Infosecurity starts today, and it will doubtless be the biggest, busiest and boldest conference yet. So why am I feeling rather underwhelmed at the prospect?
Infosecurity is certainly the largest and best exhibition of its kind. It’s the showcase for the security industry and an opportunity for information security professionals to gather and network. New products are launched, survey after survey is released, and the vendors go bananas with every conceivable dongle, cable, badge, gonk, bag and giveaway they can come up with. I’ve even spoken at the conference.
Despite the media hype and the clear commercial need for security, it just isn’t sexy any more. When I accidentally started working in the IT security industry (and back then most security folks had discovered the trade by accident – I seemed to be surrounded by a lot of astrophysicists seeking a better income) it was so cool that many people had never even heard of a hacker. Friends thought that a day at work was like being Matthew Broderick in Wargames. We could trip into a customer’s office and explain “what you need here is something called a Firewall. There aren’t any decent ones on the market, so we’ll put one together with a Unix box and a brace of network cards.” The World Wide Web was still a bright idea in Tim Berners-Lee’s head, and my modem sometimes managed 9k6 connection speeds. What was so great was the ability to make it all up as you went along. Ah, happy days.
Of course now we have a professional industry with recognised qualifications, industry bodies, international standards and all the fruits of a great deal of hard work by many dedicated individuals. An SME can purchase all the security kit it needs at PC World, and then phone up the local recruitment agency to get someone to assemble it correctly. Security has become commoditised, productised, and sadly rather oversized. That’s why I became interested in privacy, which is still much the same as security was in the early 1990s.
And businesses are bored with security. We’re talking ourselves into a recession, so they’re worried about risk management, corporate governance, cost cutting and disgruntled employees. Security is just an overhead for them. They don’t want to buy it, they want it built in to their PCs, routers, servers and other products that deliver a perceived value to the organisations. For the average business it’s just an overhead.
What does this mean for Infosecurity? Well, as Bruce Schneier says of the RSA Conference, we’re going to see some retrenchment coming as Infosecurity stops attracting anything but security professionals. The halls will be full of security vendors selling their kit to security vendors, but everyone else will stay away. It’s a well-run conference with a lot happening, but security just isn’t sexy any more (but then, I suspect, neither am I). So I’m off to Oracle’s Safeguarding the Citizen conference instead, where we can all argue about what needs to be done and how we turn privacy into a profession.
THE COMPETITION: This year’s event will doubtless focus on post-HMRC privacy issues, with lots of security kit being rebranded as a ‘privacy solution’. There’s a £10 donation to the charity of your choice for whomever spots the product using the flimsiest attempt to pitch itself as a ‘privacy solution’. Photos to me please.