Not to be outdone by Anton, I thought now was probably as good a time as any to finally sit down and knock out some of my quick reflective thoughts on the week+ of RSA 2010. For those who don't know me very well, my RSA week is always a long one as it's preceded by ABA meetings (InfoSec Committee and eDiscovery and Digital Evidence Committee - see my after report here), as well as now including the annual MiniMetricon on the Monday that the conference starts. Add to this blogger responsibilities for meeting with vendors, surveying the expo floor, and attending a few sessions, and, well, the week tends to fly by.
Overall, I found this year to be quite positive and energetic. People seemed to be moving so frenetically that we all shared a common complaint: "gosh we're tired!" In part, I have to think this exhaustion was cumulative, not just from the conference itself, but as a result of dragging our sorry tails out of a miserable 2009 through the break clouds into the emerging sunshine of 2010. Based on my observations, it seems like 2010 stands to be a very good year... but I'm getting ahead of myself...
Here are some quick-hit areas that really stood out for me this year:
Slightly More Sane Vendor Rhetoric
I can't believe I'm going to say this, but I didn't find the vendor rhetoric to be, in general, quite so absurd as usual. Sure, there were your requisite headlines over "cloud" and a few desperate FUDsec calls over APT, but things could have been (in fact, have been!) much nuttier in the past.
Now, that being said, there were certainly a few loons in the crowd... I can't even remember the claim, but some company with a name along the lines of MI86 or something equally lame had a loud-mouth on-stage making sweeping claims about complete elimination of threats, and other such lunacy.
The people I felt bad for, though, were the IT Germany exhibitors who were across from the RSA live show (a pitch man backed by a guy doing beat box and another guy with this incredibly obnoxious electronic harp thing that was shrill and high-pitched) as well as stuck looking at the back of another vendor's booth space (a 2-story white wall) where they were forced to look at 2 flatscreens playing a handful of ads over and over and over all day long - with sound! Mind you this was on the back of the offending vendor's booth, with nobody even staffing it... so, just plain noise in the face of another exhibitor. :) Anyway...
To close this out, one last vendor thought... where is the innovation? This year, as with the past two years, I was again disappointed in the quality of products available. Lots of point solutions, but nothing that really addressed the entire enterprise. *sigh*
Lots of Business Being Done
One leading indicator of the current economy has to be the sheer volume of business (partnerships, deals, handshake agreements, etc.) that was being reached during the conference. Last year, people drank hard because there was very little to be optimistic about. This year, people seemed much more contained in the libation department as they focused day-in and day-out on getting deals made. This attribute of the conference has to be one of the more encouraging signs for our current economy. 2010 certainly feels much more optimistic!
Earnest Enthusiasm for 2010
Along with all the business being done, people just seemed generally up-beat, in stark contrast to the dark cloud shrouding the conference last year. The weather was (mostly) gorgeous, despite the somewhat early season in San Francisco. Parties were peppy, receptions were generally happy, and all-told the general timbre was in a positive key and well-rounded note.
Improved Engagement on Key Topics
I was pleasantly surprised by the apparent new degree of engagement that we started to see this year, particularly from the public sector. The feds who spoke stayed on-message about their intention to focus on user awareness. One of our greatest challenges today is that the public at large simply doesn't understand, or necessarily even think about, security. The consistent message from the feds was a commitment to start addressing that problem.
Along the same lines, I also had good conversations with key parties about how we can help promote sane public policy that can help us make better progress. One of the topics discussed in these circles was breach notification and reporting. There are a reported 37 different bills circulating through Congress at the moment that would potentially standardize breach notification. It's imperative that we not only see this pushed forward, but in a manner that also mandates standardized reporting to a central breach data clearinghouse. I'm hopeful that we can get the ball rolling on this in 2010 and maybe even see measurable progress by 2012.
Lastly, I found it interesting that risk management support seems to be swaying again, if the standing-room-only attendance of Donn Parker's talk was any indication. Folks are burned-out on "risk" and all the fluffery that goes along with it. I've commented before on my concerns about current risk management approaches, so will skip that diatribe today, but suffice to say that people are frustrated, yet at the same time I think we're also on the verge of making some serious progress. If we can get standardized breach reporting, then that will go a long way toward resolving some of the larger issues.
Another B-Sides Success!
Continuing the work of prior efforts, B-Sides San Francisco was another success. Not only was it well-attended, but I was also told by RSA program committee members that it was also well-regarded by them (they realized that there were only so many slots for far too many proposals, and they liked that there was an alternative venue for speakers that also got them in town for the conference - hey, BlackHat, maybe you should take a tip from these guys?). I really don't have too much more to say here, but just wanted to highlight it as a first for RSA and a success. Check out the above link to access videos from the event.
Growing Circles
One thing that I found encouraging this year was that circles seem to be growing and cliques seemed to be softening, if ever so slightly. The security community is very small, but I'm starting to see more cross-over between different segments, which cannot be a bad thing. The more people we have engaged in the conversation, the more likely we are to find innovative solutions.
Hey Ben,
It's Drew (Ingrian/SafeNet key management, etc.), sorry we didn't get a chance to catch up at RSA this year. We should chat soon.
Regards,
Drew