Well, RSA Conference 2014 has come and gone. It was a very good conference -- the most lively and crowded one I've ever attended. Even if you weren't at this year's show, hopefully you've learned something new from the TechTarget team's great coverage.
One of my favorite RSA 2014 presentations was the opening keynote by Art Coviello, because it ruffled a lot of feathers and left many people I spoke with wondering whether RSA really took part in NSA's surveillance programs. Coviello's message that it wasn't a willing co-conspirator was somewhat convincing, but not entirely. He even said something along the lines of, "When or if the NSA blurs the lines and exploits the trust in the security community, then that is a problem."
Coviello went on to say very positive things about the Information Assurance Directorate, the defensive cybersecurity unit within the NSA, and that it should be spun off so people and organizations can separate that group's valiant efforts from the NSA's controversial cyberespionage efforts. It's not a bad idea.
On the other hand, the message from Microsoft corporate vice president and Trustworthy Computing chief Scott Charney about Microsoft's involvement seemed a bit more believable. I still feel as if both Coviello and Charney (especially Coviello) left out some details about the relationship their companies have had with the NSA and the extent of the surveillance that's taking place. I suspect we'll never know the full story. At least the NSA was kind enough to sponsor a booth on the expo floor to answer any questions and allay any concerns.
Regretfully, I missed what was apparently the best performance of the show -- Stephen Colbert's "elections have consequences" closing keynote. Sandwiched in between these keynotes was an overwhelming amount of session content. Browsing through the conference pocket guide each day was somewhat frustrating because I had trouble finding the one session I wanted to attend out of a dozen or more.
My favorite track session (part of the CISO Viewpoint track) was called "Security principles versus the real world." It was a discussion moderated by Gary McGraw, with panelists Marcus Ranum, Eugene Spafford, and security executives from Capital One and Aetna. The discussion was centered on Saltzer and Schroeder's Principles of Information Protection that date back to 1976. I loved the throwback to these core concepts of information security that we keep forgetting about. If you're not familiar with them, they need to be actionable items within your security strategy. As I wrote about in my first blog post, I strongly believe that unless and until we master the basic security principles, we're going to continue getting the same results that the Verizon DBIR and similar reports keep finding, namely, too many enterprises falling prey to basic attacks that can easily be avoided.
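As an added example that is not part of the column, here is how a few of the Saltzer and Schroeder principles named above translate into working code: fail-safe defaults (anything not explicitly granted is denied), least privilege (each role carries only the actions it needs), complete mediation (every access re-checks the caller's current roles, so a revocation takes effect on the very next call) and separation of privilege (a destructive action needs a second, distinct approver). The policy table, the `RoleRegistry` and `ReportStore` classes and the user names are all constructed for illustration, not taken from any real system.

```python
# Added example: Saltzer and Schroeder principles as code. All names and the
# policy table are constructed for illustration.
from enum import Enum


class Action(Enum):
    READ = "read"
    WRITE = "write"
    DELETE = "delete"


# Constructed policy: (role, resource type) -> actions explicitly allowed.
# Anything absent from this table is denied (fail-safe default), so the
# code never needs to enumerate what is forbidden.
POLICY = {
    ("analyst", "report"): {Action.READ},
    ("editor", "report"): {Action.READ, Action.WRITE},
    ("admin", "report"): {Action.READ, Action.WRITE, Action.DELETE},
}

# Separation of privilege: destructive actions need a second, distinct person.
TWO_PERSON_ACTIONS = {Action.DELETE}

# Minimal audit trail so denied attempts are visible to detection, not silent.
AUDIT_LOG = []


class RoleRegistry:
    """Current role assignments; consulted on every check, never cached."""

    def __init__(self):
        self._roles = {}

    def grant(self, user, role):
        self._roles.setdefault(user, set()).add(role)

    def revoke(self, user, role):
        self._roles.get(user, set()).discard(role)

    def roles_of(self, user):
        return frozenset(self._roles.get(user, ()))


def _granted(registry, user, resource_type):
    """Union of actions the user's current roles allow on this resource type."""
    allowed = set()
    for role in registry.roles_of(user):
        allowed |= POLICY.get((role, resource_type), set())
    return allowed


def is_authorized(registry, user, resource_type, action, approver=None):
    """True only when an explicit POLICY rule grants the action right now."""
    if action not in _granted(registry, user, resource_type):
        AUDIT_LOG.append(("deny", user, resource_type, action.value))
        return False
    if action in TWO_PERSON_ACTIONS:
        # The approver must be a different person who independently holds the right.
        if (approver is None or approver == user
                or action not in _granted(registry, approver, resource_type)):
            AUDIT_LOG.append(("deny-no-approver", user, resource_type, action.value))
            return False
    AUDIT_LOG.append(("allow", user, resource_type, action.value))
    return True


class ReportStore:
    """Every entry point re-checks authorization (complete mediation)."""

    def __init__(self, registry):
        self._registry = registry
        self._reports = {}

    def write(self, user, report_id, body):
        if not is_authorized(self._registry, user, "report", Action.WRITE):
            raise PermissionError(f"{user} may not write {report_id}")
        self._reports[report_id] = body

    def read(self, user, report_id):
        if not is_authorized(self._registry, user, "report", Action.READ):
            raise PermissionError(f"{user} may not read {report_id}")
        return self._reports.get(report_id)

    def delete(self, user, report_id, approver):
        if not is_authorized(self._registry, user, "report", Action.DELETE, approver):
            raise PermissionError(f"{user} may not delete {report_id}")
        self._reports.pop(report_id, None)

    def count(self):
        return len(self._reports)


def _denied(fn):
    """True if calling fn raises PermissionError."""
    try:
        fn()
    except PermissionError:
        return True
    return False


def run_scenario():
    """Exercise each principle once; returns named outcomes for checking."""
    reg = RoleRegistry()
    for user, role in [("alice", "analyst"), ("bob", "editor"),
                       ("carol", "admin"), ("dave", "admin")]:
        reg.grant(user, role)
    store = ReportStore(reg)
    store.write("bob", "q1", "quarterly numbers")
    out = {"analyst_reads": store.read("alice", "q1") == "quarterly numbers"}
    # least privilege: the analyst role carries no write right
    out["analyst_write_denied"] = _denied(lambda: store.write("alice", "q1", "tampered"))
    # fail-safe default: a user with no roles at all gets nothing
    out["unknown_user_denied"] = _denied(lambda: store.read("mallory", "q1"))
    # complete mediation: revocation is honoured on the very next call
    reg.revoke("alice", "analyst")
    out["revoked_read_denied"] = _denied(lambda: store.read("alice", "q1"))
    # separation of privilege: an admin cannot approve their own delete
    out["self_approved_delete_denied"] = _denied(lambda: store.delete("carol", "q1", "carol"))
    store.delete("carol", "q1", approver="dave")
    out["two_person_delete_ok"] = store.count() == 0
    return out
```

The point of routing every store method through `is_authorized` rather than checking once at login is complete mediation: the decision is recomputed from the registry each time, so removing a role does not leave a stale grant behind. The audit entries make the denials observable, which is what a detection team would want from a control like this.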
A few other tracks (and sessions) stood out as compelling at this year's conference, including application security, mobile security and security strategy. It was tiring to see the public policy-related sessions (I think we have about enough laws on the books for now), but refreshing to see more business-centric and legal sessions, both of which are must-learn topics for information security pros. Whichever industry you work in, there was something at the show for you. Here's a link to this year's presentation slides.
Looking back, one thing I'll do differently next time is not take other work with me to the show. It seems that I spent nearly half of my time there completing unfinished tasks. This took away from my time in the sessions and time on the floor. I've had several other friends tell me it was the same way for them. At least it's a good indicator of job security for us!
For many infosec pros, the excitement over what they learned will no doubt fizzle out in the coming weeks. The question becomes: what are you going to do differently? Beware of that unspoken yet overarching theme of RSA 2014: complacency. It'll set in if you're not careful, so set reasonable goals and manage your time wisely to hold yourself accountable. If you focus on just those two things, you'll be well ahead of most others in our field and hopefully gain some credibility with management to boot.
A good place where you can begin today: start making plans for next year's RSA Conference. It's going to be later in the year in 2015 -- April 20 to 24. I hope to see you there.
About the author:
Kevin Beaver is an information security consultant, writer, professional speaker and expert witness with Atlanta-based Principle Logic LLC. With more than 25 years of experience in the industry, Kevin specializes in performing independent security vulnerability assessments of network systems, as well as Web and mobile applications. He has authored/co-authored 11 books on information security, including the best-selling Hacking for Dummies, The Practical Guide to HIPAA Privacy and Security Compliance, and Implementation Strategies for Fulfilling and Maintaining IT Compliance. In addition, he's the creator of the Security on Wheels information security audio books and blog providing security learning for IT professionals on the go. You can reach Kevin through his website, www.principlelogic.com, and follow him on Twitter at @kevinbeaver.