RSA Wrap-Up: Top Stories From the 2017 RSA Conference

I think it’s safe to say that we’ve all learned, in some way or another, that talk is cheap. From an early age, and especially into adulthood, we’re presented with situations where we feel like we’re being sold something that benefits the seller more than it does us. This fundamental human challenge is front and center in the field of information security, and it tends to be most prevalent at industry events such as the RSA Conference.

RSA Wrap-Up: Key Takeaways and Trends for 2017

As I walked around speaking with vendors, attending specialty track sessions and listening to the keynotes, it seemed that everyone had the magical silver bullet to fix enterprise security woes. Looking past the hype, however, there were several reasonable, believable trends to take away from RSA. Here are the things I think you should pay attention to and, perhaps, explore for your information security program in the coming year.

IoT Steals the Show

The issue of securing the Internet of Things (IoT) seemed to provide the most talking points at this year’s RSA show. I’m guessing that’s because IoT is sexy, cool and a new frontier for all of us. The key lesson I took from the show was to bring IoT into the fold of your security program. If you don’t, it’s just a matter of time before yet another medium is creating unnecessary business risks.

That said, there is some fearmongering around IoT. To me, that sends a message that all IoT devices are vulnerable most if not all of the time. The assumption is that these devices are connected to the internet or otherwise easily accessible and are therefore easily exploited. But that’s not true in most of the situations I’ve seen in my work. Sure, the onslaught of IoT devices can introduce new risks, but every situation is unique. Risk context is critical, so don’t just assume it’s all gloom and doom.

Security Analytics: The Final Frontier

Analytics is that final frontier of security oversight that we can’t seem to master. With cloud-centric artificial intelligence and big data analytics claiming to solve our current challenges associated with logging, alerting and responding, perhaps these emerging solutions will inch us toward getting a better grip on this area.

Still, don’t expect drastic improvements. I remember “event correlation” being the security term du jour at a security conference I spoke at back in 2003. We’ve come a long way since then, in some respects, with threat management and incident response. But it seems we have such a long way to go.

Shortage of Expertise

Both security and privacy professionals are in increasingly high demand. That’s great job security for us, but it’s facilitating business risks that may never be properly addressed, at least not in the foreseeable future.

Based on what I’ve witnessed in my work, rather than simply adding more headcount to solve security and privacy problems, we need to work smarter. Courses in goal and time management can go a long way for IT and security professionals. Even more amazing, however, are the opportunities professionals often miss because they’re too busy majoring in minors — putting out fires that don’t need attention instead of focusing on what’s most important in terms of security.

It’s a challenge, for sure, but the key is to make sure you’re maximizing your current resources. There’s always more that people can do.

Don’t Take the Bait

Everyone has something to sell. That’s how the world works. The important thing is that you become — or remain — a savvy consumer and question what other people are proposing.

Although I do believe that most information security leaders should isolate themselves from marketing banter and focus inward on their known weaknesses for a year or two, it’s hard to avoid the challenges associated with emerging technologies, laws and relationships in today’s business world.

Keep your finger on the growing pulse of the items listed in this RSA wrap-up, among other issues you’re hearing about, but maintain a firm grasp on your core security program. The latter is where you’re going to get the best returns on your investment.

Kevin Beaver

Independent Information Security Consultant

Kevin Beaver is an information security consultant, writer and professional speaker with Atlanta-based Principle Logic, LLC. With over 28 years of experience in IT and 22 years specializing in security, Kevin performs independent security assessments and helps businesses uncheck the boxes that keep creating a false sense of security. He has authored/co-authored 12 books on information security, including the best-selling "Hacking For Dummies" and "The Practical Guide to HIPAA Privacy and Security Compliance." In addition, Kevin is the creator of the Security On Wheels information security audiobooks and blog providing security learning for IT professionals on the go. You can learn more and link to Kevin's articles, blog posts, videos and more at his website, www.principlelogic.com.