This year marked my fourth RSA Conference – I’ve attended three in San Francisco and one in Singapore – and each year there are some stand-out issues and themes that dominate discussion.
In my view, there were five clear themes that stood out this year. They were a shift in focus from detection to prevention, the balance between the right to privacy and the need for security agencies to access encrypted data, the importance of a risk-based approach, the ongoing skills shortage, and that no one really knows how to secure the Internet of Things.
1 - The detection/prevention pendulum
Over the last couple of years, the biggest buzzword in enterprise security has been “security analytics”. There was a belief, or perhaps resignation, that system breaches were inevitable so security professionals needed to get a better understanding of what was happening inside the enterprise by using SIEM tools, machine learning, artificial intelligence and other tools to detect anomalous behaviour.
This year the inevitability of being breached was challenged. With so many major breaches reported last year – the US Office of Personnel Management, Anthem and Ashley Madison were common examples used by many presenters – organisations realised these incidents may have been preventable, or the impacts significantly reduced, had better defensive measures been in place.
This year, many speakers spoke about the importance of the endpoint, both as a line of protection and as an intelligence tool to detect what adversaries were targeting in order to better align defenses.
2 - The balancing act between security and privacy
The timing of the FBI and Apple battle over access to the encrypted data of the iPhone 5c used by the San Bernardino terrorists ensured this was the most spoken about topic for the conference. In hallways, conference rooms, bars and restaurants across San Francisco, it was almost impossible to have a conversation where this didn’t come up.
There was no middle ground in the discussions I was privy to. People very firmly aligned themselves on either side of the debate with little chance of reconciliation or compromise.
The only consensus I heard was that this fight was critical and that it would not be resolved until the matter was played out in the Supreme Court.
3 - Risk-based information security
This wasn’t a particularly new theme this year, but what has changed is an understanding that no one really understands how to accurately quantify information security risks.
Insurance companies are coming to understand that while the cloud delivers many business benefits, a breach at a major service provider such as Microsoft or Amazon, however unlikely, is not impossible and that such an incident could result in insurers paying out to thousands of clients for one incident.
CISOs and CSOs are starting to look for staff who can see a technical risk and translate it into a business risk that can be better quantified and described to the C-suite and board so they can make decisions.
The days of CISOs and CSOs saying “there’s a major threat out there” and getting more money to combat it are soon coming to an end unless those threats can be shown to affect the business.
4 - The skills gap
During the opening keynote, RSA executive director Amit Yoran told people to “stop whining” when it comes to the skills shortage in information security. His advice was to address the issue head on and start identifying and training your own talent.
5 - The Internet of Things
Almost every single person who spoke about IoT mentioned the same Gartner study that predicts there will be in excess of 20 billion IoT devices connected to the Internet by 2020. Interestingly, that definition covers everything from cars to household appliances to remote sensors. The way different device classes can be secured varies greatly, with different experts and vendors touting everything from working with device makers to embed security on every one of those endpoints, through securing data aggregation devices, to relying on constantly scanning network traffic and using AI to look for anomalies.
The other issues I’ve mentioned are all more immediate but the IoT looks to be the biggest sleeper issue in information security today. No one I spoke with had any way to quantify, with any degree of confidence, the actual numbers of devices, volumes of data or even what sorts of devices might require some level of hardening and monitoring.
My gut feeling is it will take a serious, in-the-wild breach for IoT to get some serious attention.