The 2011 RSA Conference is only 3 weeks away so the entire security industry is gearing up for this annual gathering of paranoid geeks. As an analyst, I've been getting lots of email about what vendors will discuss at the event and I've also spent a bit of time perusing the conference web site.
This activity leaves me a bit concerned. Why? There seems to be a tremendous focus on cloud security at this year's event. All kinds of "voyage to the cloud" rhetoric, how security is the biggest hurdle, and then a plethora of tools, technologies, and services aimed at addressing cloud security.
Now don't get me wrong, cloud security is an important topic. There is a tremendous amount of brainpower and investment going into cloud computing. Yes, we will get to a cloud computing model over time, and security is truly a stumbling block. This issue is being addressed by organizations like the Cloud Security Alliance (CSA) and NIST's Federal Risk and Authorization Management Program (FedRAMP). My issue isn't with the topic per se; it is with the prioritization of the topic. When ESG Research asked 611 European and North American IT professionals to define their top IT initiatives for 2011, 16% responded, "increase the use of cloud computing services." This was the 12th most popular answer, well below such things as "increase use of server virtualization" (30%), "manage data growth" (24%), and "major application or deployment" (23%).
We certainly need to be proactive with cloud security, but let's not get carried away on addressing future risks when we are swimming in so many current risks. In the recently published ESG Research Report, "Assessing Cyber Supply Chain Security Risks Within the US Critical Infrastructure," 68% of cyber security professionals working at critical infrastructure organizations believed that the threat landscape is worse today than it was 2 years ago. When the entire security community gets together at RSA, shouldn't we be focused on why security professionals feel this way and what we can do to address this increasing threat landscape?
If I were running the show, here are some of the things I'd focus on:
1. Sophisticated and evolving threats. We all need a better understanding of our adversaries -- who they are, what they do, and how they think. A new piece of malware is created every 1.5 seconds. Shouldn't we dedicate security brainpower to this real problem?
2. Creating, monitoring, and enforcing security controls. The security industry is too hung up on products. We need more discussion on sound policies, processes, and controls -- not just the latest threat management widget du jour.
3. Security management. Closely related to number 2, we need better ways of collecting, analyzing, and reacting to an avalanche of IT data.
4. Identity. This issue gets more dicey each year. We need to talk more about the people and devices that interact in cyberspace and how to better control these relationships.
I understand that security vendors want to make money and that PR and hype are a big part of the technology industry. That said, we as a security industry must recognize that we aren't selling PCs, gaming software, or disk drives. If we can't secure our existing networks and databases, will any responsible organization ever move to cloud computing?