Predictions are dangerous business. Just ask Thomas Watson, who as chairman of IBM in 1943 is widely quoted as saying, "I think there is a world market for maybe five computers."
Wilbur Wright got it right, confessing in 1908: "In 1901, I said to my brother Orville that man would not fly for fifty years . . . Ever since, I have distrusted myself and avoided all predictions."
As Mr. Wright’s wingman and an observer—not a prognosticator (sorry Mr. Watson—I already have more than five devices myself!)—I want to share a top 10 countdown of observations and patterns we saw while reviewing this year's RSA Conference speaking submissions. They provide insights into where our collective head as an industry is right now, and where we may be headed.
10. Passwords. Yes—everyone hates them. And no one trusts them. There are many ideas on how to solve the authentication conundrum, with multi-factor options such as mobile, biometric, geo-location, context, behavior... you name it, it's being considered (alone or in concert with other options), balanced against an assessment of the associated risk.
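The "balanced against an assessment of the associated risk" part is what context-based (adaptive) authentication does in practice: the password is necessary but not sufficient, and the signals around the login decide whether a second factor is demanded. The block below is an added example to illustrate that idea; it is not code from this post or from any vendor. The signals, weights, thresholds, the 900 km/h "impossible travel" speed, the 50 km location tolerance and the sample login events are all assumed or constructed for the illustration.

```python
"""Context-based step-up authentication for a password login.

Added example: signals, weights, thresholds and sample logins are assumed
for illustration; they are not taken from any product or from the post.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt
from typing import Dict, Optional, Set

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_SPEED_KMH = 900.0  # assumed: faster than this between logins is "impossible travel"
LOCATION_TOLERANCE_KM = 50.0     # assumed: ignore geo-IP jitter inside one metro area
STEP_UP_AT, DENY_AT = 30, 100    # assumed thresholds on the score produced by WEIGHTS
WEIGHTS = {"unknown_device": 40, "off_hours": 15, "impossible_travel": 60}  # assumed


@dataclass
class LoginEvent:
    username: str
    when: datetime        # timezone-aware UTC
    lat: float
    lon: float
    device_id: str
    password_ok: bool


@dataclass
class UserProfile:
    known_devices: Set[str]
    usual_hours: range                  # UTC hours this user normally logs in (assumed)
    last_login: Optional[LoginEvent]    # last successful login, if any


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two lat/lon points in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    a = sin((p2 - p1) / 2) ** 2 + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def risk_signals(profile: UserProfile, attempt: LoginEvent) -> Dict[str, bool]:
    """Evaluate each context signal; True means the signal raises risk."""
    signals = {
        "unknown_device": attempt.device_id not in profile.known_devices,
        "off_hours": attempt.when.hour not in profile.usual_hours,
        "impossible_travel": False,
    }
    last = profile.last_login
    if last is not None:
        dist_km = haversine_km(last.lat, last.lon, attempt.lat, attempt.lon)
        elapsed_h = (attempt.when - last.when).total_seconds() / 3600.0
        if dist_km > LOCATION_TOLERANCE_KM:
            # Moved too far too fast since the last login (or the clock went backwards).
            signals["impossible_travel"] = elapsed_h <= 0 or dist_km / elapsed_h > MAX_PLAUSIBLE_SPEED_KMH
    return signals


def risk_score(signals: Dict[str, bool]) -> int:
    return sum(WEIGHTS[name] for name, raised in signals.items() if raised)


def decide(profile: UserProfile, attempt: LoginEvent) -> str:
    """Return 'deny', 'step_up' (demand a second factor) or 'allow'."""
    if not attempt.password_ok:
        return "deny"
    score = risk_score(risk_signals(profile, attempt))
    if score >= DENY_AT:
        return "deny"      # block and alert rather than give an attacker a factor to phish
    if score >= STEP_UP_AT:
        return "step_up"
    return "allow"


# Constructed sample data: one user whose last good login was from New York.
def _utc(hour: int) -> datetime:
    return datetime(2014, 12, 1, hour, 0, tzinfo=timezone.utc)

NYC, LONDON = (40.7128, -74.0060), (51.5074, -0.1278)
PROFILE = UserProfile(
    known_devices={"laptop-1"},
    usual_hours=range(8, 20),
    last_login=LoginEvent("alice", _utc(13), *NYC, "laptop-1", True),
)
ATTEMPTS = {
    "same_city":       LoginEvent("alice", _utc(14), 40.75, -73.98, "laptop-1", True),
    "roaming":         LoginEvent("alice", _utc(14), *LONDON, "laptop-1", True),
    "new_device_far":  LoginEvent("alice", _utc(14), *LONDON, "phone-9", True),
    "late_new_device": LoginEvent("alice", _utc(23), 40.75, -73.98, "phone-9", True),
    "bad_password":    LoginEvent("alice", _utc(14), 40.75, -73.98, "laptop-1", False),
}

if __name__ == "__main__":
    for name, attempt in ATTEMPTS.items():
        print(f"{name:16} -> {decide(PROFILE, attempt)}")
```

The point of the weights is that no single benign-looking signal blocks a user (a late login alone is allowed on the password), while combinations that look like credential theft from a new device in an impossible location are refused outright instead of being handed a second-factor prompt that could itself be phished.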
9. Cloudy with a chance of... The conversation around the cloud has matured considerably year-over-year. With a nod to the children's movie (yes, we had many references to it!), the industry is still engaged in a tug-of-war between adoption to enable business and lingering concerns about security, privacy and surveillance issues. But we also see advancement, with organizations now focusing on deeper conversations around architectures and architecting (DevOps—more on that later!), APIs, legal responsibilities (cyber insurance—lots on this topic this year) and services. Case studies had more depth, and organizations were better at quantifying the benefits. Speaking of which, METRICS! There's another theme that emerged across tracks and categories—our industry likes to ground claims with proof. Perhaps some of that is related to our next item...
8. Organizational structures and a general compliance-dismissive tone. The C-suite embraces security. We have CSOs, CISOs, CROs, CIOs, and the CxO list continues... with new reporting lines and structures. Unquestionably, more and more within our industry are having conversations with the Board that never happened three years ago. And there seems to be a notable shift in the view of security as an operational function vs. an IT function. Governance, risk and compliance comes into play here—as does the maturity of the organization—with the submissions reflecting many within our industry (and not just the vendors!) tired of the focus on compliance, recognizing the deepening gap between compliance-focused legislation and activity and the true risks the threat landscape presents.
7. Healthcare. So this is interesting. The healthcare industry is not one of the larger verticals currently attending RSA Conference, yet in terms of vertical-specific submissions, healthcare definitely wins the prize—even beating out financial services, which always has a healthy number of cybercrime-related submissions. Why? This appears to be an interesting time when an industry which is often perceived as a laggard is actually in the forefront, with things like patient portals, mandated insurance and high-tech medical devices (more on the Internet of Things later). The implications here for the industry are huge as we all look on healthcare with great interest, and submitters saw opportunities to explore privacy-related concerns, identity issues, legislative rumblings and hacking opportunities that are truly life and death.
6. DevOps. This is a really cool evolution—make that revolution!—in the application security track. Hugh Thompson, chairman of the Program Committee, and I were pretty sure there was an appetite for DevOps among Conference attendees, so we threw the keyword out there for submissions this year. Did you ever deliver! DevOps clearly has a strong home at RSA Conference, with great submissions about how organizations are changing their development models, re-architecting systems, speeding things up, opening new business opportunities and new channels and gateways to partners. We expect big things in DevOps short term.
5. Supply Chain and the Ecosystem. Years ago the castle and the moat defined security. The analogy was easy and clear. The moat fell apart years ago and today we know we aren’t just defending the castle, but rather anything or anyone that touches it—the Ecosystem is far ranging with huge implications. Most tracks had some supply chain contributions, with submissions ranging from risk management to government initiatives to frameworks (lots of frameworks this year!) to detailed case studies. Submissions also reflected an understanding of critical infrastructure and industrial control systems’ impact points.
4. Privacy. Not surprisingly, the conversation around privacy continues, although we noted an increase in submissions dealing with privacy and security together rather than in opposition to each other. Privacy was addressed from several angles, including the implications of the Internet of Things (do you notice a trend?), wearables, new mobile, geo-location and facial recognition capabilities, the consequences of surveillance, and, of course, Big Data. Speaking of which...
3. Big Data. We seem to have reached a tipping point as we see big data talked about defensively and offensively, with many offering grounded metrics (there is that word again!) to support the claimed benefits. We saw big data-oriented proposals spanning our potential tracks, with some coming at it from a legal perspective, others concerned about policy implications, many pointing out privacy and security concerns, architects concerned about protecting it, and of course many utilizing it for business enablement purposes. We also saw it going on the offense, being utilized to develop predictive indicators to combat cyber-attacks. Thematically, big data is here with us for years to come, with further maturation and more defensive and offensive benefits to be realized.
2. Internet of Things... Is Internet of Everywhere! Call it a buzzword. What was a minor blip on the radar in past years was an integral part of talks on every track this year. It's hard to find a topic that doesn't somehow link to IoT. The legal, policy, privacy, risk, development and security ramifications of the widening attack surface into our homes, our transportation, our businesses, our infrastructure—indeed everything—that the IoT brings were reflected in an awesome number of submissions, a focus that we see increasing for years to come as many predict the first breach here is imminent.
1. Intelligence and information sharing. Hands down, the largest number of submissions we received had to do with sharing: the technicalities (standards!), the legalities, emerging policy considerations and organizational strategies. As an industry, we have concerns around the need for legislation, the role of governments and what technical structures best achieve the end goals. We also have sharply divided opinions about attribution—does this help the good guys or the bad guys more?
There is so very much more—and many layers under here! Insider threats, drones, mobile, gamification, professional development paths (yes—there are a lot of former NSA, FBI and CIAers out there!), bug bounties... the list goes on! Be sure to join Hugh Thompson and me on our "Reading the Tea Leaves" webcast on Dec. 15 as we dig in further at what information security professionals are thinking about. We will also unveil the word cloud (this year's and year-over-year comparatives) to give a visual view of the RSA Conference submissions. See you next week!