Every year, the RSA Conference is an exciting opportunity to get the security industry together to debrief on the past year and look ahead toward how we can ensure more security in the coming months. This year, as always, I was inspired by the great work and technological advancements on display from a wide range of impressive security vendors. However, as I attend the event year after year, there are also some concerning patterns I see on a regular basis that are unfortunate byproducts of an otherwise great event.
Here are a few things I saw this year that I’m hoping won’t be making an appearance at RSA 2018.
Unreasonable vendor claims and silver bullets. Every year, countless security vendors roam the show floor at RSA, promising that their latest revolutionary tool is going to solve the entire world’s security problems. Don’t get me wrong – innovation in the security space is extremely important and a crucial way to ensure we are staying ahead of attackers. However, too often these vendors are overpromising and underdelivering, leading customers to invest too much money into disparate security products that don’t actually make them more secure.
Let’s be honest, there are no silver bullets in security, and as an industry, we need to stop telling CISOs that they exist. Ultimately, an effective security program requires a more comprehensive approach to risk management, focused on integrating several different technologies and building a strong security team to manage these systems.
The “spray and pray” approach to security has long been inefficient, and it’s disheartening to see vendors continue to capitalize on this trend.
Scare tactics as a selling tool. Along those lines, many vendors seek to sell their goods by scaring organizations into believing they need them. Highlighting the latest big security breach and claiming to have been able to stop it if only that organization had had their product isn’t a positive way to sell your wares. Additionally, scaring companies into thinking that if they don’t have one specific security component their entire organization is immediately at risk isn’t an effective approach to security either.
The truth of the matter is that most mature companies are not buying the fear, uncertainty and doubt being put out. If we as an industry continue to cry wolf about threats and attacks, I fear we will lose credibility and ultimately do a disservice to our customers.
We need to see organizations taking a cohesive, thought-out approach to security, not jumping at every new product on the market for fear that they’ll be compromised if they don’t.
Breach-shaming. All organizations have security risks. Period. While the industry works tirelessly to help organizations avoid being compromised, the fact is that breaches are going to happen. When they do, too often the company that was victimized is barraged by criticism from the rest of the industry, who say it should have implemented this product or this service or this response. This form of “Monday morning quarterbacking” benefits nobody; instead, we should be looking at companies’ past misfortunes as valuable lessons for the entire industry. The only benefit of a major breach is that it provides us with information we can use to prevent something similar from happening in the future. Rather than shaming an organization that happened to be on the wrong side of it, we should be using a large-scale attack as motivation to continue to innovate and create better security for the future.
A promising trend: More collaboration. I don’t mean to be overly negative about what was otherwise a great event. There is one area in particular that was motivating to see: more collaboration. It’s no secret that the threat landscape is continuing to evolve. Integrating technologies and sharing intelligence among the world’s leading security organizations is a crucial way to stay ahead of growing threats. Rather than allowing attackers to target multiple organizations in turn, if each organization were aware of an attack as soon as it happened, the attacker could be stopped before moving on to the next target. Likewise, allowing organizations to integrate their technologies to provide customers with a more manageable and easily deployable security infrastructure is a great way to enhance security while minimizing extra effort on the part of the user. At RSA this year, I was inspired to see many organizations echo this perspective and make an effort to improve collaboration moving forward. As the dust settles from RSA, I hope we will continue to see much more of this trend throughout the year.
Overall, RSA was once again an inspiring and motivating event. I’m already looking forward to next year!