I think it’s safe to say that we’ve all learned, in some way or another, that talk is cheap. From an early age, and especially into adulthood, we’re presented with situations where we feel like we’re being sold something that benefits the seller more than it does us. This fundamental human challenge is front and center in the field of information security, and it tends to be most prevalent at industry events such as the RSA Conference.

RSA Wrap-Up: Key Takeaways and Trends for 2017

As I walked around speaking with vendors, attending specialty track sessions and listening to the keynotes, it seemed that everyone had the magical silver bullet to fix enterprise security woes. Looking past the hype, however, there were several reasonable, believable trends to take away from RSA. Here are the things I think you should pay attention to and, perhaps, explore for your information security program in the coming year.

IoT Steals the Show

The issue of securing the Internet of Things (IoT) seemed to provide the most talking points at this year’s RSA show. I’m guessing that’s because IoT is sexy, cool and a new frontier for all of us. The key lesson I took from the show was to bring IoT into the fold of your security program. If you don’t, it’s just a matter of time before yet another medium is creating unnecessary business risks.

That said, there is some fearmongering around IoT. To me, that sends a message that all IoT devices are vulnerable most if not all of the time. The assumption is that these devices are connected to the internet or otherwise easily accessible and are therefore easily exploited. But that’s not true in most of the situations I’ve seen in my work. Sure, the onslaught of IoT devices can introduce new risks, but every situation is unique. Risk context is critical, so don’t just assume it’s all gloom and doom.

Listen to the podcast: RSA Speaker Charles Henderson discusses the future of IoT Security

Security Analytics: The Final Frontier

Analytics is that final frontier of security oversight that we can’t seem to master. With cloud-centric artificial intelligence and big data analytics claiming to solve our current challenges associated with logging, alerting and responding, perhaps these emerging solutions will inch us toward getting a better grip on this area.

Still, don’t expect drastic improvements. I remember “event correlation” being the security term du jour at a security conference I spoke at back in 2003. We’ve come a long way since then, in some respects, with threat management and incident response. But it seems we have such a long way to go.

Shortage of Expertise

Both security and privacy professionals are in increasingly high demand. That’s great job security for us, but it’s facilitating business risks that may never be properly addressed, at least not in the foreseeable future.

Based on what I’ve witnessed in my work, rather than simply adding more headcount to solve security and privacy problems, we need to work smarter. Courses in goal and time management can go a long way for IT and security professionals. Even more amazing, however, are the opportunities professionals often miss because they’re too busy majoring in minors — putting out fires that don’t need attention instead of focusing on what’s most important in terms of security.

It’s a challenge, for sure, but the key is to make sure you’re maximizing your current resources. There’s always more that people can do.

Don’t Take the Bait

Everyone has something to sell. That’s how the world works. The important thing is that you become — or remain — a savvy consumer and question what other people are proposing.

Although I do believe that most information security leaders should isolate themselves from marketing banter and focus inward on their known weaknesses for a year or two, it’s hard to avoid the challenges associated with emerging technologies, laws and relationships in today’s business world.

Keep your finger on the growing pulse of the items listed in this RSA wrap-up, among other issues you’re hearing about, but maintain a firm grasp on your core security program. The latter is where you’re going to get the best returns on your investment.

More from CISO

How to Solve the People Problem in Cybersecurity

You may think this article is going to discuss how users are one of the biggest challenges to cybersecurity. After all, employees are known to click on unverified links, download malicious files and neglect to change their passwords. And then there are those who use their personal devices for business purposes and put the network at risk. Yes, all those people can cause issues for cybersecurity. But the people who are usually blamed for cybersecurity issues wouldn’t have such an…

The Cyber Battle: Why We Need More Women to Win it

It is a well-known fact that the cybersecurity industry lacks people and is in need of more skilled cyber professionals every day. In 2022, the industry was short of more than 3 million people. This is in the context of workforce growth by almost half a million in 2021 year over year per recent research. Stemming from the lack of professionals, diversity — or as the UN says, “leaving nobody behind” — becomes difficult to realize. In 2021, women made…

Backdoor Deployment and Ransomware: Top Threats Identified in X-Force Threat Intelligence Index 2023

Deployment of backdoors was the number one action on objective taken by threat actors last year, according to the 2023 IBM Security X-Force Threat Intelligence Index — a comprehensive analysis of our research data collected throughout the year. Backdoor access is now among the hottest commodities on the dark web and can sell for thousands of dollars, compared to credit card data — which can go for as low as $10. On the dark web — a veritable eBay for…

Detecting the Undetected: The Risk to Your Info

IBM’s Advanced Threat Detection and Response Team (ATDR) has seen an increase in the malware family known as information stealers in the wild over the past year. Info stealers are malware with the capability of scanning for and exfiltrating data and credentials from your device. When executed, they begin scanning for and copying various directories that usually contain some sort of sensitive information or credentials including web and login data from Chrome, Firefox, and Microsoft Edge. In other instances, they…