Reflections on RSA 2011

Just back from this year’s RSA Conference in California, the biggest security bash in the world, with around 20,000 visitors and a huge pipeline of would-be speakers and exhibitors. Whatever your views on its merits, it represents the most significant event of the year for information security professionals.

That makes it all the more surprising that the level of creativity and innovation on display is not higher. Partly that might be because of the repetitive formula of the event. But mainly it’s because of the lack of ideas and variety across the security community. I was pleased to note that visualization and virtualization (concepts I’ve been promoting for several years) were this year’s buzzwords. But the reality was far more hype than innovation. There was little that could be regarded as new, creative or compelling on show.

It’s a shame because this should be the year when ‘new’ security hits the road, drawing on the fusion of cloud services, trusted computing and virtualization technology. So where is it? Not here, unfortunately. This conference was largely focused on pedestrian solutions, such as ISO 27001 and risk management, dressed up as breakthrough concepts. You have to attend the Global Security Challenge to discover really innovative developments.

Refreshingly, the vendor keynotes did seem to appreciate the emerging underlying trends, though they had little in the way of solutions that were new or innovative.

RSA and VMware promoted their virtualization-based security solutions for cloud environments. It’s a promising start, though the underpinning security requirements are inspired by ISO standards which are more than a little past their sell-by date. We need to establish a better articulation of today’s security requirements before we can begin to build effective solutions.

Microsoft remains the clear leader in secure development practices, though their keynote was little more than a pitch for electronic identity solutions. Nothing new here, except for the sales opportunity presented by the new White House citizen identity initiative.

Symantec’s keynote highlighted data growth and targeted threats, as well as the need for governance, architecture and auditing. These are all things that have been apparent to every security professional for many years. The only new concept was the marketing metaphor of an “ozone layer” for cloud security services.

HP sounded as though they have just discovered the concept of risk management. Unfortunately they have yet to appreciate that it’s a forward-looking, decision support tool for humans, not a backward-looking, decision-making one for machines. Much money will no doubt be wasted building white elephant technology that fails to hit the spot.

Qualys remain the most innovative security vendor, though their keynote reflected steady progress, rather than a step change, in their long-standing vision of cloud security services. Nevertheless they remain well ahead of the bandwagon in understanding the power of the cloud, continually enhancing their products and building strategic partnerships with other vendors.

The US Government had plenty to say, but their primary focus is industry outreach rather than innovative thought leadership. It’s unlikely to succeed, given the dearth of new ideas from vendors and the herd mentality of the user community.

The exhibition was more interesting, though you had to look quite hard to find anything new. Trusted computing, one of my tips for this year, continues to grow in investment, as reflected by Wave Systems’ relatively large stand. The most novel new technology for me was BreakingPoint’s large-scale Internet simulation tool. The most impressive product was 3M’s iPad screen protector. (Yes, it’s that bad.) Best giveaway toy was LogLogic’s bouncing rubber cup. And best for hospitality was IOActive’s penthouse suite at the nearby W Hotel, with great presentations of how to hack ATMs.


My takeaway was that the RSA conference primarily focussed on 4 key themes: 1) Cloud (securing the cloud as well as providing security services in the cloud). Visibility, control, trust and compliance were some key elements here. 2) Mobile (iPhone, iPad, Android smartphones) computing platform security. 3) Social networks (Facebook, Twitter) - how to prevent confidential data leakage via these networks. 4) Cyberwar.
It's a sad reflection that our industry works off hype and marketing rather than risk. I didn't attend RSA but will try to go to more grass-roots conferences such as OWASP and DayCon that are organised by practitioners rather than vendors. My "grand ideas" to address security from the ground up (much influenced by your own good self) - i.e. through soft measures such as awareness and training - still meet with a huge amount of cynicism and resistance. Much easier to give in to the hype and purchase another technical solution.
I can't agree more with you about IOActive's party, by far the best! They know how to party - that's why we love them.