RSA 2013 launched today. I bounced out of bed ready to be inspired. RSA2012 was good and gave me a lot of inspiration. This is why I come to RSA. To learn and be inspired, so we can deliver better services for our clients. So, how was the first day?
My first session today was the Security Leadership Seminar. This was a decent seminar. The first speaker, John Iatonna from Edelman, Inc. was a little dry. At one point he said how a security leader needs 45-60 days to acclimate to a new position. I found this too long. He seemed like your typical, “metrics and meetings” leader who has lots of ideas and concepts, but not a lot of insight or inspiration for a team.
The next presenter was Justin Peavey, CISO for Omgeo. He was quite good. He talked about the skills necessary to build an information security team. One of his core points was that some skills can be taught, and others must be native. His example was how critical thinking skills cannot be taught, a person has them or they do not. Whereas technical acumen, such as running a SIEM or performing a penetration test, can be taught.
I agree with Mr. Peavey but would add one critical dimension to the idea. While you can teach people technical skills, they have to want those skills. Information security has a lot of “big talking” people who love the security “lifestyle” (particularly the pay) but are not really passionate for the industry or the technology. As such, it is very difficult to teach them technical skills.
The next speaker was Derek Brink, Vice President and Research Fellow for the Aberdeen Group and he spoke about the role of the CISO in decision making. He was a bit rough around the edges as a speaker, but he made a lot of good points. I really liked his presentation of the “Servant Leader” concept. The basic concept is that a good leader serves his/her people and creates an environment for them to flourish.
This is not his unique idea (I have heard it elsewhere before) but it was good to get this message to security leaders. The security industry has a profound dearth of competent leaders. Instead, we have a lot of leaders who were promoted above their ability, trying to ram security down their company’s throat and whining when it does not work the way they were told it would.
Another concept I liked (for obvious reasons), which both Mr. Peavey and Mr. Brink mentioned was building collaborative relationships with security partners. They both warned against any vendor or partner who is just a “yes man” and does whatever you want. An ideal partner should complement and challenge you, as well as be able to respond to your wishes and expectations. Moreover, they echoed the value in outsourcing security functions to keep capital expenditures low. This includes outsourcing security functions to groups within the company, which I would be a little skeptical about such an action, but open to the idea.
This was not the most eye-opening seminar, but it was reassuring to hear others echo a similar message we deliver to our clients at Anitian.
During the break, I got asked to do an interview for RSA. That was fun. I was all made up and put in front of a camera and green screen. They asked me what superhero I wanted to be. Naturally, I said I wanted to be Captain James T. Kirk of the USS Enterprise. I said he was an inspiring leader, who also got all the alien babes and could go back in time. Who would turn down that job?
They also asked me why I was in information security and what inspired me. I thought about my father, who passed away last year and his impact on me. I also thought about the Anitian team and their loyal dedication to our mission to make security more practical and pragmatic. I also thought about some of historical people I admire, such as Tesla, Turing, Henry Ford and Abraham Lincoln. But it was my daughter, Alexavia, who really inspires me. I want to make a better world for her. I want her to inherit a world where people have the freedom to innovate and create, without fear of hackers and criminals. When I said that, the camera men were deathly silent for a few seconds, and then said “wow, that was amazing.” I guess I said the right thing.
This was one of my favorite events last year. It showcases 10 up and coming new security companies. A quick run down of each:
Wickr provides a mobile security ecosystem where email, texts, pictures or other content can be secured and set to “self-destruct” after a certain time period or upon command. Their motto is “leave no trace” suggesting you can send content all you want and then make it disappear. Their app is interesting, but their speaker really turned me off. It was this blonde woman wearing sunglasses trying to look cool. It came off as juvenile. Note to women in IT: you do not need to act or dress like a bimbo to get noticed, and likewise, the people who will notice you when you act like a bimbo, are not people who you want attention from.
Next up was Victrio, which makes a software that can detect fraud among callers. Intended for call centers, it uses audio fingerprinting to determine if a caller is the actual customer or a fraudster. It was an interesting application, but has a limited applicability. What is weird is that last year’s Innovation Sandbox has almost the exact same company as part of the group: Pin Drop Security. I guess RSA organizers really have a thing for phone fraud detection start ups.
