Here it is, the aftermath of the biggest security conference of the year, and my mind is still reeling. There have already been several RSA-related posts from various other bloggers, but this is really my first substantive effort (of a planned 3 total). In this piece, I plan to address at a high level several themes and misconceptions that seemed to be circulating or self-perpetuating last week.
Themes
Overall, I saw three major themes during the conference (four, really, but I'll leave that for the next section).
1) Mobile - It seems like this was the hot topic of the year, especially with all the buzz around "bring your own device" (BYOD) policies. It's definitely a challenging area, and one rife with exploits. It seems in many ways like we started from square one again, despite having a couple decades (at least) of good experience on how to do things like develop reasonably secure applications. It was interesting to me to see that the Cloud Security Alliance is now adding a project area around mobile ("gateway to the cloud"). In some ways, that seems like jumping the shark, but hey, maybe they'll have success.
2) "Big Data" - Every time I hear this phrase, I hear it in my head as comedian Jim Gaffigan in sing-song falsetto a la his classic "Hot Pockets" bit (see video below). Is this really a new area? No. Is there really anything interesting or unique here? No. We've been dealing with "big data" for a long time. Data mining, data warehousing, and business intelligence are all mature product areas that evolved to work with very large data sets. That it's "new" to infosec is... meh. Nonetheless, it was a major theme this year, and one likely to persist throughout 2012.
3) Risk Management - It seems like everyone wants a piece of the risk management puzzle these days, and for good reason. Security really is about reducing information (and/or operational) risk, which can then be used to peg solutions to improved business performance or reducing business exposure/liability. However, as I'll discuss below, "risk" as a term is becoming increasing abused and misused. Just because you address risk factors does not mean you are the risk management solution. This is not just an issue with semantics, either...
Misconceptions
1) "Everything Is Risk" - As noted above, a major theme for RSA this year was tying every single product to "risk" - right or wrong. This trend first emerged last year as major vendors began recasting their image from treating threats or vulnerabilities to being about managing risk. Unfortunately, this is a major misconception and an outright lie. If you cannot articulate in real terms the impact side of the risk equation, then you're not address risk. You might be address risk factors (e.g., threats, weaknesses), but you're not speaking about "risk" and you're not managing it accordingly. I hold little hope that we'll be able to wrest control of this term from the PR forces, but I am hopeful that we can at least steer vendors toward also talking about impact as it relates to the threats or weaknesses their products address.
2) "Security Is Failed/Dead" - This was a strange theme this year, and one that I thing directly derives from RSA experiencing a major security breach last year. The funny thing is that it's not true (not even close). The vast majority of breached organizations are still in business today. They survived. So, why the fatalistic viewpoint? Chris Hoff has a fairly good, ranty piece on the topic that's worth reading. To me, I think it ultimately comes back to a new spin on FUD in order to drive product sales. I couldn't help noticing that Art's opening keynote had numerous veiled references to their products, all in context of how security has failed, but how we will overcome. If you think security is dead or failed, then I don't think you properly understand the role of security (or risk management, for that matter). The focus should be on business survival, legally defensible practices, and risk management. Minimize the negative impacts from inevitable events and you win. *shrug* Seems straightforward to me...
3) "Government Will Help Solve Problems" - A major topic in the past few years has been a call from the US Government for more "public/private partnerships." As I look at many of these initiatives, it strikes me more as fishing expeditions. They come up with a dream list of requirements, and then private industry does a lot of the heavy lifting. Ok, that sounds cynical, but the point here is this: We don't look to government to solve problems or innovate. We look to government to regulate when market forces aren't adequate, and to help ensure as level a playing field as possible. Anything more than that strikes me as a pipe-dream. Their motives are vastly different than the commercial world's. We should be very careful what we wish or ask for with respect to government intervention.
Down-trending Topics
1) Cloud - Has this topic finally become passé? So it seems. Cloud is everything and everywhere. I still think there's a lot of confusion (thanks in large part to marketing/PR efforts) about just what actually qualifies as "cloud." That said, it's here, it's going to stay, and we need to make sure our GRC programs are in the critical path for dealing with cloud-based solutions. I'll be surprised if this doesn't rise again soon, at least in other incarnations or evolutions. In related news, there seemed to be some interesting security solutions on display at RSA for managing cloud-based data and apps, which I found encouraging.
2) Point Solutions - I've noticed a heavier emphasis on integration and risk management lately, even though the majority of solutions still appear to be point solutions. We need to get away from these specialized and difficult-to-integrate tools in favor of stitching together a well-integrated, well-functioning enterprise security space. Hopefully the down-trend away from point solutions will continue.
3) Ubiquitous Encryption - I didn't hear much explicit discussion of encryption this year, which I take to mean that it's either another passé topic, or it's become so mainstream that we don't have to think about it much any more. In many ways, the only times I heard much about crypto was in regards to protecting data in the cloud, berating broken SSL Certificate Authorities (really, Comodo? "high assurance"?!?), and with a few point solutions (e.g., encrypted removable media). Overall, though, it seems like there's been far less emphasis here of late. Perhaps the PCI DSS requirements have finally sunk in.
Stayed tuned for more thoughts in 2 additional posts on RSA 2012...
