Every year, one of the biggest events on the information security calendar is the annual RSA Conference, and 2014 is no exception.
On Feb. 11, analysts gathered for the annual pre-RSA conference call to discuss what’s likely to emerge as the big trends from the upcoming conference. Among the most contentious issues at the 2014 RSA Conference is the ongoing discussion about the U.S. government’s surveillance activities.
In particular, there has been some backlash against the RSA Conference, due to the allegation that RSA Security worked with the National Security Agency (NSA) to somehow subvert encryption standards. A report in Reuters in December 2013 exposed the RSA/NSA partnership, which has had an impact on the RSA Conference. In January, a number of confirmed speakers at the RSA Conference decided to boycott the event over the NSA issue.
Wendy Nather, research director for security at 451 Research, said during the analyst call that Joseph Menn, the Reuters journalist who broke the story about the RSA/NSA deal, is moderating a panel at the RSA Conference. Menn will also be interviewing industry luminary Bruce Schneier over at the TrustyCon conference, which was set up by individuals opposed to RSA’s work with the NSA.
“I just want to point out that this issue involves one pseudo-random-number generator algorithm, and nothing else is being accused of being compromised or compromisable,” Nather said. “What RSA the company has now is a public relations problem.”
Nather said that whether the allegations are true or false, there is no way for RSA to legally provide proof that will change people’s minds. She noted that RSA is restricted from talking publicly about its contracts with the government.
“RSA the company is in a tough place right now, and because it’s a public relations issue, it is reflecting on RSA the conference,” Nather said.
The skills shortage in the IT security industry is an important issue, even though it’s not a sexy topic, Jon Oltsik, senior principal analyst at Enterprise Strategy Group (ESG), said during the call. “We’re an industry that runs around on bits and bytes and we love to talk about technology, but the security skills shortage is profound,” Oltsik said. “Our ESG data has indicated that this is a trend that has gone on for a number of years.”
A recent ESG study finds that 43 percent of survey respondents said they lacked skilled cloud and virtualization security staff.
“People are moving to the cloud, yet we have a skills shortage in people that understand the implications of cloud and security,” Oltsik said.
Software-defined networking (SDN) security will be a hot topic at the conference, explained Laura Koetzle, vice president and group director at Forrester. Koetzle, who is on the program selection committee for the conference, said that SDN’s popularity as a topic was much greater this year than in previous years.
“With much more fluidity in the way a network is defined, comes the possibility of compromise,” Koetzle said.
The interest in SDN security in many respects mirrors the interest that security professionals had in the early days of server virtualization, Koetzle said. Early concerns about security risks with server virtualization never really materialized, and it will be interesting to see if the same pattern will play out in future years with SDN, she added.
SDN provides some great opportunities to improve security, but more education about SDN and improved collaboration between network and security teams are needed, Oltsik explained.
Oltsik noted that while there will be lots of point solutions and tools released at RSA, he is hoping there will be some intellectual discussion at RSA about how to actually deal with the modern threat landscape.
“Our adversaries are better organized and more efficient than we are, and we need to get there quickly,” Oltsik said.
The RSA Conference runs from Feb. 24 to 28 at the Moscone Center in San Francisco.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com.