This is the third post in a four-part series exploring 25 years of RSA Conference session titles. If you’re new to the series, Part 1 (“From Crypto to Cyber”) and Part 2 (“Hot Trends and Has Beens”) are waiting for you; get ‘em while supplies last. If you’re a repeat customer—welcome back and thanks for your loyalty.
This time we’re going to see what the RSAC session corpus says about who we are as an industry, what we do, and how we do it. I’m conscious that data analysis can sometimes be a rather ivory-tower affair, so I’d like to start with something that has everyday value for all of us—how to answer friends and family when they ask what you do.
“What exactly would you say you do here?”
If you’re like me, you hesitate a moment when smuggles (security muggles) ask what you do for a living, while questions like this go through your mind: “Do they really care, or are they just being polite?” “How much would they understand?” “What’s their background?” “Do we have a common frame of reference?” And so on. Personally, I like to bow my head slightly, slip on some sunglasses, slowly raise my head, and in true Horatio Caine style, say “I do cyber.” Then I wait for the response and clarify/expand further as necessary. You guys do that too, right?
Well, explaining what we do to smuggles is one thing, but how do we refer to our art within the community of security wizards? I’ve been around long enough to notice the answer to that question depends, to a certain degree, on which part of the community you live in. For instance, I used to be able to recognize someone with a government background by their use of “information assurance,” while I default to “information security” (yeah, yeah… I get it - IA is waaaaaay broader and more mission-critical than mere infosec (<_<)). And, aside from their literal grey beard, you can spot a security greybeard by listening for the phrase “computer security” amid their otherwise indecipherable ramblings. But I’ve always believed there was a time element to this phenomenon as well, and 25 years of RSAC sessions offer a perfect way to test that theory.
Figure 1. Common monikers for the *security practice. Based on phrase usage as a percentage of sessions per year.
Several common descriptors of “what we do” are shown in Figure 1 and measured according to the percentage of sessions in which they’re referenced each year. Some, like “computer security,” didn’t squeeze through my minimum filter of at least 5 occurrences over our timespan, and thus don’t show up (it was only used 4 times - sorry greybeards!). Note that variations like cyber security, cyber-security, and cybersecurity are all merged and represented as “cyber security” in the figure to keep things simple.
I’m not the data whisperer or anything, but I think I hear Figure 1 snickering at you if you’re one of those still using terms like “IT security” or “information assurance.” Ugh; so over it. Get with the program, people. “Information security” seems to be the mainline candidate with some experience under its belt. Go with that if you want to appeal to the masses. The really cool kids are clearly doing “cyber security” these days. But those few who are truly in the know, of course, just do “cyber.”
Identify, protect, detect, respond, and recover
Speaking of “what we do,” I was quite interested to explore how conversations around that had changed over the last 25 years. The NIST Cybersecurity Framework lays out five primary functions for information cyber security: identify, protect, detect, respond, recover. These, it states, can provide a high-level, strategic view of an organization’s management of cybersecurity risk.
I’ve always thought security has traditionally been overly focused on protection/prevention, but recent years have seen a lot of R&D on the detection and response side. Let’s see what RSAC session titles have to say about that.
Figure 2. References to the 5 security functions defined in the NIST Cybersecurity Framework with bars for percentage of sessions each year and lines for frequency.
Figure 2 tracks the percentage of sessions in which these terms are used (bars) as well as the raw frequency of usage (lines). Note that I’ve recoded instances of “prevent” to “protect” for this chart as well as combined different forms of words (e.g., “detection” and “detect”).
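To make the counting behind Figures 1 and 2 concrete, here is a small Python script over a constructed set of session titles. It is an added example, not code from the original post, and the titles, the regular expressions, the `term_stats`/`moving_average` function names and the thresholds are all assumptions. It merges spelling variants (cybersecurity, cyber-security, cyber security) under one label, recodes “prevent*” onto “protect” the way Figure 2 does, drops any term with fewer than 5 occurrences over the whole span, reports both percent-of-sessions (the bars) and raw frequency (the lines), and includes the 3-year moving average used later for Figures 4 to 6, assumed here to be a trailing window since the post does not say whether it is trailing or centered.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of (year, session title) pairs. Not RSAC data; just enough
# rows to exercise variant merging, recoding, the minimum-count filter and the
# difference between "sessions containing a term" and "times the term occurs".
SESSIONS = [
    (2003, "Cybersecurity for the Enterprise"),
    (2003, "Intrusion Detection and Detection Tuning"),
    (2003, "Preventing Worm Outbreaks"),
    (2003, "Computer Security Basics"),
    (2003, "Detecting Slammer: Lessons Learned"),
    (2004, "Cyber-Security Risk and Compliance"),
    (2004, "Information Security Governance"),
    (2004, "Protecting Data in Transit"),
    (2004, "Cyber Security Metrics"),
    (2004, "Malware Detection at Scale"),
    (2004, "Preventing Phishing, Protecting Users"),
    (2005, "Detecting Attacks: Detection Engineering"),
    (2005, "Cyber Security Incident Response"),
    (2005, "Information Security Program Management"),
    (2005, "Prevention Is Not Enough"),
    (2005, "Cyber Security Careers"),
]

# Canonical label -> regex that catches its spelling/inflection variants.
# These patterns are assumptions chosen for the sample above.
TERMS = {
    "cyber security": r"\bcyber[- ]?security\b",            # cybersecurity, cyber-security, cyber security
    "information security": r"\binformation security\b",
    "computer security": r"\bcomputer security\b",
    "detect": r"\bdetect(?:ion|ing|ed|s)?\b",               # detect, detection, detecting, ...
    "protect": r"\b(?:protect|prevent)(?:ion|ing|ed|s)?\b", # "prevent*" recoded onto "protect"
}


def term_stats(sessions, terms, min_total=5):
    """Per-term, per-year stats: {label: {year: (pct_of_sessions, raw_frequency)}}.

    A term counts once per session toward the percentage no matter how often it
    appears in the title, but every occurrence counts toward raw frequency.
    Terms with fewer than min_total occurrences over all years are dropped.
    """
    patterns = {label: re.compile(rx, re.IGNORECASE) for label, rx in terms.items()}
    sessions_per_year = Counter(year for year, _ in sessions)
    # label -> year -> [sessions containing the term, total occurrences]
    hits = defaultdict(lambda: defaultdict(lambda: [0, 0]))
    for year, title in sessions:
        for label, pat in patterns.items():
            n = len(pat.findall(title))
            if n:
                hits[label][year][0] += 1
                hits[label][year][1] += n
    result = {}
    for label, by_year in hits.items():
        total_occurrences = sum(freq for _, freq in by_year.values())
        if total_occurrences < min_total:
            continue  # e.g. "computer security" in the post: only 4 uses, so it never makes the chart
        result[label] = {
            year: (100.0 * n_sessions / sessions_per_year[year], freq)
            for year, (n_sessions, freq) in sorted(by_year.items())
        }
    return result


def moving_average(series, years, window=3):
    """Trailing window-year mean of a {year: value} series over an ordered year list.

    Years in which the term never appears contribute 0, and the first years use a
    shorter window rather than being dropped (an assumption, not the post's stated method).
    """
    out = {}
    for i, year in enumerate(years):
        span = years[max(0, i - window + 1): i + 1]
        out[year] = sum(series.get(y, 0.0) for y in span) / len(span)
    return out


def all_years(sessions):
    return sorted({year for year, _ in sessions})


if __name__ == "__main__":
    stats = term_stats(SESSIONS, TERMS)
    years = all_years(SESSIONS)
    for label, by_year in stats.items():
        pct_series = {y: pct for y, (pct, _) in by_year.items()}
        smoothed = moving_average(pct_series, years)
        for y in years:
            pct, freq = by_year.get(y, (0.0, 0))
            print(f"{label:22s} {y}  {pct:5.1f}% of sessions  freq={freq}  3yr-avg={smoothed[y]:5.1f}%")
```

Running it shows why the bars and lines in Figure 2 can move independently: the 2003 title “Intrusion Detection and Detection Tuning” adds one session to the “detect” percentage but two to its raw frequency, and the 5-occurrence floor silently drops “computer security” and “information security” from the output exactly as the post describes for the greybeards’ term.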
Overall, Figure 2 reinforces my previously stated suspicion: our industry has largely focused on keeping bad stuff from happening, but we’re waking up to the fact that you can’t protect/prevent everything all the time. It’s critical that we improve our capability to detect and respond to those bad things when they do happen. And they will. Perhaps when we get that sorted out, we’ll give more attention to recovering from incidents in a more timely and effective manner.
On a side note, I do find it curious that “detect” peaked in 2005. I would have thought that was all the rage in the last five years or so. Maybe there are other “detection” words I’m not thinking to include? Maybe we’ll sort that out for the panel at RSAC, which, if you don’t remember, will feature industry ROCK STARS Bob Rudis, Alex Pinto, and Jay Jacobs. I’m just calling them that to mess with them, but you should feel free to play along by asking them to sign autographs or something else that will make them feel uncomfortable.
You down ‘wit GRC? Yeah, you know me.
GRC - how can I explain it
I'll take you frame by frame it
G is for Govern, R is for Risk geeks scratchin' temple
The last C, well, that's not that simple.
While those more Cyber by Nature won’t like the label, GRC is a term that has been used for quite some time to describe a large portion of what we do. I thought it was worth seeing how the words comprising that acronym behaved over time.
Figure 3. Percentage of sessions referencing "governance," "risk," and "compliance."
Nothing terribly interesting there, except the notable jump for both “risk” and “compliance” in 2004. On the compliance side, I attribute the surge to increasing security-related regulation/legislation. The Sarbanes-Oxley Act was passed by Congress in 2002, but if I remember correctly, had a few years built in before enforcement began. The Federal Information Security Management Act (FISMA) also hit in 2002. California passed Assembly Bill 1950 in 2004, which required businesses to maintain a “reasonable” level of security if they held information on California residents. Version 1 of the Payment Card Industry Data Security Standard (PCI-DSS) landed in late 2004. You get the picture: growing external pressures on multiple fronts to improve security posture and practice.
Figure 4. Percentage of sessions referencing various compliance-oriented words (3-year moving average).
On the risk front, 2003 was an insane year for Internet worms. I can still clearly remember the panic that Saturday in January when I learned Slammer took my MS SQL servers down. I can also remember the double-tap of Sobig and Blaster later that summer and then MyDoom at the start of 2004. These worms did a lot of damage and caused many to view IT security (using the prevailing term back then) as a legit risk that needed to be dealt with. That realization continues to grow.
Figure 5. Percentage of sessions referencing various risk-oriented words (3-year moving average).
To offer a perspective beyond just matching on the words “governance,” “risk,” and “compliance,” Figures 4 through 6 include various other words associated with those concepts. I’m not going to comment on them other than to observe that governance—a rather sad “me too!” in Figure 3—looks to be alive and well in Figure 6. Perhaps it's just my choice of words driving the chart or perhaps security is actually getting broader business-level visibility and accountability. My fingers are crossed for the latter. Beyond that, feel free to poke around the figures as you like.
Figure 6. Percentage of sessions referencing various governance-oriented words (3-year moving average).
I’m not exactly sure what we’re going to do yet in the next (and last) post. We’ll just follow wherever the winds of analysis blow. Until then, happy cybering.