RSA 2018: A Parade Watcher’s View

It’s been a few weeks now since the RSA conference happened in San Francisco, and I needed that time to fully digest the onslaught of information. As a long-time standee on the sidelines of cybersecurity, watching the sector grow unabated, lurching from issue to issue, always expanding and rarely, if ever, consolidating, I have to marvel at the sheer circus of it all. My area of expertise is network management and monitoring, which commonly utilizes the very same technology elements that underlie advanced security monitoring. But unlike network management, the past few years have seen oodles of new startups enter the security solutions space, adding to a growing clamor at RSA. How is the average security pro ever going to keep up?

Yes, the crooks keep winning, but…

After walking the expo floor at RSA, my conclusion is that the vendors are the ones who are really taking it to the bank. Just like the California Gold Rush of the 19th century, the ones who will get rich are the merchants – the suppliers of security technologies and services. In the final tally, the amount of money spent on all of the tools and products will outstrip the losses incurred from successful attacks by the vast majority of organizations.

The security technology vendor landscape is beyond bloated.

After walking the RSA expo floor and navigating the dizzying array of offerings being hawked, I had the opportunity to sit in on a market landscape briefing given by 451 Research. Clearly, the venture community is betting on the merchants. New investments are pouring into companies at a rapid clip, on the order of $1 billion per quarter. And while enterprise security is the most active area of tech M&A for three years running, with 140+ acquisitions expected this year, there simply aren’t enough buyers to handle the supply. But beyond that sobering assessment of the vendors, the 451 team had some sage thoughts to share. A few that I found most timely and compelling:

• “Every security product will be an analytics product.”
• “Cybersecurity is the killer app for big data analytics.”
• “Security automation will move closer to the mainstream.”

Put these together, and big data analytics that can contribute to automation would be a really good combination.

Good technology alone is not the answer.

Let’s face it. We have a number of big societal and economic weaknesses that make cybercrime pay. Bad systems design, poor coding practices, insufficient testing, too much trust, too little technical security proficiency, and a financial sector that gaily throws around credit like so many flower petals at a wedding all add up to a virtual paradise for the bad guys. The banks not only expect fraud, they plan on it. They are willing to take massive losses to crime and they still turn a healthy profit. Think about that for a minute – failure is actually being embraced and tolerated. In my opinion, financial incentives (the carrot) and CxO penalties (the stick) are both helpful at getting the IT sector to take security seriously, but we also just need to take frank stock and do some growing up. We need to add discipline and good engineering practices to building and deploying IT infrastructure and applications. We need to say no to rushing new products and services to market if they have not been developed in ways that are both stable and secure. The 451 team is finally seeing organizations take this seriously, adding secure coding practices, and giving rise to DevSecOps. They also noted a marked rise in the business for MSSPs (managed security services providers), who can augment staff with expertise and coverage. So the cavalry is coming – it’s about time!

Takeaways

One thing is for certain – this juggernaut will not slow anytime soon. It will keep many good people employed, and massive resources (in currency and headcount) will be thrown at the many, very real challenges. But many resources will also be poorly spent, with little net effect or improved security posture. After nearly 30 years standing on the sidelines, watching this parade, I have a few recommendations to make:

• First, unless you are a large organization or a service provider, get help. There is no way that your security team can keep up with the multi-headed hydrae that are enterprise security technology and the realities of today’s threat landscape.
• Next, when going to RSA, you’ll probably want to spend your quality time in the big booths of the large established vendors. Sad to say, but many of the little booths around the edges are filled with startups that, as likely as not, won’t be there next year, or they will have become a pod in one of those bigger booths.
• Finally, take advantage of the investments you have already made. Don’t overlook the complementary value of your monitoring tools and technologies, many of which can provide security-specific insights at no additional cost to you. And given 451’s take, if those tools happen to be big data analytics with the ability to automate response, you’re in an even better position.