Hello, RSA Conference attendees. We probably haven't met before; my name is Tony, and I'll be one of your guides throughout this week.
I am one of the contributors to the RSAC editorial team, and this year, we are going to take a different approach to how we cover the conference on the blog. This is a change for me, as in the past, I attended as a member of the technology media.
As a journalist, I've always felt that the stories from the trenches are always the most interesting. I wasn't as interested in the products and solutions that are ubiquitous at these events as I was in what corporate IT security folks had to say. Those are the stories I'll be concentrating on this week. I'll be doing my best to reflect the heartbeat of the security community that uses the technologies, employs the strategies and struggles with the universe of threats you'll be hearing about all week. Most importantly, I'll try to be your eyes and ears, providing you with a glimpse of what the priorities are today among the folks who buy security technologies and tools.
As RSAC 2015 dawns, what do I expect to hear from the corporate security world? If the past few years are any indication, I anticipate a lot of soul-searching. The universe of threats has grown exponentially as the use of devices to access and manipulate data via the cloud has essentially presented bad guys with a new cookie jar. So it's no surprise that information security has found itself in a near-constant state of identity crisis.
Back during RSAC in 2010, IT security executives made it clear that they were rethinking how they approached their jobs. Rather than continuing as mere protectors of the network perimeter, they had begun to see their roles as evolving into an entrepreneurial partner to the business. It was as if they were following in the footsteps of CIOs, who had been actively seeking to cash in on the rising profile of IT to get a seat in the boardroom. Just like IT before it, IT security was shedding its reputation as the department of "no."
"If they understand you're there to enable growth, they're going to bring you to the table," Tony Spinelli, the then-CISO at Equifax, said during a panel discussion.
A few years later, at RSAC 2013, there was a growing sense among corporate security speakers that they needed to step out from behind the green curtain a bit. Rather than treat their security intelligence as sensitive information that could undermine their efforts to protect their users or tip off their competitors to their best practices, they were starting to realize that, like in the animal kingdom, there was safety in numbers. But they also recognized it would require a leap of faith.
“Information sharing is all about trust,” JPMorgan Chase's Anish Bhimani, the chairman of the Financial Services Information Sharing and Analysis Center, told a packed room. “Someone has to be willing to say, we’ll go first.”
Despite the widespread recognition that IT security teams needed to become more collaborative—both with the business and with the industry at large—last year's RSA Conference brought word that the transition was proving to be a difficult one. During a panel discussion, Michael Hammer, who manages web operations security for the online unit of card maker American Greetings, suggested that business executives still tend to obstruct security teams' efforts to be more of a contributor to the business.
Eugene Spafford, director of Purdue University's Center for Education and Research in Information Assurance and Security, said IT security teams themselves were struggling with becoming a business enabler instead of an inhibitor. "The goal should be to allow people to do their jobs without getting in their way," Spafford said during a panel discussion. "That's the big problem with security in general. We get in the way."
All of which leads to the questions I'll be most interested in getting answers to this week:
- Are security folks still in the way, or are they doing a better job of becoming business enablers?
- Are business leaders embracing IT security executives as more than sheriffs trying to keep the business safe?
- Has the security world become more collaborative across corporate boundaries?
I have no idea what the answers will be, but I certainly look forward to learning what's making IT security folks tick these days.