Amit Yoran clearly knows a good metaphor when he sees one. Or in this case, doesn’t see one.
Yoran, who was named RSA's president last fall, took the stage at the RSA Conference in San Francisco Tuesday to deliver his first opening keynote. In the dark. And he let the audience of thousands sit there, in the pitch black, for an excruciatingly long moment before offering the first glimpses of what appears will be a time of great change for the information security industry, RSA included.
"Since the beginning of time, man has been afraid of the dark, and with good reason. We can hear noises and see shadows," said Yoran. "Without being able to see our surroundings, we can't tell if those noises and shadows are something dangerous."
And then, the kicker.
"My stumbling around in the dark is a pretty good metaphor for anyone who's trying to protect networks today."
So there you have it: the top executive of the world's biggest security vendor declaring that information security has proven to be about as effective as a blind man at an archery range.
Yoran's bleak tone was in stark contrast to the moments before his entrance, when the ubiquitous Jane Lynch took the stage with a doo-wop trio to sing a Glee-inspired, security-themed version of David Bowie's song, "Changes." But the message was the same: it's time to rethink security from the ground up.
Make no mistake, though. Yoran was not saying that the technologies that RSA and other vendors provide are the problem. Rather, it's in the way tech is being applied in the real world. To illustrate his point, Yoran described a training exercise from his days at West Point, where he was flummoxed by a map that didn't match what he could see of his surroundings. When he asked for help, his superior officer offered him a single piece of wisdom that he has drawn upon, all these years later: "Either the terrain is wrong, or the map is wrong."
Yoran's point was that the security world continues to hold onto a protect-the-perimeter-at-all-costs mentality that has fallen behind in a world where there no longer is a perimeter.
"The map we're looking at simply doesn't match the terrain, but we keep hoping it does," Yoran said.
And, as he noted, things are not getting better, as indicated by the steady stream of major breaches dominating the news cycles. The simple truth is that the evolving ways in which people use technology and access data, combined with the fast-changing nature of the technology itself, has given the bad guys a leg up.
"2014 was a reminder that we're losing this contest," he said.
The answer, he suggested, is a new map. One that that doesn't rely on advance protections. One that emphasizes pervasive visibility. One where authentication, identity and external threat intelligence matter greatly. One where security resources are prioritized based on what's most important to the business.
In other words, we need a map that can help us see in the dark. "The threats that matter most are the ones you can't see," Yoran said.
To that end, Yoran hinted that RSA will be working on that new map in the coming months. He said the company is being re-engineered across the board, presumably to help its customers step out of the dark and into a mindset that reflects today's new business realities.
"This time next year, we won't be the same RSA you've known for decades," he said. "The world has changed, and trust me, it's not the terrain that's wrong."