Over the past few years, I have chronicled the RSA conference with snark, praise, cynicism, and strained pop culture references (in 2017 it was the Road Warrior). This year, I will depart from this, to reflect on what is happening in security.

Okay, maybe a little snark.

In another departure for me, I spent most of RSA outside the actual event. I attended the AGC conference on Monday, as well as many other meetings, parties, and events. Many people have said this is the only way to do RSA. Or in the parlance of WOPR, the only winning move is not to play. (That’s from WarGames.)

RSA’s sessions and keynotes are infuriating. It is the same people, saying the same things, with the same tone, set to the same music. RSA’s theme this year was “Better.” Better than what? A swift jab in the liver? RSA adamantly refuses to change the tone, message, structure, or speakers of the show. The only thing that got an upgrade this time around was the expo hall. Otherwise, it was the usual cavalcade of banality.

This is why all the interesting content has moved to the periphery of RSA. Inside the confines of RSA, there is no room to expand the conversation.

Too Much

Those confines are overcrowded as well. Complexity is killing security. There are too many products, too many vendors, too many attacks, too much data, too many self-important blowhards writing blogs, too many opinions, and way too many bad ideas being hawked as the next big thing. How many times do we need another self-proclaimed uber-hacker guru on stage telling us “the key to security is blah blah blah?”


Nobody outside of the NSA or US Cybercom should spend 1/1000 of a microsecond thinking about attribution. The key to security is not another grand idea about the arcane nuances of risk management. The key to security is not another panel discussion between four vendors vomiting marketing nonsense.

I am not sure any of us know what the *key* to security is, but I am absolutely sure it is not more complexity. Simplicity is desperately needed. We must solve actual, tangible business problems.


All this complexity has CISOs and business leaders seriously fatigued. I observed a broad range of behaviors and reactions from people in leadership roles who are fed up with security.

On one extreme, there are the emotionally insecure CISOs who constantly badmouth vendors and beg for us to understand their selfish needs. This group is antagonistic, self-absorbed, hostile, and (unfortunately) getting far more mindshare than they deserve. The weakest dinosaurs have the loudest howl on the downward spiral to extinction.

The more well-adjusted leaders are keeping their hostility in check and bypassing all the products and promises. They are looking for fully orchestrated solutions rather than yet another silver-bullet point solution. This is a big conceptual change that I will discuss later in this blog.

But most of the leaders are lost. Adrift on a sea of fear, uncertainty, and doubt. Bouncing from one vendor to the next, perpetually seeking out silver bullets to load into water pistols.

This is why we have caturday!

Is that a Cute Kitty?

The expo was as loud and noisy as ever, but there were fun things to do. Moscone is looking a lot better. The new expo hall layout was much better.

Also, there were puppies (at ThreatQuotient’s booth) and kittens (at TinFoil security). Yeah, it’s a gimmick, but who cares, they were super cute.

Our gimmick was bags of Portland’s own Stumptown coffee.  It was so popular we gave away 1000 pounds of the magical elixir of life. 

Cats, coffee, and security…I’d buy that for a dollar. 

Yawn, Innovation

In the less adorable category, I did not see a single interesting new technology. The Innovation Sandbox winner was … drum roll … an asset management company.


Okay, sure, asset management is an extremely important aspect of security. But innovative? Maybe back when Nine Inch Nails was considered edgy.

I mean no disrespect to the winner; their product is perfectly good. This win, however, exemplifies how little RSA has changed in the last 20 years. Surely there must be some AI powered secbot learning blockchain big data state-sponsored mathematical heuristic engine with lasers on its frickin’ head technology that is the next big Gartner Magic Quadrant thing that captivates the masses.


Oh, and don’t call me Shirley. 


Saying that security is moving to the cloud is an understatement. Everybody was talking about the cloud. Even the dude on the street smoking a huge joint, but that was because the cloud was raining on him. 

The merging of cloud, DevOps, and security is fundamentally altering how security is done. This is a topic I have written on extensively in this blog.

If you need proof that the cloud is the future of security, then look no further than security darling Palo Alto Networks. Their $560M purchase of Demisto was a loud, clear message that the future of their business is automation and cloud.

The Automation Suite

Which gets me to the one “innovation” that is interesting: orchestration. Automation may be hot, but orchestration is what makes automation meaningful. It is not enough to automate a single thing. Automation must be orchestrated into a workflow that solves a clear, well-defined business purpose.

If you look back over the last 20 years, security has been all about gadgets that make promises. NGFWs, for example, got more and more powerful, and made larger promises to protect a network. But a NGFW must be deployed properly, monitored diligently, and tuned consistently to actually fulfil that promise. Otherwise, it is merely a box of empty promises.

We have too many promise gadgets. The new realm of innovation is not another gadget, but rather stitching all those promise gadgets together to solve a specific business need.

I admit to having bias here. My own company has released a product in this space: Sherlock Compliance Automation. This is exactly what our technology does. It is not an endpoint product (or SIEM, or vulnerability scanner, etc.); rather, it automates the deployment, configuration, and management of that technology to meet a specific business need (compliance).


Which gets to the last big theme from RSA 2019 – DevSecOps. While this is one of the buzzier buzzwords, it is ultimately what drives orchestration. I view DevSecOps as the “codification of security.”

Traditionally, security is done after a network or application is deployed. Let’s call this what it is: after-the-fact security. Which is why we have an expo hall filled with promise gadgets.

In the cloud, everything is code: infrastructure, configuration, applications, storage…it is all code, all the way down. Security can now be part of that. Which means that security can now be enforced and enabled by default, and by design. This also shifts security left, to be an integral part of the development process. It has the added benefit of forcing developers to build within a secure, compliant environment right from the start.

Security, development, and operations all become part of a common code base. The benefits of this are huge. I could spend another 2000 words on this, but I will leave that for my next blog entry.

Of course, this requires a whole different skill set. Specifically, you have to be able to code, or at least to comprehend how the code is built. This partially explains some of those hostile CISOs I mentioned earlier. Change affects people in different ways.

Surely, the Best of Times?

Okay, RSA is due credit for a theme that was simple. “Better” is a concise way to define where security needs to go. If security is ever going to become simple, it starts with the simplest things.

RSA is not perfect nor will it ever appeal to all. It is, for better or worse, the big event of our industry.  I mock it, but I also love it. It is infuriating, and exhilarating. It is the best of times, and the worst of times.  It is the age of wisdom, and an orgy of foolishness. It is another strained cultural reference, and the end of my blog. 

See you next year. And stop calling me Shirley.
