In my blog yesterday, I outlined the hot topics I anticipate at this year's RSA Security Conference. Since the show is dominated by security vendors, the show hype will focus on products, services, and various technologies.
So what's missing? A broader discussion on cybersecurity issues, trends, collective efforts, and best practices. Yes, these subjects will get some attention in presentations and break-out sessions, but the show floor and cocktail party banter will lean toward a myopic security perspective around bits and bytes.
In my humble opinion, this is a crying shame. I certainly understand the profit-oriented mentality in play at RSA, but it would be nice to see a broader cybersecurity perspective. Aside from the latest security technology widget, the security industry should take this opportunity to discuss:
The cybersecurity skills shortage. Okay, this is one of my pet subjects, and there are a few presentations (including mine) about the cybersecurity skills shortage on Monday. By now, everyone seems to understand that there aren't enough skilled information security professionals for hire, but few are moving beyond the obvious to discuss the ramifications. When security departments are short-staffed and lack the right skills, they spend their time putting out fires rather than learning the nuances of the latest security point tool or threat management gateway du jour. The reality of the cybersecurity skills shortage should drive every security vendor to concentrate on automating manual tasks and easing security administration/operations. I've seen a few vendors like Lancope, LogRhythm, Narus, and TraceVector see the light, while others continue to push products and services that few have time for.
Privacy. Does anyone else find it ironic that Facebook, Google, and Yahoo are pushing the feds to limit NSA surveillance programs? After all, these firms make a ton of money by spying on their own customers! The USA is years behind Western Europe in terms of privacy protection as Washington continues to favor financial services firms, database aggregators, and credit reporting services over the privacy of its own citizens. Washington seems to be ignoring the sage advice written by Louis Brandeis in 1890: "Recent inventions and business methods call attention to the next step which must be taken for the protection of the person, and for securing to the individual ... the right 'to be let alone.'" The security industry tends to talk about security controls to protect privacy but sidesteps the fundamental issues around privacy. It's time for the industry to take a stand with a more open and integrated discussion here.
Security standards. The next generation of security technologies needs much tighter information sharing, common policy management, cooperative policy enforcement, and pervasive interoperability. This type of collaboration demands a security software architecture based upon open standards - period. There are a few promising developments here, including the recent publication of the FIDO specification, new standards from the Trusted Computing Group (TCG), and contributions like CybOX, STIX, and TAXII from DHS and Mitre. The entire industry needs to buy into efforts like these to make information security more integration friendly and thus more useful.
Automation. Even the most sophisticated organizations remain hamstrung by manual security processes for continuous monitoring, risk management, and incident response. A few vendors like Bradford Networks, Cybereason, Forescout, Great Bay Software, and NetCitadel designed products with this in mind, but many others still address enterprise cybersecurity requirements as if there were a limitless combination of time and security professionals available to learn, configure, and operate their security technology tools. Last April, I wrote that enterprise security is experiencing "death by a thousand cuts." Automating security processes and operations is the only solution to this problem.
As the saying goes, "information security is a process, not a product." Unfortunately, the security industry tends to eschew this truism each year at the RSA Conference. I may be an idealist, but shouldn't we balance our capitalism with a bit more altruism? Our customers would surely appreciate this effort.