Friday, February 28, 2014

Notes from the 2014 RSA Security Conference in San Francisco

For general managers, perhaps the scariest part of the conference was the frequent admonition from security experts that:

  1. Organizations should not assume that they will be attacked by cybercriminals. Rather, they should assume that they have already been attacked and that attackers are already inside their systems. One presenter cited data that the average intrusion remains undetected for 21 months.
  2. There should be no assumption of trusted users within the organization. Even trusted and certified/authorized users need to have their behavior monitored, not because they are inherently untrustworthy, but because attackers often obtain the credentials of trusted employees in order to reach valuable information. That a user identity has been authenticated does not mean that the person using it is the one authorized to use it.
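The second point is the one a monitoring team acts on: a valid password tells you the credential was presented, not who presented it. The following is an added example, not something shown at the conference or taken from any vendor, of the simplest form of behavioural monitoring behind that advice. It builds a per-user baseline (countries, hosts, hours of day, actions seen) from a period of normal use and then flags later sessions that deviate on several axes at once, even though every line in the log is a successful authentication. The log format, the sample events, the baseline cut-off and the "two or more deviations" threshold are all assumptions made for the example.

```python
"""Behavioural check on successfully authenticated sessions (added example).

Every line in the constructed log below is a *successful* login or action, so
the question is not "did the credential work" but "does this session look like
the person who owns the identity". Format, thresholds and data are assumptions.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample events: timestamp, user, source country, host, action.
# alice works US office hours for three days, then her account is used at
# 02:00 from a new country and host to export payroll data.
SAMPLE_LOG = """\
2014-02-03T09:12:00 alice US ws-alice login
2014-02-03T09:40:00 alice US ws-alice read:reports
2014-02-03T14:00:00 bob US ws-bob login
2014-02-04T08:55:00 alice US ws-alice login
2014-02-04T10:02:00 alice US ws-alice read:reports
2014-02-04T14:10:00 bob US ws-bob read:reports
2014-02-05T09:05:00 alice US ws-alice login
2014-02-05T11:30:00 alice US ws-alice read:reports
2014-02-06T02:14:00 alice RO vpn-gw-7 login
2014-02-06T02:16:00 alice RO vpn-gw-7 read:payroll
2014-02-06T02:18:00 alice RO vpn-gw-7 export:payroll
2014-02-06T14:05:00 bob US ws-bob login
"""


def parse(log_text):
    """Turn the whitespace-separated log lines into event dicts."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, country, host, action = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "country": country, "host": host, "action": action})
    return events


def build_baseline(events, baseline_end):
    """Per-user profile of what 'normal' looked like before baseline_end."""
    profile = defaultdict(lambda: {"countries": set(), "hosts": set(),
                                   "hours": set(), "actions": set()})
    for e in events:
        if e["ts"] >= baseline_end:
            continue
        p = profile[e["user"]]
        p["countries"].add(e["country"])
        p["hosts"].add(e["host"])
        p["hours"].add(e["ts"].hour)
        p["actions"].add(e["action"])
    return profile


def score_event(e, profile):
    """Return the list of ways this event departs from the user's baseline."""
    p = profile.get(e["user"])
    if p is None:
        return ["no baseline for user"]
    reasons = []
    if e["country"] not in p["countries"]:
        reasons.append(f"new country {e['country']}")
    if e["host"] not in p["hosts"]:
        reasons.append(f"new host {e['host']}")
    if e["ts"].hour not in p["hours"]:
        reasons.append(f"unusual hour {e['ts'].hour:02d}")
    if e["action"] not in p["actions"]:
        reasons.append(f"first-seen action {e['action']}")
    return reasons


def find_suspicious(log_text, baseline_end_iso, min_reasons=2):
    """Flag post-baseline events that deviate on min_reasons or more axes.

    A single deviation (a new laptop, a late night) is normal life; several at
    once on an account with a stable history is what warrants a look.
    """
    baseline_end = datetime.fromisoformat(baseline_end_iso)
    events = parse(log_text)
    profile = build_baseline(events, baseline_end)
    findings = []
    for e in events:
        if e["ts"] < baseline_end:
            continue
        reasons = score_event(e, profile)
        if len(reasons) >= min_reasons:
            findings.append((e["ts"].isoformat(), e["user"], e["action"], reasons))
    return findings


if __name__ == "__main__":
    for ts, user, action, reasons in find_suspicious(SAMPLE_LOG, "2014-02-06T00:00:00"):
        print(f"{ts} {user} {action}: {', '.join(reasons)}")
```

Run as-is it reports the three early-morning alice events and says nothing about bob, whose post-baseline login matches his history on every axis. In practice the baseline would be rolling rather than a fixed cut-off and the axes richer (device fingerprint, data volume, peer group), but the shape is the same: authentication answers "is the credential valid", and this layer asks "is this behaviour consistent with the person".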

Much of the product/service offering at the conference was technical, but the consequences of security breaches have extremely high visibility, both financial and reputational (brand equity). The recent breach of Target point-of-sale equipment was widely referred to at the conference, with experts from leading malware detection companies observing that no current anti-malware software would have been able to detect this kind of attack.

Senior Management and the Board
At a seminar on gaining the attention of senior executives and the board, the point was made that security issues now have such large impact that they are considered a major issue by audit committees. Ongoing education of senior management, the board of directors and members of the audit committee is an important role for CIOs (Chief Information Officers) and the increasingly common CSO (Chief Security Officer). While the importance of the Audit Committee and the IT function was emphasized, it is hard not to think that marketers and strategists who deal with the value loss from security breaches need to have a stronger input into resource allocation and policy decisions around security (see for example Jonathan Copulsky's book Brand Resilience on the topic).

The Conference Itself
The 2014 US RSA Security Conference in San Francisco was a large one, running for five days. It offered a large number of panels (275) and a broad array of vendors offering a dizzying number of products. If you are not familiar with security products, examples include:

  1. External evaluation services that survey your web software, web sites and network access and attempt to identify weaknesses.
  2. Certificate products: software for managing security certificates and individual credentials over their full life cycle, from acquisition through issuance to withdrawal.
  3. Software and services for detecting attacks, sharing information about attacks and recommending resolution approaches.
  4. Software and services for reducing the impact of denial-of-service attacks (where an attacker attempts to overwhelm the capacity of an online-accessible piece of software).
  5. Single sign-on products and services for simplifying access to a portfolio of services and software.
  6. Hardware products, e.g. two-factor authentication hardware that requires both a user-name/password combination and some secondary form of identification, which may involve an interaction with a smartphone, a proprietary encryption device, or some form of physical identification.
  7. Software assessment tools that examine code under development in order to identify patterns of security weakness.
  8. Training services offered by commercial or educational institutions to increase awareness of security risk, best practices and bad practices.

Conference Information

RSA Security Conference 2014, US: