This week Doc Hugh Thompson of RSA fame was in London. We had an interesting and entertaining debate on current and future trends. Hugh is a consummate, multi-tasking professional: lecturer in Cyber Security at Columbia University; Chair of RSA Conference; and Chief Security Strategist at Blue Coat. He's also a larger-than-life character, with a keen interest in technology, human behaviour, and innovation.
Blue Coat products have a strong position in the market (80% of Fortune 500 they tell me) based on their easy-to-deploy security appliances which have the useful feature of providing visibility of encrypted SSL traffic. They have recently added additional features such as sandboxing and advanced analytics to combat APT threats, making them a good choice for an enterprise security gateway.
Not surprising we talked about encryption. Default encryption has been suggested as the best way to protect web users' privacy online, and it's on the increase as more and more organizations switch from http to https. Hugh tells me that around 25% of incoming business traffic is now encrypted. However, this trend presents a major problem for enterprises, as it also enables attackers to hide their communications. Security demands the ability to read traffic. Encryption creates as many problems as it solves. In my view it will not succeed. The future is more likely to be a hyper-connected world in which no information is secure.
Information sharing is another hot issue we discussed. I take the view that it's simply not viable as legal, compliance, and political considerations discourage any release of sensitive information to third parties. Governments can't easily share secrets with international companies. And executive boards don't like security managers telling others about incidents. Countries with state-owned industries clearly have an advantage here, though such an infrastructure carries its own baggage.
Another topic was conference audiences. RSA Conference has seen a trend away from a technical security community towards a more business oriented security community. My view is that security managers are going native. They need to stand up to, rather succumb to business managers. I've also noticed that compliance and audit functions are now setting more of the security agenda. Large financial organizations now have almost ten times more people policing them than securing them. At this rate ISACA conferences will overtake RSA conferences in size.
We both agreed that speed, imagination, and attention to the human factor are the keys to security in the future. CSOs need to escape the burden of compliance and be empowered to practice real security. Personally I don't believe this will happen until after an electronic Pearl Harbour incident.
Unfortunately we ran out of time to discuss deeper issues. But we did agree to continue the discussion next time Hugh is in town.