RSA Conference 2016 was very interesting this year to say the least. As someone who works with a network of partners and resellers, seeing the buzz and emerging technologies firsthand reinforced for me the focus of the security market: trust. My perceptions may surprise you, so let me start by saying that I believe traditional hardware and box-based resellers have a big challenge ahead of them in 2016. Here’s why.
The big buyers and users have security product fatigue and depleted IT budgets. And they believe there’s nothing available to keep the bad guys out, protect their data, or secure infrastructure systems. Since it’s pointless doing the same thing over and over and expecting different results, the new security focus I saw at RSA was on strategy and approach. Security and IT infrastructure vendors that provide services instead of focusing on selling product will win.
Battle Bots Round Encryption: Business vs. Government
There is mutual agreement and consensus that no security technology is as important as encryption. The recurring discussion that continues to resurface every five or so years is how best to handle that power, because with great power comes great responsibility, à la Spider-Man. The recent Apple vs. FBI standoff reminded RSA attendees of that, and all sessions made reference to or addressed this hotly debated topic. No answers were provided, only additional questions about where the lines will be drawn.
The comment that summed it up best was made by Brad Smith, president and chief legal officer for Microsoft, at the “RSAC 2016 Keynote Speakers Talk Apple, Encryption and the FBI”: “We can’t advance without trust but the world will only trust technology if the law can catch up.”
Everything Old Is New Again
Another prevailing discussion heard at RSA 2016 was that technology wasn’t the problem, people were. First responders in IT security all agree with that statement, but the focus continues to be on the next shiny new object that will solve the industry’s security problems. Why? Because the security industry focuses on responding to incidents instead of preventing the attacks.
The next generation of security technologies will not assist people with the threats they face today because hackers continue to harass us with their creativity, patience, and persistence. If one avenue doesn’t work, hackers focus on another weak link or home in on a different target, looking for another potential door to kick in. These individuals, organizations, and nation states don’t play by the rules that security analysts live by. Until the game changes we won’t win.
A new perspective is starting to resonate: instead of waiting for the bad guys to break your door down, why not hunt the attackers down or set traps and ambush them before they get in? Let’s go backward in time for just a moment — dig a moat and fill it with alligators, build a trebuchet to greet attackers with flaming balls of tar, and position expert archers on towers to greet the uninvited — we’ve returned to Castle Protection 101.
Has Work Smarter Not Harder Lost Its Luster?
Threat intelligence is the current buzz and everyone claims to provide new information you need. But will the data provided by the plethora of vendors really help you make decisions about your security to keep bad guys out of your systems? How much does that information cost you monthly? Annually? Are these threats validated or will the volumes of information keep you so distracted and mired in research that an army of Trojan horses can slip in? The defensive approach seems to resonate, and negates the need for many of the sampling, analysis, and reporting services out there.
The Fluffy White Thing (a.k.a. The Cloud)
It has been around and visible at RSA for at least five years, but the emphasis placed on it by vendors and breakouts significantly increased this year. The Cloud and Virtualization Sessions boasted 15 tracks alone. Everyone seems to have a cloud play, but do they really? Rich Mogull wisely commented in his blog post “Securosis Guide: Escape from Cloud City” that few products are truly cloud native and ready for those cloud architectures. According to him, “Running as a VM isn’t the same thing as being cloud native.” This is an important point to drill down on when you’re talking to any vendor that professes to be cloud-based. As a cloud security vendor, we understand the challenges companies face when making the decision to secure their assets and take the leap into the cloud.
What did you think about RSA? We’d love to hear your comments in the blog or via email.