Two weeks ago, while visiting the yearly security gathering at the RSA conference in San Francisco’s Moscone center complex (and adjacent hotels – it’s growing like mad), I was walking across the North and South Expo halls to check out some vendors (Several I had appointments with, some by curiosity, and a few that were really new kids on the block.) selling their point-solution-products. There were some true good ones, and yes there are some great engineers or SMEs by the booths. But that is not always the case. You can figure it out quickly by asking specific pointed questions.Granted, there are always good and bad apples in any bag, but as C(I)SO, you cannot afford talking with the latter, and you need true, accurate, and timely information. So please forgive if I (and presumably my peers) will oftentimes just ignore the “hi” and “how are you” type of sales pitch and instead look for the CTO or head of product management or at least the SME at the booth. We can sniff the “booth babes” (Even if there is meanwhile a much-welcomed RSA policy to limit the “exposure”/skin factor.) from a mile away, and although those people are just doing their job, it is not the best use of our valuable and notoriously short time to engage with them.This year’s conference was probably again the biggest / most visitors / most vendors / etc. show, but here is the rather disillusioning observation: despite all the hyperlatives, the security industry is failing to solve the crisis. The vendors are there to participate in the gold rush and to sell their products at all costs and by all means. Getting a foot in the door and then cross-selling their snake oil is still a working approach. No one is held accountable, as our global business model doesn’t aim to go back 3-5 years and verify if that what was promised was actually ever achieved.The industry continues to create point products that (maybe) solve single problems that are somewhat relevant but cannot be looked from one viewpoint alone and rather need to be integrated across the tool landscape. Take encryption, for example. Let’s say we want to encrypt all the data in the cloud, and we want to control the keys so that no vendor or provider can hold us hostage nor accidentally (or incentivized by government or other 3rd parties) access our valuable / sensitive / regulated / etc. data without our permission and consent. Let’s say we have solved the puzzle of key generation and management, PKI and (root)-CA’s, (virtual) file/folder/disk encryption, database-, application-, and endpoint encryption. Now, we want to implement a CASB that would leverage that established encryption infrastructure to encrypt data going into the cloud at the “field” level (or attachment/file/email/record level). Does the cloud solution still work? Can we still search? Can we still query? No? So then we have to go back and install on-premise proxies that can actually perform the function that the cloud solution was going to do? Does this make sense, or has this been developed with blinders on, focusing solely on one aspect (functionality) and not looking at the big picture (security)?Another observation that I have made over multiple rounds of RSA: the city (SFO) is becoming way too expensive. Staying for a week at RSA in a close-by hotel (so you don’t miss the sessions/content/etc.) is outrageously expensive, plus city tax (for what?), not to speak about food prizes or other support items. In my honest opinion, I think that RSA should evaluate going to other places, maybe a round-robin over the top ten US cities. This would be a nice alternative and actually contain price increases.One of the things that really stood out to me was this: One booth was put up by the Chinese Zhongguancun science park – the Chinese version of “silicon valley”. What amazed me was the sign that you can see in the picture (figure 1) below (I circled the most important sentences in red). They are hiring, and they’re seeking engineers etc. that can speak & read/write Chinese. Nothing is wrong with that, but get this: China is pouching top talent in the US to build out their competitive advantages. The security market is not only super-hot, (I can tell, I am hiring for multiple positions and have to go extra steps to find qualified and reasonable priced people who are willing to relocate.) but there is also now a true war on talent going on that was unheard of before. Those Chinese guys have understood that this is a global issue, and they are no longer educating university-degree cheap labor for the US and Western world. They now compete 1:1 with the resources here in mainland USA. US companies would be very well advised to start changing their habits regarding how they treat / incentivize / retain their talent. Those that understand the risk & value of information security and that there is only one shot at it will certainly respond.
Figure 1: China is hiringAnother, more obvious observation was made around the West hall of Moscone center: while reserving a seat via the app / web site was certainly a good idea, you could still stand in line and get access to most sessions. But what absolutely drove me nuts is that now the RSAC is forcing everyone to be badge-scanned for every and all session or even just vendor hall access, which is a major invasion of privacy (writing this as EU-raised / minded global citizen). When I resisted on first instance, the door guard told me to see security if I wouldn’t comply. To not lose valuable floor time having a senseless argument with those folks, I resigned and handed them my badge for scanning. Now I simply have to auto-delete all the incoming emails containing the word “RSA 2017” and phone calls from sales and business development. What a nuisance.On a personal note, when I checked in the book store in South Hall, I was pleasantly surprised that they were selling my book “(CI)SO – And Now What? How to Successfully Build Security by Design” at a nice discount and felt honored to be represented there:
Figure 2: “C(I)SO – And Now What?” at RSA 2017At night, there are plenty of parties and receptions, and networking with other security people is a must-do for everyone who is serious about staying in the profession. I observed there are still way too many introverts not willing to talk/share/open up, but as a leader in this space, I broke the ice and initiated lots of conversations. Being a C(I)SO does not prevent me from talking to the developer / tool programmer / analyst / security operations guy (or gal). In fact, it is my duty to foster the exchange and engage in the conversations, and if not for me, then to educate and guide the next generation.Overall, going to RSA is always interesting. You never stop learning; there is always something new or some brilliant folks you wanted to meet and suddenly bump into. This year was no different – see you next year!
About the Author: Michael Oberlaender has a broad, global, diversified background in various industries and markets, 27 years of IT including 17+ years full time security experience, and a strong focus on IT & security strategy. Michael is a globally recognized thought leader, book author (“C(I)SO – And Now What?”), publisher, and has written numerous articles for security magazines, and also has been frequent speaker, panelist and moderator at security conferences. He holds a master of science (physics) from the University of Heidelberg, Germany. He is member of (ISC)², ISACA, ISSA, and InfraGard (FBI).
Michael is currently serving as the Chief Information Security Officer of a larger corporation across the US, Canada and the UK. His expressed statements and opinions are that of his own and do not reflect on any current or prior employer or customer.To find out more about Michael´s book, “C(I)SO – And Now What?”, click here.You can also follow Michael on Twitter here, and connect with him on LinkedIn here.Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.