Reflections on RSA Conference 2010

The improving value of the British pound against the dollar makes visits to the USA more attractive. But if you just wish to experience the culture, you need to go no further than London Hilton Metropole when the RSA Conference comes to town. For three days and nights, you will be transported to America, listening to US speakers delivering US sales pitches in a US hotel filled with US guests.

Regardless of what you feel about the format or agenda, the RSA Conference remains a major calendar event, attracting high-profile speakers and security professionals from far afield. It’s a great networking event where you can rub shoulders with the likes of Ira Winkler and Bruce Schneier, and catch a flavour of the state-of-the-art in information security. This season is an especially interesting time to take stock of the security scene, as the growing problem space seems to be finally leading to the beginning of a long overdue tipping point in the solution space.

Key trends I observed this year include a consensus view that cloud computing needs new levels of security standards and assurance; that the human factor requires much more attention; that the threat of cyber attack demands new principles and agreements; and that we must urgently migrate the focus of security to the applications and data levels. 

A few years ago only a handful of experts articulated these points. Now they are accepted truths. It’s a significant step forward, but we have a long way to go to actually solve these problems. And there were few signs of innovation in a conference that was clearly brilliantly executed, but based on a tired, old format. If you were in search of new ideas and thought leadership, you might have been disappointed. 

There were however some important solutions on display. Microsoft’s SDL methodology, for example, is an essential solution for all enterprises. It merits a lot more attention. In my view it should be mandated for critical national infrastructure, as experience has demonstrated that developers will cut corners without big sticks to persuade them to pay attention. 

It was also encouraging to see Qualys taking a leaf out of Google’s book and introducing easy-to-use cloud security services that can be immediately tried and used without upfront costs. This type of security model is the only way we will be able to engage small and medium enterprises (an issue which is growing in importance).

To me, the conference reflected a widespread staleness in an information security field that is surprisingly short on imagination, boldness and diversity. We have become a herd of box tickers, lost in a sea of compliance and backward-looking standards. Such an approach might have satisfied a business operating in a static problem space, where best practices rarely change. But it does not serve a modern enterprise operating in a dynamic environment that needs real time solutions to new forms of security threat.

I enjoyed the RSA Conference and will be back next year. But I’m looking to next month’s Global Security Challenge finals in London for ideas and innovation.