detection system] that enables users to create, share and implement application detection.” This means that Cisco’s acquisition of Sourcefire (and Snort’s creator Martin Roesch) will be instrumental in moving Cisco’s newly found admiration for open-source products from rhetoric to reality. The open-source model is having an enormous influence in many other parts of corporate computing, including hardware, networking and the traditional software stack. Security, with its traditionally secretive nature, has somewhat resisted the open-source movement, but that is changing.
RSA 2014: 10 Takeaways From a Show Overshadowed by Fractured Trust
6. Build a hacker’s lab: The bad guys are clever, organized and ready to develop new ways of hacking into your network. You are still confined to maintaining your existing security fences and calling on outside resources when needed. Maybe the best advice I heard was similar to what I’ve heard about companies considering cloud computing: Assign one of your employees to create a test bed for new services. It is almost impossible for staff to investigate new technologies in the (few) off moments left over from their regular jobs. Having an on-staff hacker is a lot different from having an on-staff cloud developer, but once you set a couple of ground rules (what may be tested, when, and with whose sign-off) and create a hacking playground aimed at your own company’s innards, you’ll soon be learning about all the new hacking techniques and the vulnerabilities you did not realize you had.
7. Invest in people and processes: One of the better keynotes was from Hewlett-Packard Senior Vice President Art Gilliland, who explained where you can invest in security to get the biggest bang for the buck. It is not in adding new boxes to an already overburdened infrastructure, but rather in investing in security training and processes that provide a broad, sweeping approach to corporate security. I heard this several times during the conference from attendees who agreed that adding new boxes and managing security software upgrades matters, but felt that this work takes time away from developing a comprehensive approach and encourages scurrying about to put out fires.
8. Learn how to express digital security issues in business terms: I attended an AccessData CISO briefing, and one of the key takeaways for me was a discussion of how to talk to your CEO or corporate board when they want to know the state of security in your company. CEOs want to know the level of risk, the costs associated with lowering those risks and a straightforward assessment of the state of corporate security. CISOs who talk in acronyms and buzzwords and cannot translate security technology into business terms are blocking their own chance for promotion to the upper corporate ranks.
9. The cloud as a solution instead of a problem: The more I sat through sessions on the latest threats, advanced attacks, new zero-day exploits and the sophisticated worldwide digital criminal elements, the more I realized that the tasks facing the modern CISO may be impossible to accomplish. Security budgets are not boundless, and the pool of security specialists available for hire is limited. While moving more of your infrastructure to a public cloud provider is not the answer to all your security problems, those cloud providers have more security resources than you can marshal. Using public cloud platforms to augment your digital security, freeing you to focus on protecting the corporate crown jewels, is an emerging trend.
10. Pay attention to what went on at TrustyCon: On Thursday, I went over to the TrustyCon conference being held in a movie theatre a block away from the RSA Conference. I found the speakers well informed and passionate about the need for trust in a digital world, and the audience leaning into the presentations. The presentations reminded me of the early days of RSA, before the vendor presence gave the event a much more commercial feel. Instead of belittling the TrustyCon event, the RSA Conference organizers would do well to watch the presentations on YouTube and work at injecting some of that passion for digital trust into next year’s RSA. The TrustyCon event was sold out, and the organizers donated a $20,000 check to the Electronic Frontier Foundation, a nice touch in a world of vendor-driven events.
Eric Lundquist is a technology analyst at Ziff Brothers Investments, a private investment firm. Lundquist, who was editor-in-chief at eWEEK (previously PC WEEK) from 1996-2008, authored this article for eWEEK to share his thoughts on technology, products and services. No investment advice is offered in this article. All duties are disclaimed. Lundquist works separately for a private investment firm, which may at any time invest in companies whose products are discussed in this article and no disclosure of securities transactions will be made.