February 20, 2005

The RSA Conference - 2005

Another RSA Conference has come and gone. This time around the theme was "The Codes of Prohibition". Bill Gates (MSFT) and John Thompson (SYMC) gave opening remarks on Tuesday, and on Thursday Simon Singh, who was probably invited to discuss "The Code Book", took those of us in the audience through a delightful romp covering his musings on "The Big Bang", which included a demonstration of the human brain's capability for pattern matching when specific patterns are expected, using a snippet of Led Zeppelin's "Stairway to Heaven" as the proof point.

All well and good, but what has changed, *really* changed, in security? I've been in this business for 15 years now and attended my first RSA Conference in 1998, but I can't escape the lingering frustration with an industry that's so very often chasing its own tail.

Are enterprises any more secure than they were 10 years ago? Of all the cost and splash on the show floor from new and existing vendors, have we been able to establish a sane and sensible approach to IT risk management? Sadly, I think not. At RSA this year the vendor money was more apparent and the attendance numbers were up, but where are we? Are we doing a better job of protecting our most critical assets?

The answer, as is so often the case in this field, is a grey one. Without a doubt we have seen some incredible advances in the available technology: network management has reached a level of maturity (though, sadly, not a 'secure' one, yet), Single Sign On (or more accurately reduced sign on) is a reality in many organizations, and the ability to sign off on 404 for many companies required a process, audit, and reporting trail that far exceeds what was available in the past. But still, as a network admin at heart, I find myself frustrated. All I ever wanted to do was to provide the intelligence and infrastructure to help the companies I worked for run their business as well as possible.

Yet as I looked over the show floor and saw all the available technology, I winced. More solutions, more servers, more byzantine audit trails. Where are the standards and coherent integration required to make a truly intelligent and appropriately risk-managed enterprise? The SAML interoperability demonstration and the work towards a common criteria for ranking vulnerabilities, CVSS (Common Vulnerability Scoring System), give me hope.

"Security" - or rather, appropriate Risk Management - is about sharing the right information and disseminating that information so it can be acted on in the most efficient way possible. Of course, yes, each vendor has a product or service to sell, so the lure of doing it in a way that eliminates competition is understandable. But we're in a much bigger community here; we, as IT professionals and stewards, must also learn how to work together, interoperate via standards, for the greater good. Whether we like it or not, we now live in a world that is dependent on digital information.

And our responsibility as members of this community is to learn how to work together to protect that information. The "my product's better than your product" mentality is understandable, and arguably required by the folks on Wall Street, but it won't get our industry where it needs to go. Innovation is critical to our future, which often means a new, niche concept from a small group of talented and creative people. But failure to understand that we must, in some way, work together (share standards, interoperate) will create nothing more than the cacophonous and largely indecipherable vendor hysteria that colored this year's conference.

Let's all work together towards the greater good - it doesn't mean we have to stop competing - but it does mean we all need to think about what's best for the protection of digital assets even as we attempt to create the next most important piece of the risk management puzzle. Working towards shared standards and levels of risk acceptability is, as Martha would say, a "good thing." But, sadly, it is something that was not recognized in a holistic sense this year, nor in previous years. We can do better. Let's challenge ourselves and, as a discipline, accept that challenge. Our most critical assets are at risk. Sure, each security vendor company lives and dies by the financials at the end of each quarter, but if we want to "build to last" and also build to protect, we must think more completely. Want to really provide "security" to the enterprise? Build tools that work, intelligently, with the other tools in the market.

Silo'd security is an oxymoron - security tools must protect the business. And the only way to make that happen is to build tools that work with, rather than against, each other.

That's my take away from the RSA Conference 2005 - what's yours?

Posted by Diana at February 20, 2005 03:39 PM