At the 2018 RSA Conference that ran from April 16-20, there was an underlying theme of discussion that IT cyber-security professionals can get the upper hand on hackers.
The idea that defenders can make a difference was well represented in the conference motto: Now Matters. The basic premise is that doing things now can make a difference and by taking the rights steps and investing in the right technologies now, cyber-security will be better in the future.
Against a backdrop of seemingly endless data breaches, vulnerable cloud storage services and widely-reported privacy violations, speaker after speaker tried to convince attendees that things really aren't as bad as they might appear to be.
"Let's talk about how the security community is growing stronger and moving faster," Rohit Ghai, President of RSA said during the conference's opening keynote. "Of course, you won't see it in the headlines. You won't see the New York Times cover how your stunning implementation of risk-based multifactor authentication stopped nation state threat actors from accessing a critical database. "
Ghai said that it's simply the nature of the IT industry that the biggest wins will never be front-page news. Ghai's keynote presentation was all about "silver linings" and identifying the positive things that IT professionals can do to secure their enterprises.
"When we execute on the silver linings, we don’t make headlines," Ghai said. "In fact, we stop the bad ones."
Tom Corn, senior vice president and GM of security products at VMware echoed a similar theme. In his view, defenders should have what he referred to as the "home court advantage" against attackers. Corn's opinion is that no one should know an enterprise network as well as the enterprise itself and that should be an advantage that gives defenders an edge over hackers.
Nadav Zafrir, former commander of Israel's 8200 Intelligence Unit (Israel's equivalent of the NSA) also delivered the same basic message that defenders should have the advantage.
"We know where the battle will take place," Zafrir said. "It will happen on our network and we should know our network better than attackers."
Zafrir also reminded attendees that the internet and the role of technology is not about security, but rather is about connectivity and improving the human condition.
Does Now Really Matter?
While some RSA Conference talks and speakers hit an optimistic tone, there were a fair number of pessimists as well. Adi Shamir, the "S" in RSA, was asked during the cryptographers' panel keynote what he sees as the sliver linings in cyber-security today.
"The silver lining I see in cyber-security is that our job security is guaranteed," Shamir said.
IDC analysts also struck a somewhat pessimistic tone on the current state of the cyber-security industry during the firm's annual RSA Conference breakfast meeting. Robert Westervelt, research director in IDC's security products group said that people were wandering the RSA Conference exhibit halls "scratching their heads" because they were confused about what different vendor provide.
In Westervelt's view, few vendors actually properly explain in their marketing messages what it is they actually provide and what the technology they sell can do for an enterprise. Westervelt's view on cyber-security marketing was taken to the extreme by browser isolation technology vendor Authentic8. Rather than have yet another booth that markets its own product, Authentic8 had a booth that was identified as FAKE Security and included giveaways of empty bottles labeled like 19th century quack nostrums that could cure all manner of cyber-security ills.
It is true that bad security news more often makes headlines than good security news. It's also true that it can be confusing, sometimes even for industry experts, to understand the marketing messages that come from cyber-security vendors.
That aside, there is no reason for fatalism in cyber-security outcomes. Though hackers will continue to find inviting targets, there are many things enterprises can do to limit risk. Here on eWEEK we regularly highlight new product innovations and companies that are making a difference.
No company needs to be a "sitting duck" or an easy target. By taking steps now, by thinking about best practises, understanding risks and implementing risk controls, the steps a company takes now can really matter.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.