Thinking Security: RSA Conference 2020
This is a special blog about the RSA 2020 Conference.
The IT security world met again in San Francisco in February at the RSA Conference 2020. The Coronavirus (COVID-19) affected this year’s conference, with several vendors and many delegates choosing not to attend. Even so, the conference was as huge, diverse and excellent as usual.
This year’s conference theme was “Human Element”, highlighting the fact that people and their security mindset are usually the weakest link – and that educating that large part of your business is essential to keeping your company secure. As one presenter said, “If I could just stop people from clicking on things that they shouldn’t, my job would be a lot easier.” But just as security isn’t solely about one topic, the RSA Conference isn’t either – there are many tracks (24 in all), with sessions aimed at everyone from developers and cryptographers up to the C-suite.
Unisys had a big presence at the show, most notably with its “Capture the Flag” hackfest, which took place in the Moscone Center’s North lobby. Each of the contest’s two sessions (32 attendees each) sold out, and no one succeeded in hacking Stealth. As a result, Unisys donated the $10,000 prize to Women in CyberSecurity (WiCyS). As one experienced hacker exclaimed, “Wow, this is hard!”
Unisys also had a booth on the Moscone South Exposition Floor that was heavily attended.
My area of DevSecOps was again a big theme of the conference. (One track was designed exclusively around this topic, with parallel tracks on Open Source, Product Security and Risk Management & Governance.) This year I saw some very big companies giving presentations on how they were instilling the security mindset into their associates. (Last year, smaller companies were giving those same “case study” presentations.) DevSecOps is an ongoing journey toward process maturity, so many companies had roadmaps showing where they had been and where they still had work to do. They documented their education and awareness (E&A) processes, how they pick security champions, and how they build security into their development processes and pipelines. One new topic on which I saw a good presentation was the “CPSO” – Chief Product Security Officer – the C-suite representative responsible for how everyone in the company thinks about and develops its products.
I attended an interesting presentation on setting Key Performance Indicators (KPIs) around DevSecOps. The speaker showed a framework around the three types of KPIs – Organizational, Team and Individual – and how each can be used to show progress and increase security “inertia” within a company. They also can show maturity and accomplishment along the journey of secure development. This is a good way of THINKing about progress – how to show progress is just as important as making progress towards a goal.
I also attended an interesting presentation on the General Data Protection Regulation (GDPR). The presenter showed a common set of nine features and discussed how it summarized all of the separate rights the regulation covers. It was an excellent example of how to THINK about security by breaking down a complex piece of legislation into manageable and actionable parts.
The RSA Conference is a great place to glean innovative ideas for boosting all areas of security, including the security mindset. It’s the best security conference of the year for many roles in our company and at our clients, because it helps us and them to THINK security.