I think it’s safe to say that we’ve all learned, in some way or another, that talk is cheap. From an early age, and especially into adulthood, we’re presented with situations where we feel like we’re being sold something that benefits the seller more than it does us. This fundamental human challenge is front and center in the field of information security, and it tends to be most prevalent at industry events such as the RSA Conference.

RSA Wrap-Up: Key Takeaways and Trends for 2017

As I walked around speaking with vendors, attending specialty track sessions and listening to the keynotes, it seemed that everyone had the magical silver bullet to fix enterprise security woes. Looking past the hype, however, there were several reasonable, believable trends to take away from RSA. Here are the things I think you should pay attention to and, perhaps, explore for your information security program in the coming year.

IoT Steals the Show

The issue of securing the Internet of Things (IoT) seemed to provide the most talking points at this year’s RSA show. I’m guessing that’s because IoT is sexy, cool and a new frontier for all of us. The key lesson I took from the show was to bring IoT into the fold of your security program. If you don’t, it’s just a matter of time before yet another medium is creating unnecessary business risks.

That said, there is some fearmongering around IoT. To me, that sends a message that all IoT devices are vulnerable most if not all of the time. The assumption is that these devices are connected to the internet or otherwise easily accessible and are therefore easily exploited. But that’s not true in most of the situations I’ve seen in my work. Sure, the onslaught of IoT devices can introduce new risks, but every situation is unique. Risk context is critical, so don’t just assume it’s all gloom and doom.

Listen to the podcast: RSA Speaker Charles Henderson discusses the future of IoT Security

Security Analytics: The Final Frontier

Analytics is that final frontier of security oversight that we can’t seem to master. With cloud-centric artificial intelligence and big data analytics claiming to solve our current challenges associated with logging, alerting and responding, perhaps these emerging solutions will inch us toward getting a better grip on this area.

Still, don’t expect drastic improvements. I remember “event correlation” being the security term du jour at a security conference I spoke at back in 2003. We’ve come a long way since then, in some respects, with threat management and incident response. But it seems we have such a long way to go.

Shortage of Expertise

Both security and privacy professionals are in increasingly high demand. That’s great job security for us, but it’s facilitating business risks that may never be properly addressed, at least not in the foreseeable future.

Based on what I’ve witnessed in my work, rather than simply adding more headcount to solve security and privacy problems, we need to work smarter. Courses in goal and time management can go a long way for IT and security professionals. Even more amazing, however, are the opportunities professionals often miss because they’re too busy majoring in minors — putting out fires that don’t need attention instead of focusing on what’s most important in terms of security.

It’s a challenge, for sure, but the key is to make sure you’re maximizing your current resources. There’s always more that people can do.

Don’t Take the Bait

Everyone has something to sell. That’s how the world works. The important thing is that you become — or remain — a savvy consumer and question what other people are proposing.

Although I do believe that most information security leaders should isolate themselves from marketing banter and focus inward on their known weaknesses for a year or two, it’s hard to avoid the challenges associated with emerging technologies, laws and relationships in today’s business world.

Keep your finger on the growing pulse of the items listed in this RSA wrap-up, among other issues you’re hearing about, but maintain a firm grasp on your core security program. The latter is where you’re going to get the best returns on your investment.
