One of the most interesting things to learn at every RSA conference is what the collective audience of security vendors, analysts, venture capitalists, government security types, grizzled security professionals — and, of course, we cynical journalism types — see as the main themes coming out of the show. This year’s 2013 RSA conference, held in San Francisco, was no different, and several themes began to emerge as I talked to others about where the industry is headed, and what they thought security professionals and system administrators needed to worry about for the coming year.
In addition to the seven themes I’ve listed here, I’d suggest that you also take a look at what some others have written (or said in interviews) about RSA and the current information security landscape, namely Bill Brenner at CSO Online, Eleanor Dallaway at Infosecurity Magazine, and Mark Russinovich, Technical Fellow at Microsoft. Another must-read is Mandiant’s M-Trends 2013: Attack the Security Gap report (registration required for download), which provides another perspective on the threats facing IT security in 2013.
1. Big data and business intelligence are the buzzwords du jour
Big data and business intelligence are the current trending buzzwords in the more general IT market, and they’ve now seeped into the security space as well. While the promise of big data teamed with business intelligence to combat security threats has a tremendous upside, the reality is that we’re still in the more sizzle/less steak phase of the hype cycle. “Big data and intelligence were everywhere,” said Heidi Shey, a security analyst for Forrester Research. “This is not a good thing if it’s just noise and marketing speak… but most of the time, it is.”
2. IT security job growth is booming
I met with representatives from more than two dozen security vendors at RSA, and all of them stressed that the industry is woefully understaffed — both from a quantitative and a qualitative perspective — with IT professionals who know security. Mark Weatherford, the current deputy undersecretary for cybersecurity at the U.S. Department of Homeland Security (DHS), stressed that getting more IT security people trained and hired is also a matter of national security. “We simply don’t have enough smart people in the security IT career pipeline,” Weatherford said during his keynote address at the Cloud Security Alliance (CSA) Summit. “The unemployment rate for IT security professionals is zero.”
Mark Weatherford speaks at the Cloud Security Alliance Summit at the 2013 RSA Conference
So if you want to brush up your IT security skills, keep up on the latest cybersecurity news and burnish your credentials in the security basics: patching, setting up firewalls, and establishing good security policies.
3. Embrace the “zero trust” model
A common theme mentioned by many security experts at the show was that the old IT security model, a rigid external perimeter built from firewalls, anti-virus software, and patched vulnerabilities, no longer goes far enough. You now have to assume that your systems will be compromised, if they aren’t already, and take steps to identify and eliminate the threats as quickly as possible. “There is no perimeter, [and] no trusted users,” says Shey. “Forget about ‘trust but verify.’ Packets are not people. If you haven’t heard of the Zero Trust Model of information security, I encourage you to check out a Dark Reading article that introduces this concept.”
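To make “packets are not people” concrete, here is an added illustration (my own example code, not anything from the article, Forrester, or any vendor at the show) of the difference between the two models. The perimeter check trusts any request whose source address is on an internal network. The zero-trust check ignores the network entirely and authorizes each request on its own: a short-lived HMAC-signed token binding the user and the device’s management state, checked against a least-privilege policy table. The signing key, the token format, the internal address ranges and the policy table are all constructed for this example; a real deployment would get identity from an identity provider and device posture from an endpoint agent.

```python
"""Perimeter trust vs. zero trust: a constructed example, not production code."""
import base64
import binascii
import hashlib
import hmac
import ipaddress
import json
import time
from typing import Optional

# Constructed example key; a real system would use a key from an identity provider.
SIGNING_KEY = b"example-only-key-not-for-production"

# Constructed "inside the firewall" ranges for the perimeter model.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]

# Constructed least-privilege policy: who may reach what, and from what kind of device.
POLICY = {
    "/payroll": {"users": {"alice"}, "require_managed_device": True},
    "/wiki": {"users": {"alice", "bob"}, "require_managed_device": False},
}


def perimeter_authorize(src_ip: str, resource: str) -> bool:
    """Old model: any packet from an internal address is trusted, whoever sent it."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in INTERNAL_NETS)


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(user: str, device_managed: bool, ttl_s: int = 300,
                now: Optional[float] = None) -> str:
    """Issue a short-lived token binding identity and device posture (HMAC-SHA256)."""
    now = time.time() if now is None else now
    claims = {"sub": user, "managed": device_managed, "exp": now + ttl_s}
    body = json.dumps(claims, sort_keys=True).encode()
    sig = hmac.new(SIGNING_KEY, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(sig)


def verify_token(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if the signature is valid and the token is unexpired, else None."""
    now = time.time() if now is None else now
    try:
        body_s, sig_s = token.split(".", 1)
        body, sig = _unb64(body_s), _unb64(sig_s)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(SIGNING_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return None
    claims = json.loads(body)
    if claims.get("exp", 0) <= now:
        return None
    return claims


def zero_trust_authorize(src_ip: str, resource: str, token: Optional[str],
                         now: Optional[float] = None) -> bool:
    """Zero-trust model: every request is authenticated and authorized on its own.

    src_ip is deliberately unused for the decision; it is only useful for logging.
    Unknown resources, missing or bad tokens, and policy mismatches all deny.
    """
    if token is None:
        return False
    claims = verify_token(token, now=now)
    if claims is None:
        return False
    rule = POLICY.get(resource)
    if rule is None:
        return False  # default deny
    if claims["sub"] not in rule["users"]:
        return False
    if rule["require_managed_device"] and not claims["managed"]:
        return False
    return True


if __name__ == "__main__":
    # An attacker who has pivoted to an internal host sends a request with no identity.
    print("perimeter, internal IP, no identity:",
          perimeter_authorize("10.1.2.3", "/payroll"))          # True
    print("zero trust, internal IP, no identity:",
          zero_trust_authorize("10.1.2.3", "/payroll", None))   # False
    tok = issue_token("alice", device_managed=True)
    print("zero trust, external IP, valid token:",
          zero_trust_authorize("203.0.113.5", "/payroll", tok))  # True
```

The point the two checks make side by side: under the perimeter model the compromised internal host gets payroll for free, while under zero trust the same host gets nothing until it presents a valid, unexpired identity on a managed device, and a legitimate user on an external address gets in. Expiry and the device-posture claim are what stop a stolen token from being useful indefinitely or from any device.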
4. Cloud computing? Less cloudy, more practical
“Cloud computing” has been a security buzzword for years, but it’s now moving from being a nebulous buzzword to a more segmented, specific set of technologies that are gradually being adopted across the board. I spoke with two executives from Barracuda Networks, Sanjay Ramnath, director of product management, and Klaus Gheri, VP of product management for EMEA. Both agreed that cloud computing is moving from the buzzword phase to actual deployment. “Cloud computing was much too broad of a term for a long time,” Ramnath said. “Things are starting to settle down [into specific use cases] where IT is leveraging the cloud for specific things.” Ramnath pointed to how some of their customers are using cloud-hosted apps or building internal private clouds as examples of the increasing segmentation and differentiation of cloud usage.
Gheri mentioned that social engineering is impacting security whether apps live in the cloud or not. “[Email] spam volume is down, but we’re seeing more spear-phishing attacks as a whole across the industry,” Gheri said. “Attackers are getting much better at using social media platforms [like Facebook and Linkedin] to help them target their attacks to the right people.”
5. Cyberwarfare is real
If the ever-present news headlines about corporate espionage and hacking by nation-states weren’t enough to convince you that IT security is becoming even more militarized, one only had to wander through the packed RSA expo hall, where the National Security Agency (NSA), Department of Homeland Security (DHS), and Federal Bureau of Investigation (FBI) had presences at the show. Several of the conference sessions were on how nation-states — specifically China and the US — were using cyberwarfare to achieve national security objectives, and how the increasing activity on this front could eventually lead to a state of outright cyberwarfare. Microsoft Technical Fellow Mark Russinovich has written a fictional account (Zero Day) of how terrorists could use cyberwarfare to achieve their aims. Scary stuff, but this is the new IT security reality, folks.
6. The information security glass is half full
One of the brightest spots of the conference was Microsoft’s RSA keynote, where Microsoft Trustworthy Computing Group President Scott Charney touted all the advances that have been made in the field of information security over the years. Before the cynical among us begin to tear down that assertion, Charney did make some valid points. IT security has improved over the years, and Microsoft Windows in particular has become one of the most hardened modern OSes available, despite the necessity of regular patches and security updates.
7. BYOD is the new battleground
Mobile devices — and the now ubiquitous Bring Your Own Device (BYOD) acronym — were also hot security topics, as IT has had to contend with an ongoing onslaught of devices making their way into corporate offices. During an interview with Charlie Pulfer, the VP of Product Marketing for information security vendor Titus, he mentioned the recent news that the US Department of Defense had announced a program to allow wider use of Android and iOS smartphones in the military. While traditional IT departments are grappling with how to manage security and maintain compliance with corporate directives, the military is getting into the game as well.