Important and Banal Topics You’ll Hear at the RSA Security Conference

Just 3 weeks until the annual RSA Security Conference geek-fest in San Francisco. Should be a good one since the economy is doing okay, VCs are throwing money around and organizations are increasing security budgets. Oh, and let’s not forget that the NY Times and Wall Street Journal just reported major security breaches.I’ve attended the RSA show for the last dozen years or so. Over that time period, the show has morphed from a down-in-the-packets security technology expo to a run-of-the-mill industry trade show chock full of hype and cluelessness. Heck, vendors and PR pros provide their marketing collateral by distributing USB thumb drives throughout the Moscone Center! That’s like handing out packs of Marlboros at an Oncology convention.So the RSA Security Conference isn’t Black Hat or Defcon, but it is an opportunity to talk with security vendors about security products, trends, requirements, and innovation. Of course, these discussions can also be filled with nothing but buzz words. With that, here are some of the “big topics” I expect to hear about at RSA and my humble analysis of each.1. Mobile security. The good news: This discussion is very timely as many organizations are struggling with mobile policies, security controls, and monitoring of mobile devices. The bad news: Much of the mobile security discussion will focus on basic stuff like anti-virus, network access, and remote wiping of devices. Important but boring. IMHO, the security industry should be having a bigger discussion. How do you secure the new applications and business processes popping up because of mobile devices? Are mobile application developers writing secure code? Is anyone testing this? How does mobile computing security integrate or change existing security processes and best practices? The security industry must be part of a broader discussion on mobile computing rather than figuring out how existing controls work in a mobile world. 2. Big data security analytics. Recent announcements by IBM and RSA are a great start but I’m finding that the security community at large really doesn’t understand what’s going on here. Rather than throw around big data buzz words like Hadoop, MapReduce, and Pig, I hope that the industry will focus on user education. In other words, answer the following question: What problem does big data security analytics address and how? 3. Next-generation firewall. With all due respect to Palo Alto Networks, next-generation firewall discussions are really about product features and packet processing rather than any radical departure from the status quo. Yes, PAN nailed a requirement, executed well, and deserves its success but the real discussion should be about next-generation enterprise network security rather than a gateway appliance. To me, this is where everything comes together: network security policy, context, enforcement, network behavior monitoring, PCAP, etc. I’m hoping to have this discussion with PAN as well as Cisco, Check Point, Fortinet, Juniper, McAfee, Sourcefire, etc.4. Advanced Malware Detection/Prevention (AMD/P). Another extremely worthwhile topic. My guess is that a multitude of vendors will announce AMD/P gateways to compete with FireEye. Okay but AMD/P discussions should extend beyond blocking/prevention and highlight security intelligence, analytics, incident detection/response, and lessons learned.In 2005, it was cool to talk about the hot threat management point tool Du Jour. In 2013, these discussions make you look like a newb. Vendors should ask themselves one question before deciding what to underscore at RSA: What do CISOs care about? Hint: They care about the whole enchilada not just the salsa.