Monday sees the start of the RSA Conference and exhibition in London, which I’ll be attending. It’s a significant occasion, with a reasonable level of sponsorship and attendance. But it’s very different from its US counterpart. For one thing, it’s a lot, lot smaller: just a fraction of the size of the San Francisco thrash, which attracts a staggering 17,000 or so attendees. But more interestingly, it’s “softer” in focus, with more emphasis on non-technical issues.
Earlier this year, following a trip to Miami, I suggested that US and European UK approaches to security were converging. I now question if that’s really the case. The US security community has clearly picked up the “process” focus that many UK firms have practised for decades. But that could be largely down to regulatory compliance pressures. More significantly, few US companies appear to have latched onto the “people” side as much. You can see that, for example, by the absence of coverage of this subject in next year’s RSA Conference USA.
It will be interesting to see how 2009 plays out. My feeling is that this could be the year that information security finally bites the bullet and invests properly in human-focused initiatives. But, so far, budgets have not reflected this, and they’re now being seriously squeezed. Perhaps we’ll have to wait for regulatory compliance to bang the table. But one thing is clear: we can’t keep ignoring it for long.