If you missed this year’s RSA Conference, it was quite the spectacle. With a purported (and unconfirmed) 40,000 attendees, there was a ton of energy around the amazing field of information security that impacts everyone working in and around IT. There were keynotes, session tracks, and a vendor expo floor that reminded me of a super-crowded Vegas casino, minus the smoke of course. It was sensory overload. Information overload too. Still, a very good experience overall.
The interesting thing about the RSA show was the lack of anything new. Okay, there actually was a lot of hype around some new technologies and security business challenges. But looking at the industry as a whole from a larger time perspective, combined with the security flaws I see in my work performing security assessments, there really was nothing new. Sure, there was talk around the threats. Lots of talk around the vulnerabilities we currently face (and have always faced). And bottom-line business risk was especially evident in the career, legal, and risk management tracks. Still, RSA and shows like it are a whole lot of marketing hysteria and rebranding of the same old things, i.e. “cybersecurity”.
Although nothing “new” but rather emerging, there was an enormous amount of discussion around the Internet of Things and the risks it brings to the average enterprise today. Devices both known and unknown created by manufacturers that may not get security are introducing vulnerabilities into business networks that many people are struggling to get their arms around. You could be quick to jump on the IoT security bandwagon and buy these newfangled products and services to lock things down. If your security program is mature enough to the point where you’ve mastered all the security basics and you’re seeking out new ways to spend your time and money, then go for it! For everyone else, I think the smartest thing to do is simply treat IoT as any other network system. The threats are essentially the same. So are the vulnerabilities. The only thing unique about IoT is the medium/attack surface by which the threats exploit the vulnerabilities to create the business risks. Still, any good information security program will have already addressed IoT in its policies and oversight and it would essentially be just another environment to control.
Another thing that stood out at the RSA Conference was security analytics and the promise of “artificial intelligence” to solve our security problems. It seems so many vendors have solutions around the formidable challenges of good incident response based on good information. We’ve been talking about analytics since 2003 when “event correlation” was new and cool. Artificial intelligence goes back much further. I’m not convinced that technologies that show up at RSA in 2017 are suddenly going to pull everything together so that information security can go into auto-pilot mode. As long as we have people and complex business processes in the mix, I think we’ll continue to struggle with security buy-in, implementation, and ongoing management.
Finally, there was a lot of talk around the skills gap in security. Too many risks and not enough people to help manage them. I, selfishly, like this challenge because it’s great for our industry. If you’re looking to bolster your IT initiatives and fine-tune your information security program, I recommend attending the RSA Conference next year. In the meantime, check out the presentations and other resources from this year’s event. Taken with a grain of salt and pondered in the context of your business and your unique needs, this information can only make you better and your business more secure.
About the Author
Kevin Beaver is an information security consultant, expert witness, writer, and professional speaker with Atlanta-based Principle Logic, LLC. Having over 26 years of experience in the industry and 20 years focusing on security, Kevin specializes in performing independent security assessments of Web applications and network systems. He has written 12 books on information security including Hacking For Dummies and The Practical Guide to HIPAA Privacy and Security Compliance. In addition, he’s the creator of the Security On Wheels information security audio books and blog providing security learning for IT professionals on the go. Kevin can be reached at www.principlelogic.com and you can follow him on Twitter at @kevinbeaver.
Source: SANS ISC SecNewsFeed @ February 22, 2017 at 05:12PM