We posed the question below to our Europe Program Committee recently and their responses follow:
Below is a word cloud for the titles of all the submissions for RSA Conference Europe 2013. Over the next 3 years what words do you think will get bigger, what words do you think will get smaller, will there be any new words, and why? In other words, what trends and priorities do you see in security over the next 3 years?
Rashmi Knowles, RSA, The Security Division of EMC
Compliance will get smaller as organizations realize they need to move away from solely using Compliance as a driver; in fact, Compliance will become a byproduct if intelligence-driven security is implemented, taking into account the level of risk and protecting the most critical assets.
Mobility will continue to be big, although with more and more devices being connected which don’t fall into the ‘mobile’ category, threats on other devices will also see an increase, e.g. smart meters.
Attacks will continue to be big; they are not going to go away. The types of attacks will be different as the adversaries get smarter and get better investment.
In the next year or so Privacy battles will be fought out globally; this is something that will continue, with probably no winners…
User behavior has to be the single biggest challenge, and it comes down to education. We should all be responsible for security, and the security industry, organizations and government face a real challenge as to how to position this and get programs in place.
----------------------------------------
Leslie Kipling, Microsoft
New:
XaaS = Everything as a service, and as part of that “desktop as a service” will break the BYOD struggle between IT and the end user, so even provisioning will become a self-service experience.
Bigger:
BYOD for the above reason or perhaps even BYOS (BYO Services)
Cloud again for the above reasons
I’d like to see Business getting bigger – IT should be enabling business in a secure manner such that IT is so aligned to the business it stops being a separate function.
To Rashmi’s point: Attacks
If we in the industry are doing the right things in terms of data protection, hardening of infrastructure, built-in protections etc., at some point the theory is that hack attacks and security breaches should decrease over time. Having said that, a lot of the attacks today are due to misconfiguration, which actually is driving deployment to the cloud, and cloud has far more capacity to weather attacks like DDoS – provided, that is, that the cloud infrastructure itself doesn’t get compromised and re-directed as a platform for attack. We know it’s a war out there; do we foresee cloud making things better or worse, and if cloud isn’t the answer (or the only answer), what do we need to do to win this war? Answers on a postcard please.
----------------------------------------
Neira Jones, The Centre for Strategic Cyberspace + Security Science
Much bigger:
Identity (and IDaaS…)
Authentication
Social
Intelligence
Privacy
Bigger:
BYOD
Same (or bigger):
Cloud
Mobile
Risk
Attacks/Threats
New:
Sourcing/Procurement
Education/Awareness
Social Engineering
IAM
Regulation/Guidelines (in view of EMV, EPC, SEPA, EU Data Protection, etc.)
And maybe Fraud (but that’s wishful thinking…)
----------------------------------------
Axel Nennker, Telekom Innovation Laboratories
I think that mobile has not peaked yet. Although it seems to be in the biggest category already, it will become bigger because industries working on things like mobile payments, mobile wallets, mobile car keys, etc. will bring new security and privacy threats, or old threats at another scale. Privacy will become bigger as a word in session title word clouds, although I am not so optimistic for privacy as a feature that users can enjoy when living their online life.
I think that Identity will become bigger because you just need Identity and authentication for Cloud and BYOD, which are going to stay the same size. Cloud has peaked and is going away as a session title, but not as a business. BYOD might stay for another two years and will then vanish.
XaaS (everything as a service) will be new. It is just too good to be ignored by future speakers, although I think it will not become big. XaaS is like APT: hyped by some.
----------------------------------------
Greg Day, FireEye
So my 5 pence…
APT/Malware/cyber/vulnerability – so much of this is already blurred. For me this is like the comet's trail. Something will continue to be the catalyst of innovation, but the key is that everything in its trail evolves as a result. In many ways Cyber has become the decrier of both, so that can only grow. Behind that I would divide between personal and broad/random attacks.
Protecting/Prevention/Response – Protecting is large, which is what I would expect. Interesting to see that prevention and response are the same size. For a number of reasons, be they legislative or regulation, the personalisation of the attack, our ability to deal with complex IT environments and attackers, or simply that user organisations are realising that we cannot stop all the attacks, we must become better at response. If I look at typical companies today, their security protection/prevention strategy is typically much stronger than their response (both technically and from a business impact perspective). As such, Response must get bigger.
M-commerce – not sure I can see that on there. Banks certainly are. If we look at the future of payments, surely in the next few years the debit and credit card will be phased out in exchange for M-commerce capabilities. As such, the volume cybercrime market will evolve to keep pace and try to exploit how we transact.
Social – When we look at BYOD, Mobile & Cloud you cannot exclude Social, yet it shows as much smaller. I would consider mobile, cloud and social as inextricably linked to each other. These are the key IT tools of the future. We already see Social being used for clear business purposes as well as being used as a reconnaissance tool and attack vector. BYOD, Mobile, Cloud, Social and APPS can all only expand.
Visibility – I have heard from more and more CISOs that as their environments, both in terms of technology and security controls, continue to expand and evolve, they MUST become much better at being able to see what is happening in a timely manner. If you can't see what’s going on, how do you join the dots together to recognise the problem, which is all too commonly made up of a number of symptoms? It's a bit like going to the doctor for a remedy when you can't describe the symptoms. We must be able to understand what normal health looks like to be able to identify our own symptoms. If we can't do this, then how do we know there is an issue?
Information (can only grow) – When we look at what it is that we really have to protect, it's critical business systems and Information, be it PII or IP. We still have such a long journey ahead of us to really be able to qualify what information we have and how we use it through technology. Yet the Information explosion continues; the question will come where either it's all public record or we are able to effectively define the sensitivity of the information and apply the appropriate usage controls to it. In some segments there is some maturity, and others have yet to start the journey. There is no doubt that regulation is a key influencer to this.
Supply Chain Trust – I'm linking together here words that currently are not in the image. We have spent so long trying to ensure that our own security is fit for purpose, yet all too often our supply chain is the weak point of entry, so much so that nation states are looking at how to solve the problem. How can we define standards that can help companies validate whether their supply chain has appropriate controls in place that both make them an attractive partner in business and also mean they are not a blind risk to the business?
----------------------------------------
Agree or disagree with the Program Committee? Give us your take in the comments!