Final thoughts on the RSA Conference

The RSA Security conference 2014 has come and gone, and based on my experiences in San Francisco, it certainly appears we are in an “industrial revolution” as information security activity, innovation, and investment continue to grow. Early indications are that this was the biggest RSA Conference of all time. 

Here are a few of my final thoughts on the show and the current state of cybersecurity:

1. The IT security skills shortage is finally influencing the industry. I gave a presentation on the IT security skills shortage and there were roughly 400 people in the audience. While I’d love to believe that it was because of my oratory skills, it’s more likely due to the fact that everyone in the industry – users, vendors, researchers, academics, government agencies, etc. – has been impacted by this issue. After years of playing the role of Chicken Little, however, I finally see the industry responding to the skills shortage issue. Vendors are focused on ease-of-use for product deployment.  Some have hired GUI experts. Companies like Cybereason, McAfee, and NetCitadel are pitching security operations automation. The industry finally realizes that we need to make security professionals more efficient and help them work smarter; not harder.

2. There are two sides of endpoint security to consider. The endpoint security market is going through a period of transformation as vendors see new incident prevention, detection, and response opportunities. This trend is the catalyst for lots of financial activities and innovation – Bit9 acquired Carbon Black, Blue Coat partnered with Guidance Software, Cylance grabbed $20m in its B round, FireEye bought Mandiant, Trend Micro introduced endpoint forensics, etc. Lots of other vendors, including Cisco, IBM, and RSA Security, have also thrown their hats in the endpoint security ring. Good move, as this is a $4 billion-plus market, but I had a lot of discussions at RSA about a completely different model. With BYOD, mobility, and IoT, the majority of endpoints may be completely unmanaged in the future. What then? As this happens, we’ll need better security instrumentation of endpoints (i.e. TPM, TXT, etc.), better standards (i.e. NIST SCAP, SWID tags, FIDO, etc.), and granular network access control (i.e. Trusted Network Connect endpoint compliance profile, Bradford Networks, Forescout, Great Bay, etc.).

3. The NIST Cybersecurity Framework is already gaining traction. Many security vendors told me that they are already seeing demand for Cybersecurity Framework assessments and are being asked about how their products/services will align with the Framework in the future. On the supply side, government integrators like Booz Allen Hamilton, CSC, Leidos (SAIC), Lockheed, and Raytheon want to ride NIST Cybersecurity Framework momentum to penetrate the private sector. They are already dedicating vast resources toward this push.

4. Managed services are a growing part of the industry. By all accounts, MSSP and SaaS security are growing twice as fast as traditional security product sales. You’d think this would be focused on mid-market customers, but enterprises are also looking for security help in all areas. Venture capitalists generally eschew investing in security services firms since they don’t get the multiples of product companies, but given the current security market and managed services growth, Sand Hill Rd., has its checkbook out for startups like Convercent and SkyHigh Networks. Established players like HP, Proofpoint, and Symantec are also well positioned here.

On a final note, I have to give a shout out to Webroot. Not only did the company announce BrightCloud, a threat intelligence and endpoint breach protection solution at RSA, but it also hosted a great private party featuring Lee Ritnour, one of the best jazz guitarists in the world. I love cybersecurity banter as much as anyone, but it was great to take a break from the RSA hype and watch a true maestro perform.