
Friday, February 28, 2014

Notes from the 2014 RSA Security Conference in San Francisco


Highlights
For general managers, perhaps the scariest part of the conference was the frequent admonition from security experts that:

  1. Organizations should not assume that they will be attacked by cybercriminals. Rather, they should assume that they have already been attacked and that attackers are already within their systems. One presenter cited data that the average intrusion has access for 21 months before being found out.
  2. There should be no assumption of trusted users within the organization. Even trusted and certified/authorized users need to have their behavior monitored, not because they are inherently untrustworthy, but because attackers will often obtain the credentials of trusted employees to gain access to valuable information. Just because a user identity has been verified does not mean that the person using it is the one authorized to use that identity.


Much of the product/service offering at the conference was technical, but the consequences of security breaches have extremely high visibility, both financially and in terms of reputational or brand equity. The recent breach of Target point-of-sale equipment was widely referred to at the conference, with experts from leading malware detection companies observing that no current anti-malware software would have been able to detect this kind of attack.

Senior Management and the Board
At a seminar on gaining the attention of senior executives and the board, the point was made that security issues are now of such large impact that they are considered a major issue by audit committees. Ongoing education of senior management, the board of directors and members of the audit committee is an important role for CIOs (Chief Information Officers) and the increasingly common CSO (Chief Security Officer). While the importance of the Audit Committee and the IT function was emphasized, it's hard not to think that marketers and strategists who deal with the value loss from security breaches need to have a stronger input into resource allocation and policy decisions around security (see for example Jonathan Copulsky's book Brand Resilience on the topic).

The Conference Itself
The US annual RSA Security Conference in San Francisco in 2014 was a large one running for five days. It offered a large number of panels (275) and a broad array of vendors offering a dizzying number of products. If you are not familiar with security products, then examples include:

  1. External evaluation services that survey your web software, web sites and network access and attempt to identify weaknesses.
  2. Certificate products. These include software for managing security certificates and individual credentials over their full life cycle: acquiring certificates, issuing them and withdrawing them.
  3. Software and services for detecting attacks, sharing information about attacks and recommended resolution approaches.
  4. Software and services for reducing the occurrence of denial of service attacks (where an attacker attempts to overwhelm the capacity of an online-accessible piece of software).
  5. Single sign-on products and services for simplifying access to a portfolio of services and software.
  6. Hardware products, e.g. two-factor authentication hardware that requires both a user-name/password combination and also some secondary form of identification that may include an interaction with a smartphone, a proprietary encryption device, or some form of physical identification.
  7. Software assessment tools that look at code under development in order to identify patterns of security weakness.
  8. Training services offered by commercial or educational institutions to increase awareness of security risk, best practices and bad practices.


Conference Information

RSA Security Conference 2014, US: http://www.rsaconference.com/events/us14

Monday, September 09, 2013

The NSA, Privacy, Trust and Tribes of Trust


While I was writing Innovation Zeitgeist this summer (June and July), the only part of the book that I got some pushback on was the suggestion that the Internet was so important, but so difficult for even sophisticated users to manage (phishing, cybercrime, privacy issues), that "tribes of trust" would emerge and that privacy would become a major point of differentiation for competitors. The idea behind a tribe of trust was that it represented a managed, safe portion of the Internet where you would have higher confidence about information and transacting.

The recent announcements about the NSA and the cooperation of many companies with the NSA have confirmed the importance of digital trust.

I felt like I was going out on a limb when I suggested that there were roughly ten levels of policies on privacy that companies might adopt deliberately or accidentally, but they seem more accurate than I had anticipated. I wrote:

"Roughly speaking one might imagine companies in a market pursuing ten alternative strategies:

  1. Lie about what information is collected
  2. Don't reveal what information is stored about the user
  3. Reveal policies and superficial description of information stored about the user
  4. Reveal partial information about what is stored
  5. Reveal all raw information stored about the user
  6. Reveal all raw and evaluative information stored about the user including connections to other users
  7. Allow editing and export of privacy information by user
  8. Pay user to use their stored information
  9. Make the information stored useful to the user
  10. Make the information stored useful to the user and charge for it as a service


Today, few companies have been aggressive in their use of privacy information as a differentiator. Perhaps an early sign of competitive use of privacy as a marketing weapon is an internal 2013 video developed by Microsoft (http://youtu.be/-Cr6AgUo764). Now leaked outside Microsoft, the video's theme is that Google tracks everything you do so that it can make money off you. While it may not have been intended as an external marketing weapon, it does illustrate the kind of marketing campaign that might be pursued by aggressive companies in the future.


Some of the larger web sites reveal how long they retain information. But as I pointed out in an earlier chapter, innovation for digital content now includes bundling and unbundling of services, legal rights and methods of monetization. Privacy is, in a sense, no different than attaching the right to re-download a book more than once on an audio book service such as Audible."