Huge turnout at RSA shows hackers are winning

The high number of attendees and exhibitors at the security confab is an indication of troubled times

In the battle between enterprises and malicious hackers, the bad guys are clearly winning, judging by the sheer number of people and exhibitors at the RSA security conference going on in San Francisco this week.

With an estimated 30,000 attendees and more than 400 exhibitors, RSA 2014 is the biggest event since its launch as a conference for cryptographers in 1991.

That's clearly a good thing for RSA, which by one analyst's estimates generates more than $100 million in revenues from the event. It's also a great thing for security vendors because it shows demand for their products is booming.

But the conference's growth is also a sobering reminder of the continuing challenges enterprises face in protecting their networks and data against malicious attackers. The RSA conference is not a Consumer Electronics Show or a Mobile World Congress. If demand for security products is increasing, it's because security tools are not doing the job well enough, enterprises are not implementing them properly or because hackers are finding new ways to breach networks.

Whatever the reasons, the security problems are continuing to grow for companies. It's one thing to have a home alarm system and another thing entirely when it takes guard dogs, perimeter fences, security grills, motion detectors and guns. Then it becomes an indictment of the entire neighborhood.

Year after year, vendors use RSA and similar venues to tout state-of-the-art security technology. Some of the products are enterprise tested and ready. Many are vaporware products fueled by hype from venture capital dollars.

This year is no exception. Two cavernous halls at San Francisco's Moscone Center are filled with vendors offering a dizzying array of products purportedly addressing every conceivable enterprise security need.

There are technologies for predicting, detecting, blocking, responding and mitigating attacks. There are tools that let enterprises measure risk, prioritize assets, control privileged users and monitor network behavior on a continuous basis.

Like every year, some products are touted as trend-setting, just like antivirus tools, firewall technologies, security incident management products, IPS products and data leak prevention tools were pitched a few years ago. This year, the buzz is about automated threat monitoring, network intelligence, data analytics and incident response.

Many vendors are using the breach at Target as a classic example of what could happen to enterprises that fail to implement their specific product or technology.

"If you have an intelligent opponent, it behooves us to make our systems better," says Sam Curry, chief strategy officer and chief technologist at RSA. The best way to do that, he said, is to combine traditional approaches with data analytics and selective automation of crucial processes.

Meanwhile, IT security practitioners have their own priorities. For them, the challenges are more about finding the budget and the resources needed to keep their networks and their data safe. For them, it's about secure design and development, reducing points of failure, and implementing role-based access control and principles of least privilege. It's about metrics and measuring security ROI.

It's also about people. A survey sponsored by Hewlett-Packard Co. and released at the conference shows that about 40% of available IT security jobs this year will go unfilled. About 56% of the 500 companies surveyed had no chief information security officer and only 32% offered a career path in the security field.

"What we see is a great increase in cyber offensive capabilities," on the part of hackers, said Jacob West, HP's chief technology officer. The lack of skilled professionals is creating a skills gap between adversaries and industry, he said. But that's not the only problem. The larger issue is the lack of security roles among application designers, developers, quality assurance teams and operations teams, West said.

For Greg Schaffer, CISO at technology investment firm the Circumference Group, information security is "ultimately about people, not about technology."

Enterprises can implement all the technology they want, but without the right people in place, the technology will do little to help, Schaffer said during a panel discussion.

In the information security space, "success is about incremental progress," he said. Like ants, cyber thieves will find a way to get inside even the best protected home. The key is in being able to detect and eliminate them when they break in.

Some of the best minds in the industry are working on finding new, repeatable ways of detecting, blocking and responding to attacks in a more effective way. Some day soon they better start working more effectively.

As Gary Gagnon, CISO at MITRE, a technology research firm, said, the increases in security budgets that enterprises have seen in recent years cannot be sustained. At some point, enterprises will need to find a way to bend the budget downward again.

Meanwhile, hackers keep breaking into systems, and no one can really say why that is happening, despite the billions of dollars spent on products like the ones showcased at RSA.

This article, Huge turnout at RSA shows hackers are winning, was originally published at

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed. His e-mail address is
