Thinking Security – RSA Conference 2018
This is the 35th blog in a series about security and how security is about how you think.
This blog is about RSA Conference 2018 – “where the world talks security.” It’s the annual meeting of the IT security community, held this year in mid-April at the Moscone Convention Center in San Francisco. For me, it’s a week to get outside of the normal day-to-day work environment, work on my security mindset and recharge my security “batteries” for the rest of the year.
There were an estimated 50,000 attendees for the week (according to the conference). Most were there to go to the expo floor and look at all of the new products that can help them be secure. The Unisys booth on the floor highlighted our Unisys Stealth® products and TrustCheck™ managed security services.
Others were there as full-conference delegates for the sessions and keynotes about trends (e.g., blockchain, cloud, the increasing use of microsegmentation) and immediate global concerns (e.g., GDPR, the European Union General Data Protection Regulation, and orchestrating cyber-resiliency in an uncertain world).
The theme of the conference was “Now Matters,” which was a “call to arms” by many in the security community about awareness and diligence. It was also a plea to get everyone to communicate intelligence and information about what they’re seeing with regard to security, so that the whole industry benefits. It’s similar to the injunction, “if you see something, say something” when it comes to IT security.
DevSecOps was another popular topic at the conference. This is the concept of ensuring security in the high-velocity world of DevOps/Agile methodology. It involves putting the security responsibility into each developer’s hands (rather than in those of a separate team), ensuring that security concepts are embedded into the day-to-day lifestyle of Agile. A number of participants offered tools and processes, such as automation of static and dynamic code analysis, as well as the education of developers, as partial solutions.
One of the talking points that I heard in several keynotes was about the lack of “silver bullets” in IT security – not one miraculous product or one better process to stay secure. It’s about knowing EVERYTHING about your business and IT infrastructure. One analogy that I like is that IT security is a puzzle. Each person and company has a different puzzle – each of a different size and difficulty. It’s all about minimizing digital risk and the probability of a data breach or event.
I like the puzzle analogy because it really describes how I think about security in general – a number of different areas that have to work together holistically. Several components in multiple areas – authentication, network segmentation, monitoring, workload and infrastructure management, compliance and risk management, and, most importantly, people who run the business – all have to fit together to form the complete picture.
The emphasis on physical security was one of the things that I noticed most intensely as I walked around during the week. There was a considerable police presence around the Moscone Convention Center. There were a lot of police officers walking around and helping control the automotive traffic around all of the construction. But why were they there? Was it because, as everyone knows, we IT security professionals are rebels who live on the edge?
Actually, the police were there for risk management. Having all of those attendees in a very small area (Moscone is a big convention center, but downtown San Francisco is compact) is a larger risk for something to go wrong, because it would be multiplied by the number of people present. Furthermore, for an attacker seeking extraordinary publicity, the biggest IT security conference in the world is an attractive target. Each police officer was an “endpoint” in the overall risk management framework of San Francisco (a piece of their “puzzle”). Their job was to look out for and say something about anything suspicious. Each officer had a radio on them so that they could communicate instantly to the other endpoints (other police) and upward to the monitoring infrastructure of the city.
The job that the San Francisco police did at RSA is very similar to the job that the network products and the security administrators serve in the IT security industry – they are the digital police of the Internet. The job is to protect the infrastructure of their company (of all companies, actually) and guard against successful attacks or breaches. They must also communicate with others – within their own company and, hopefully, within the industry to make us all more secure.
The RSA Conference is where we learn, practice and talk with the other digital police officers. After all, it’s how you THINK about security that makes you a good digital cop.