With the end of Tony Blair’s speech, RSA 2012 came to a close. Mr. Blair’s speech was interesting, albeit marginally relevant. Mr. Blair is a personable figure who can be rather funny at times.  However, the attempt to tie world politics with information security seemed tenuous.  Mr. Coviello’s post-speech questions did not help much.  They were limp and elicited no real insights.

It has been a few years since I have been to RSA, but I do feel like I got a lot out of the show. Security is happy, vibrant and sometimes laughable… read on.

Tension Between Practitioners & Salespeople

I noticed that on Friday the tension of the show went down precipitously. I attribute that to the lack of sales people and marketing people gyrating and machinating in the Expo hall. There is a palpable tension between the security practitioners and the sales and marketing people. The sales people were all fear, all the time, whereas the practitioners were decidedly pushing an agenda of practical pragmatism (which aligns with Anitian’s consulting philosophy).

Sales people want to sell, and they will say just about anything to get you to buy their stuff.  I recognize that companies are always going to inflate their value and capabilities, but outright misleading people and lying to them is wrong.  Take note, security sales people, if you have to resort to lies or FUD to make a sale, you do not have anything of value to sell.  Moreover, just because you say you do not sell fear, does not make that true.

As for the practitioners, we need to keep pushing the message of reason and pragmatism.  It is a good message, even if it is boring.  Sensationalism is destructive to overall security practices.

Big Data is a Big Word

Big Data was everywhere at RSA, and upon reflection, this may be a good concept.  Big data is a big problem.  Working toward tools and methods to analyze data and detect attacks is a good idea.

Apple iOS is Secure

I quite enjoyed Charlie Miller and Dino Dai Zovi’s iOS internals discussion. It was very technical and very interesting. After hearing the intimate details of Apple’s security, I am convinced it is a strong platform for enterprise mobility.  I wish they would plug some of the holes, like device encryption, but there are third party options for that.

The Great Anonymous Freak Out of 2012

I think it is funny that a completely leaderless, agenda-less group of people around the world has created such a massive freak out among so many people. If Anonymous does have a leader, I am sure he cackles every day at how much intense obsession his group gets from security and government people.

First, I do not condone hacking or criminal behavior to make a point. But I do admit to a level of admiration for Anonymous and Lulz Sec. They have adopted missions, taken on big foes, and brought them down with some good old-fashioned hacking. Their exposure of HBGary and Stratfor feels like just deserts because it shows how these blowhards were nothing more than scam operations designed to manipulate money and attention from the hordes of minions obsessed to insanity with “security.”

However, for every moment people spend obsessing over Anonymous they have lost a moment where they should be obsessing over their firewall, IPS or antivirus agent. I think it is time to let Anonymous have their fun and quit worrying about them. Also, I think we should note that for all their efforts, they have done some good. Exposing hypocrites and fraudsters is needed in our world. Say what you will about the tenets of Anonymous, at least it’s an ethos (to paraphrase the great Walter Sobchak).

Language of Security

I noticed more and more people are discussing the language of security. This was validating for me, since I have long believed security and language are intimately related. I recently discussed this topic in my Cult of Palo Alto Networks blog entry. One thing that caught me was the different words different people use. Practitioners tend to speak in terms of “risk,” “compliance,” “vulnerabilities” and “controls,” whereas sales people tend to speak in terms of “attacks,” “threats” and “protection.” It seems obvious to me that sales people use words designed to invoke emotional responses, whereas practitioners tend to speak in ways designed to invoke thinking and reason. This is a generalization, of course, but it is not a new idea. Marketing and sales are supposed to appeal to our senses and emotions as a method to compel action. However, emotions and security have a very close and sometimes uneasy relationship.

David Brooks noted how emotion is how we attribute value to a relationship.  Without emotions, we could not form complex trust relationships.  Complex trust relationships are at the heart of good security.  The ability of people, organizations and systems to form, maintain and monitor trust relationships is part of building a sustainable and secure infrastructure where innovation can take place. And we need emotions to be able to ascribe value to those relationships.

However, emotions are a double-edged sword. Emotions can be easily manipulated. Fear is a particularly powerful emotion, one that the security industry, as well as a lot of politicians, has become very adept at using to manipulate behavior in groups and individuals. Entire security products and efforts leverage fear for maximum sales.

As I sat listening to some of the keynotes, I noticed that the language of many of these leaders is decidedly fear-based. Mr. Coviello’s introductory keynote was particularly laden with terrifying words and war imagery.

BYOD

Yes, bring your own device is the buzziest of the buzzwords. After listening to product pitches and practitioners talk, I am warming up to the idea that BYOD can be successful. However, I maintain that it is very difficult and expensive to do BYOD correctly. The sessions on BYOD were clear that effective BYOD begins with sound strategy and planning. I agree. However, the lure of new gadgets and toys often leads companies astray. So, before you go down the BYOD path, step back and make a plan that includes addressing the human and organizational culture elements of BYOD.

The Security Industry is Still Young, Attractive and Strong

While some of us conference attendees are sprouting middle-aged bellies, gray hairs and wrinkles, the industry as a whole is still young and vibrant. That is simultaneously reassuring and terrifying.  Reassuring in that there is still a huge well of innovative thinkers out there.  You can sense their presence and energy.  The next few years promise to be interesting as security is no longer an awkward teenager, but a strong adult.

It is also terrifying for the same reasons. As security matures, it also is getting cocky.  The Expo floor vibe was a gargantuan dump truck full of attitude.  From the ditsy booth bunnies to the self-assured hacker wannabes, the egos were bigger than the shiny booths and clever marketing gimmicks.  Every booth had an army of super perky, super happy, super young, super annoying people ready to, like, be my BFF…or at least until they could scan my card.

Overall, there is still great promise in security.  While I belittle the happy people in the booths, the fact is our industry is happy and happy is good.  The booths at a lot of other industry events the past few years are nowhere near as happy.

So, drink up and enjoy this time, infosec professionals.  The time is now.

Andrew Plato
