Lessons Learned at RSAC 2015

Posted on by Tony Kontzer

Now that the curtain has fallen on the RSA Conference 2015, San Francisco edition, what have you learned? I can't speak for anyone else, but I returned from RSAC with a number of things bouncing around my head.

For instance, right out of the gate, we learned that Amit Yoran is an energetic and forceful speaker who will carry the RSA Conference keynote torch with great aplomb. Yoran took the stage Tuesday to deliver his first keynote since being named president of RSA. He needed to forge an identity and did just that by issuing a direct call to action to the entire industry.

"Things are getting worse, not better," Yoran said. "2014 was a reminder that we're losing this contest."

The information security industry may be on the precipice of evolving into a better, more complete protector of our systems, applications and data.

There was a panel discussion on the evolving role of women in IT security, an evolution that promises to deliver a stronger and more inclusive industry. Discussions throughout the week focused on the need for security professionals to understand the business better and embrace the transition from a protect-the-perimeter approach of yesteryear to one embracing risk assessment.

The modern security executive's job should focus on "thinking about the data, where it resides, and what risks it presents," said James Christiansen, vice-president of information risk management for Accuvant.

This focus on data reflects another lesson from RSAC 2015: the perimeter isn't what it used to be. Today, the network is everywhere your employees and customers are, because that's where their devices are accessing your applications and, more importantly, your data. Whether that means securing an employee working at a local coffee house, a customer transacting business on your web site while sitting in an airport, or a third-party contractor pulling data from your cloud application from a remote network, information security teams are expected to protect a constantly expanding universe.

This is part of what Yoran was referring to when he observed that information security professionals today are not working from the right map of the kingdom they are trying to secure. "The map we're looking at simply doesn't match the terrain, but we keep hoping it does," he said.

On a more intimate level, we learned just how quiet a hall packed with conference attendees can get when a young woman talks about her abduction by an Internet predator. No one who heard Alicia Kozakiewicz share her horror story Thursday will soon forget her warning that yes, harm can come to our children if we don't protect them as carefully as we protect our business data.

Kozakiewicz has worked tirelessly since her miraculous rescue to make sure schools have resources to educate kids about online safety, but she and a panel of experts made it clear that it is parents who need to be CISOs for their kids. "This is not an easy topic to talk about with your kids, but you have to," Kozakiewicz said. "You have to be a parent."

The new Cyber-Village safety exhibit that took over the second floor of Moscone West reinforced that message. But that conversation is just a beginning.

In fact, let's consider Kozakiewicz's words as a kind of coda to the lessons we learned at this RSA Conference. Today's information security professionals need to act and think like parents. Don't take the police-like approach of locking down network perimeters and telling people what they can or can't do. Recognize that in this world, the next breach is a matter of when, not if. Communication and education are the most effective tools.

Even if the 30,000 people who attended RSAC take away nothing beyond that last message, it will still push the industry a huge step toward making Yoran's 2016 keynote a heck of a lot more upbeat.

RSA Conference heads to Singapore in July for RSA Conference, Asia-Pacific edition.

Tony Kontzer, RSA Conference