Next was SpotFlux which does something. I honestly had a hard time figuring out what this company does. The presenter fired off a lot of buzzwords and then nonchalantly dropped how he has a box at his booth that can exploit any smartphone out there. This mysterious device was just specially built wifi access point that does a basic man-in-the-middle attack, which is nothing remarkable or special. After some research, it turns out these guys offer what is essentially a managed VPN on your phone that scans your network communication for bad stuff. This company, their product and their presenter were not very compelling.
Next was SkyHigh Networks, which provides a cloud management service. This service purports to identify which cloud services your company is using and then provides tools to control that access. I had a hard time seeing how this product could work and actually enforce these rules.
Next was Silent Circle, which provides an ecosystem product that provides ultra-secure voice, video and data communications. Again, this product is essentially a sophisticated VPN style technology. It allows you to connect with others and send content completely encrypted. It is cool, but seems cumbersome.
Then came Remotium, which offers a virtualized environment to run apps on a smartphone. This is kind of like Citrix for a phone, which makes sense since the founders were behind the Xen virtualization platform. This company won the honor for the most innovative company. Their product is interesting. It is a little like Good Technologies, in that it provides a secure environment to run apps. However, Remotium claims they can support any app and jailbreaking has no effect on them, since everything is run in a sandboxed, virtual instance. Their product is cool and offers some real benefits. I would be concerned about the performance hit this service would take.
Next was PrivateCore, which provides a fully encrypted virtualization system. It took me a little bit to understand what these guys do, but once I got it, I was impressed. This was my favorite, since it has such profound implications. These guys claim they can fully encrypt a virtual host memory and data, without any impact on the hypervisor. Moreover, any traffic out of that can be secured as well. This is a huge issue, because one of the key problems with putting virtual systems in the cloud is that anybody at the cloud provider can see your data, which is a serious problem if that provider is hacked. This would eliminate that problem. The presenter was not the best communicator. He reminded me of Turkish (Jason Statham) from Snatch (“Protection from what? Zee Germans?”) I suspect this company did not win because people had a hard time understanding what they did. This is an innovative product, which may attract the attention of VMware.
Next was Nok Nok Networks, which wins the award for the dumbest name for a company. They publish an open authentication specification. Think of them as basically one big broker for identities, with a proprietary authentication protocol. This company is a little esoteric and I have a hard time seeing how they will be successful. They claim to be funded by several big infrastructure companies. I suspect they are basically an R&D sharing firm that hopes their specification takes off and then those funding companies can control it. If the specification does not take off, which seems likely since there are already a lot of decent authentication protocols out there, then they have nowhere to go.
Next was LightPoint Security which makes some dumb browser replacement that promises do something great. Their product sounded half-baked, their presenter was terrible, and they could barely describe what it is they do. This one was a complete dud.
Last was Bromium, which comes in second place in the dumb name competition. This is essentially a virtual desktop product. Which I see no reason why you would use them, when you can have virtual desktops in VMware. Their presenter was good and had a lot of personality. He cited a lot of good data and examples, but the basic premise of their product seems very flawed.
After each of the companies went there were three presentations from various security people. These were all pretty bad. I especially disliked the presentation on Active Defense from Dmitri Alperovitch of CrowdStrike. Maybe it was his style, but he came off as really condescending and simplistic. His presentation was full of buzzwords, and was short on substance. There is nothing wrong with his company, Crowdstrike. He just needs to work on connecting with an audience more and using less buzzwords.
I left the show around 5:30 a little disappointed. While the day started good, it ended a little weak. I kind of wish I had went to the Advancing Information Security Risk Practices, which was at the same time as the Innovation Sandbox. Oh well.
I missed the social events tonight. Apparently, the big event tonight was some person who calls herself “Security Barbie” organizing a mixer with IOActive. I kind of wanted to go to that, for the same reason people watch Honey Boo Boo. Alas, I probably would not have fit in with that crowd. Besides, I needed to Skype with my daughter.
I remain hopeful and the show is still young. Tomorrow should be interesting. Lots of key notes and I have some interesting meetings lined up.
Anitian – Intelligent Information Security. For more information please visit www.anitian.com