RSA Observations Part I

I’ve been to about a dozen RSA Conferences in my career.  Some were really geeky, some were nothing but hype, but last week’s event stood out as truly valuable.  Yes, marketing rhetoric was in the air as always but under the spin was some truly good dialogue. 

In the first blog of my RSA review, here are some my observations:

1.  Security substance.  Beyond the hype, there was a lot of discussion about real universal security issues.  How should large organizations address new threats, sophisticated malware, and targeted attacks?  How can we get better situational awareness?  What about risk management?  These are the real topics that need a lot of air time.  I was particularly impressed with HP’s Security Intelligence and Risk Manager (SIRM) announcement.  There are similar products in the market but this announcement helped vault HP’s security profile.  HP’s enterprise and industry experience is a welcome addition to this space.

2.  Policy, policy, policy.  In the near future, security enforcement will be based upon granular policies around users, devices, network location, time-of-day, etc.  Cisco TrustSec and Identity Services Engine (ISE) are built for this purpose.  What we need is some type of publish-and-subscribe policy management architecture with distributed enforcement for all controls.  

3.  Mobile security mania.  There are nearly 100 companies offering some type of mobile security and/or MDM product.  It seems to me that mobile device security is a close cousin of endpoint and network security so my guess is that companies like Check Point, Juniper, McAfee, Symantec, Trend Micro and Websense win in the end.  Still, mobile devices are at a series of strange intersections.  My phone and iPad are consumer devices used for corporate applications.  In the case of phones, I own it, pay a monthly fee to a carrier, and use it for business purposes.  Everyone wants a piece of this business but how do you manage all of these players.  Additionally, what are the legal issues for all parties?  We need to secure these devices but I am not at all convinced that we know how this will play out.

4.  Cybersecurity meets information security.  In the past, the cybersecurity community (i.e. the Beltway and the Feds) acted quite indenpendently from the information security industry and security professionals.  Washington had its own language and chumy organizations that remained foreign to the Silicon Valley security crowd.  Given the synergies here, these two groups are slowly coming together.  I ran into Melissa Hathaway and Richard Clarke and I know lots of other folks were making the rounds.  SAIC had a booth and participated on several panels.  This is a very positive development for everyone.  The cybersecurity crowd has great experience and resources that have been invisible to the security community at large.  Alternatively, Washington needs to move beyond its bubble to work with and recruit external security expertise.  I hope this trend continues, we all need to learn from each other.

More soon.