Thinking Security: RSA Conference 2017
This is the 24th blog in a series about security and how security is about how you think.
I recently spent a week at the largest IT security conference in the world – RSA Conference 2017. It is a gathering of the entire IT security world that is held annually at the Moscone Convention Center in San Francisco. This year, conference organizers reported that a record 43,000 people attended the event.
The conference slogan is “Where the world talks security.” It is a very big conference, and most of it is the exposition floor (the “shopping mall” or “hardware store” of security) where many IT security practitioners come to look, shop, ask questions, and evaluate the products (the tools of the trade) that are available in information security. This year, there were more than 550 vendors of all sizes (from the RSA and Microsofts of the world, all the way down to many startups). On the expo floor, I saw the standard “dashboards” of security intelligence so that companies can quickly visualize where they are secure (or not). Some products also tried to visualize “threat intelligence” (an upcoming topic merging technology and business risk to quantify security). There were also products for many different operations within security – authenticate, validate, evaluate, update, and monitor.
But there is also a conference within a conference – over in Moscone West – sessions, panel discussions, and deep dives that were given to full conference attendees. Sessions in the various tracks (25 in all) on topics such as “Governance, Risk, and Compliance”, “Protecting Data and Applied Cryptography”, “Cloud Security and Virtualization”, along with “Human Element” were given for a wide variety of interest levels. This part of the conference allows attendees to enhance, refine, and/or mature their own and their company’s security mindset.
Why was I there? To increase my security mindset, and to understand why others were there (because our clients were there too). To ensure that ClearPath Forward fits into the products that were there (dashboards, etc.) and to ensure ClearPath Forward stays as the state-of-the-art in security. It was also to try to understand what problems and concerns our clients are trying to solve and see where new opportunities could be in the security marketplace.
One mechanism that many think is part of the proper mindset is the checklist. The common misconception is that the checklist itself can ensure security. Checklists are used to capture knowledge so as not to repeat mistakes (I heard this concept mentioned in a few talks). What’s really more important is the thinking *behind* the checklist and constantly updating any mechanisms that we use with what we know and learn. It is very hard to document a thought process, and transferring it from one person to another or from one business to another is even more difficult. Even with security frameworks such as PCI DSS, ISO 27001, and the NIST Cybersecurity Framework, it’s very tricky to provide specific guidance that will work in all situations and all businesses.
What I learn every year (and hope others do as well) is how to update my security mindset. How to add, shape, archive, and learn information about the platforms, architectures, and attacks of the modern security world. That enables me and others to then go to the shopping mall / tool store (the land of pens, t-shirts, tchotchkes and “Can I scan your badge?”) and be able to pick and use the right tools to help with our company’s information security.
The RSA Conference is a great conference for the IT security industry. But I think that a better tagline for the conference would be “Where the world THINKS security”.