RSA 2011: In Summary

If there was any room for disappointed in RSA, it was with the continued lack of true innovation displayed by vendors, and the apparent continued presence in a tech rut that we find ourselves these days. I'm certain there must be innovative ideas out there for attacking the security space, but those ideas simply aren't making it to the show floor.

Themes

As far as I could tell, there were a few themes this year (some interesting, some note):
* Cloud: Whatever that means. This non-event "event" is starting to remind me of the move to outsourcing in the late 90s. There are concerns, but most of the technology is merely being migrated to virtualized platforms. There's not much in the way of "new" here. The need for good lawyers, however, is imperative. *Everybody* seems to have a "cloud" solution of some sort these days.
* Sandboxing: I saw several solutions that incorporated sandboxing, whether it be for protecting the browser, improving AV, automating malware analysis, or even hosting an embedded OS on a USB pendrive in a sandboxed environment. All of these solutions are built on the back of maturing (or mature) virtualization capabilities, and I think we'll continue to see good innovation here for the next couple years. I'll be rather disappointed if we aren't all running sandboxed browsers by this time next year.
* Mobile: It seems like every time a new platform comes out, that we must then start from scratch with security. Why is that? Anyway... mobile security is a huge hot-button topic this year, thanks to the boom in smartphones and tablet devices. iOS and Android are, of course, the big targets of opportunity, and of course riddled with holes. McAfee seems to be starting to make a strong name for themselves in the space, and I'm sure we'll continue to see vendors racing to fill the void. On a related note, please check out the OWASP Mobile Security Project as they have a lot of good work started that should produce tangible results later this year. Better yet: join up! :)
* Urgent Calls for Public/Private Partnerships: I've been fascinated to hear an increasingly desperate tenor in the pleas from the public sector for improved public/private partnerships. I'm not fully sure I understand the motivation. It's not that I disagree, but that these sorts of relationships seem to have had limited benefit in the past. On the flip side, we're already seeing a reasonable amount of partnership, such as around smart grid and crypto research. Nonetheless, this seemed to be a theme at the conference.

Good Times
There have been several negative responses to RSA from various "known" names in the industry. In a couple cases, people who had never attended before left feeling like they'd wasted their week. I must admit that I felt this way the first time I attended, but each year thereafter has gotten better. RSA is a *huge* conference, and it thus takes a couple years to get acclimated and start realizing all the benefits.

Most of us don't go to RSA to be speakers or to meet with vendors. Instead, RSA is where you go to meet people, catch-up with friends, and to get business done. The talks each years are fine, but it's not a hacker con, and thus nobody should expect a lot of whiz-bang presentations. At the same time, if you're open to learning about other aspects of the security industry, then this is a great place to be.

As mentioned, I enjoyed several of the receptions this year, as well as attending my first speakers' dinner (I didn't go last year and regretted my decision). I also greatly enjoyed getting a chance to meet with various people and organizations all week. Overall, I thought this year was very positive, and that it lacked the economics-induced black cloud of the past two years.

The other event that made this year fun was participating in the annual Brazilian Jiu-Jitsu Smackdown on Thursday evening. I skipped last year (another regretted decision), and so was eager to join this year. It was a lot of fun! My first time joining 2 years ago was a major beat-down for me, a fairly inexperienced white belt. This year, however, as a more confident, better-skilled blue belt, went much better, and was overall far more enjoyable. Good stuff!

Talk Summaries
Admittedly, I didn't get to very many talks this year, which isn't necessarily a good or bad thing. I did, however, make it to both of my talks, which I suppose is the important thing. That said, I did attend a few talks, including Mr. Clinton's closing keynote, and wanted to highlight what I heard or how it went.
* Mogull's "Everything DLP" Talk: Rich literally turned off his slides for the majority of the talk and just went through everything you might want to know about DLP, engaging in conversation with the audience, in what I think was a great talk. Take note, speakers: you do not need slides to have a good talk. Moreover, dumping the slides shows you know your topic very well!
* Rothke's Social Media Talk: Ben covered some interesting points on how we're basically all screwed and privacy is a lost illusion. Sad, really, but true. On the bright side, we're pretty much all equally SOL. Ok, so it wasn't quite that bad (or was it)? :) I liked the talk, though.
* Risk Mgmt Smackdown Panel: Let me start by say: Oh, sigh. Poor Alex Hutton. What do you do when the main opposition insists on reading statements rather than engaging in an actual discussion? More importantly, who in the world rejects all analogies outright on the basis that what we do is so special that nothing comes close to comparing? And, lastly, how relevant, really, are studies of "cyber criminals" from the 60s, 70s, and 80s? I mean, seriously. *sigh*
* GRC-201 Panel: I led a panel titled "Reasonably Foreseeable, Legally Defensible" consisting of Dave Navetta (InfoLaw Group), Serge Jorgensen (Sylint Group), Raf Los (HP), and Dan Houser (ISC2/Cardinal Health). For me, this was a lot of fun. I did everything I could to get the panel and audience pumped up first thing in the morning (we had an 8:30am Wed. start time), and then literally stood in the back of the room and let the panel talk. We had decent audience participation and I was overall quite pleased with how it went. Hopefully attendee reviews will agree! A hearty "thank you" to the panelists for a job well done!!
* LAW-403 Talk: The last talk slot of the conference, Dave Willson (NEK) and I gave an ethics talk on the reactive use of force in cyberspace. The talk was originally proposed by Randy Sabett, who was supposed to be the lead speaker. He had to bail for work reasons, so I recruited Dave to join since he had just retired from 20 years in Army JAG doing cyberlaw, and is now working in similar areas. Overall, I think the talk went ok. We had a lot of audience participation, which is definitely a positive, though it disrupted the flow of the talk. We'll see how the attendee ratings are for the session. Dave and I recorded a 20-minute version of the talk the previous afternoon for RSA (no idea when/where it will post), which went very well. For both sessions I tried to adopt an interview style with Dave as the SME in the room. I think that technique was generally effective (certainly for the recording). It was very hard to bring adequate energy for this final talk of the conference.

My Other Posts on RSA 2011

Here are my previous posts on RSA 2011:
* "RSA 2011: Books! Talks! (and where I'll be)"
* "RSA 2011: (dis)Innovation Sandbox"
* "RSA 2011: Imation Expands Offerings"
* "RSA 2011: Meet Federated Networks"

Miscellaneous

In case you're curious, I popped-up in a couple other places during the week, including:
* Tripwire Blog: "Top security issues for 2011: Data loss prevention and internal threats"

Also, as I mentioned before the conference, I had two (2) books come out to which I contributed. Both were from the ABA Press.