RSA 2014: 10 Takeaways From a Show Overshadowed by Fractured Trust
6. Build a hacker's lab: The bad guys are clever, organized and ready to develop new ways of hacking into your network. You are still confined to maintaining your existing security fences and calling on outside resources when needed. Maybe the best advice I heard was similar to what I've heard about companies considering cloud computing: Assign one of your employees to create a test bed for new services. It is almost impossible to have a staff that can investigate new technologies in their (few) off moments from their regular job. Having an on-staff hacker is a lot different from having an on-staff cloud developer, but once you set a couple of ground rules and create a hacking playground aimed at your company's innards, you'll soon be learning about all the new hacking techniques and vulnerabilities you did not realize you had.

7. Invest in people and processes: One of the better keynotes was from Hewlett-Packard's Senior Vice President Art Gilliland, who explained where you can invest in security to get the biggest bang for the buck. It is not in adding new boxes to an already overburdened infrastructure, but rather in investing in security training and processes that provide a broad-sweep approach to corporate security. I heard this several times during the conference from attendees who felt that adding new boxes and managing security software upgrades is important. But this takes away from developing a comprehensive approach and encourages scurrying about to put out fires.

8. Learn how to express digital security issues in business terms: I attended an AccessData CISO briefing, and one of the key takeaways for me was a discussion of how to talk to your CEO or corporate board when they want to know the state of security in your company. CEOs want to know the level of risk, the costs associated with lowering those risks and a straightforward discussion on the state of corporate security. CISOs talking in acronyms and buzzwords, and unable to translate security technology into business terms, are blocking their chance for promotion to the upper corporate ranks.

9. The cloud as a solution instead of a problem: The more I sat through sessions on the latest threats, advanced attacks, new zero-day exploits and the sophisticated worldwide digital criminal elements, the more I realized that the tasks facing the modern CISO may be impossible to accomplish. Security budgets are not boundless, and the pool of security specialists available for hire is limited. While moving more of your infrastructure to a public cloud provider is not the answer to all your security problems, those cloud providers have more security resources than you can marshal. Using the public cloud platforms to augment your digital security and allow you to focus on protecting the corporate crown jewels is an upcoming trend.

10. Pay attention to what went on at TrustyCon: On Thursday, I went over to the TrustyCon conference being held in a movie theatre a block away from RSA. I found the speakers well informed, passionate about the need for trust in a digital world, and an audience leaning into the presentations. The presentations reminded me of the early days of RSA, before the vendor presence gave the event a much more commercial feel. Instead of belittling the TrustyCon event, the RSA Conference organizers would do well to watch the presentations on YouTube and work at injecting some of that passion for digital trust into next year's RSA. The TrustyCon event was sold out, and the organizers donated a $20,000 check to the Electronic Frontier Foundation—a really nice touch in a world of vendor-driven events.

Eric Lundquist is a technology analyst at Ziff Brothers Investments, a private investment firm. Lundquist, who was editor-in-chief at eWEEK (previously PC WEEK) from 1996-2008, authored this article for eWEEK to share his thoughts on technology, products and services. No investment advice is offered in this article. All duties are disclaimed. Lundquist works separately for a private investment firm, which may at any time invest in companies whose products are discussed in this article, and no disclosure of securities transactions will be made.