The annual RSA Security Conference was held last week at the Moscone Center in downtown San Francisco. The conference was bigger than ever, with 32,000 total attendees (many come for a day just to see the Expo) and 8,000 for the full conference. The meat of the conference is a series of one-hour sessions arranged in more than a dozen tracks focused on topics such as Analytics and Forensics, Application Security and DevOps, Law, Public Policy, Cloud Security … you get the idea. These sessions run over four days – Tuesday through Friday morning – and are broken up daily by a couple of hours of keynote addresses, usually given by luminaries in the security space.
As you would expect with this many vendors, customers and practitioners all in one place, there are many things going on besides the official conference. Major vendors have suites in the surrounding hotels where they entertain customers, investors and the press; at the show itself, the press area is about the size of a football field. There are vendor events each evening, many deriving themes from the eclectic arts community in the Bay Area. With so much going on, there is a lot to report, but I’ll summarize the major things I observed below.
Mood is better this year. Last year the general attitude was pretty bleak – breaches were everywhere, it was obvious the bad guys were winning. Many security professionals were having a hard time getting money for security spending. The bad guys are still winning, but this year I picked up a feeling that we are fighting back. Nothing shows this more than the fact that senior management is starting to pay attention, in many cases prompted by questions from their boards of directors. This year there was a completely new track named “View from the C-Suite.” The sessions in this track were devoted to strategies and techniques for how to talk to boards and senior management about information security issues. We all know this is a necessary precursor for getting the money we’re going to need for this fight.
There is a real tension between the large American tech firms and the US government. The Feds were all over the place at this conference, pushing the concepts of information sharing. After the Snowden affair, many people/companies/organizations/countries don’t want to hear it. How this will be resolved is not clear – but something has to give.
The NIST Cybersecurity Framework lives! I was both surprised and pleased at the number of sessions and the number of people attending them. At Unisys, we have spent several months characterizing our internal IT security using the Framework. There appear to be several different approaches, but based on what I saw, the one we have worked out seems to be pretty good. This goes hand-in-hand with being able to explain security posture to senior executives – so it certainly is timely.
The conference has evolved to be about more than whiz-bang technology. The legal, public policy, governance and privacy tracks consistently had hundreds of people in two or three simultaneous sessions. This is really good to see since these are necessary disciplines to complement the technology in our struggle against sophisticated and well-funded adversaries.
It’s becoming more and more clear that no matter what organizations do, they cannot keep sophisticated attackers out of their infrastructures. This is leading more companies/vendors/organizations to discover segmentation techniques as a viable way to hide and protect their most critical data. This is really good for Unisys – the Stealth booth got a lot of traffic.