With the Winter Olympics in full-swing, the cybersecurity community anxiously awaits another global event, the 2014 RSA Conference. Like Sochi, the RSA Conference comes with its own controversy, but I still anticipate that most of the global information security glitterati will be in San Francisco two weeks hence.
In spite of the RSA/NSA imbroglio, I for one wouldn't be surprised if this year's RSA Conference exceeded last year's attendance records. Why? The year 2013 pushed cybersecurity further into the spotlight as it featured the President's executive order, an orchestrated cyber-attack on South Korea, the Mandiant APT1 report, the NY Times and Wall Street Journal Breaches, Edward Snowden, and Target (to name a few).
These and other events have escalated the status of cybersecurity issues making them top priorities for national/state governments, law enforcement, and corporate boards of directors. In fact, soon-to-be-published ESG research illustrates that:
62% of organizations worldwide will increase their spending on IT security technology in 2014. This was the second highest spending increase behind cloud computing services at 72% (and cloud security investment will likely pull a lot of associated security spending).
Survey participants were asked: "Which business initiatives will drive the most IT spending in the next 12 months?" More than one-third of organizations (34%) said, "Security and risk management initiatives." Once again, this was the second highest response, this time behind "cost cutting initiatives" at 39%.
When asked to identify their most important IT priorities for 2014, 32% of organizations said, "information security initiatives" (the number one response).
Clearly, cybersecurity issues are top of mind which should drive a lot of foot traffic, product announcements, and cocktail party banter at RSA.
Yes, the RSA Conference should be lively but I think it's important to internalize this market data as it articulates a few more sobering message -- the security stuff we crowed about at RSA Conferences past isn't really working so organizations (i.e. our customers) have to spend more and place a higher priority on cybersecurity defenses in order to protect their businesses (and our data).
To be clear, I'm not blaming the industry but we all have some accountability here. This means eating some humble pie, admitting past mistakes, and work more collectively as a community to address these shortcomings. We need to remember that security is a process and not a product, and it's incumbent upon the industry to help customers improve this process.