Top Security Trends at RSA Conference 2018: An Uncertain Camelot
Since its humble origins in the early 90’s, the RSA Conference has grown to become the premier annual event of the IT security industry. Attracting more than 40k attendees to downtown San Francisco’s Moscone Center this year, attendees hear, meet, and drink with the thought leaders of cyber security. These include security experts from the White House and the European Union (EU) all the way down to the scrappy little unknown security start-ups that cobbled together funds to get a booth at the show for the first time. And what a show it is! In a nod to the younger generation of cyber, this year’s show included an amazing hip hop DJ who told the story of Cyber Security as a rap! Writers and futurists challenged us to imagine our world 10, 15, 20 years from now. What would security look like then?
Here’s some of the top trends impacting security that were center stage at RSA:
IoT Security – Securing All Things
Security is an industry that is constantly being disrupted and this year was no exception. Bruce Schneier, one of the great security thinkers of our age, currently working with IBM, pointed out that as the Internet of Things (IoT) becomes the Internet of Everything, “Internet Security” is going to become “Everything Security.” Let’s take one piece of the puzzle as an example; authentication.
Today most of us authenticate maybe four to six times a day, but in the fully-connected world of IoT a person with 25 active daily devices/credentials would require 300 authentications each day! The Smart Fridge tells the Smart Store to add milk to your weekly grocery order. The store reroutes the Smart Delivery Truck or Uber Shopping vehicle. The human driver (if there is one) is sent a one-time password to open the “Fresh Locker” beside your garage…you get the idea. Now add communities, companies and cities to the equation. How will we manage all of those credentials? Where will security for IoT live? Will all of the personal data that is being used to drive these transactions and workflows remain private? Let’s leave aside the topic Smart Toilets, but yes, there was a session on that too.
GDPR – Privacy for All Things
Speaking of data privacy, no security issue loomed as large at RSA as Europe’s General Data Privacy Regulation (GDPR), which is seen by the industry as the most important regulation since… well, since ever. America’s tech industry awaits as the EU asserts its position as the world’s only regulatory global super power. For example, GDPR requires notification of a potential breach within 72 hours. US companies usually wait weeks or even months before reporting a breach. And it’s not just the Americans who are getting nervous. GDPR has become has become an anxious topic of conversation over the dinner tables across Europe.
Prof. Dr. Udo Helmbrecht, Executive Director of the EU Cybersecurity Agency ENISA explained that the Public Authorities tasked with overseeing the regulation would be funding their budgets in no small part from fees levied on violating organizations. So while the Facebook firehose of private data only earned Mr. Zuckerberg a few cross words from congress, that’s not how things will play out with the EU.
Prof. Dr. Udo Helmbrecht along with some of the other speakers
AI Is Here to Stay
AI is a game changer and security vendors that do not embrace it will not remain competitive. A great example demonstrated at the show was AI handling a GDPR request for erasure of data. Under GDPR, EU residents have the right to request that their personal data be erased by the firm using it, as well as any third parties that the firm has contracted with. Cindy Compert, IBM’s CTO for Data Privacy and Security, showed us how AI could handle the entire process, from receiving the email requesting erasure, grabbing all of the pertinent data, erasing the data, correctly logging the erasure, reaching out to 3rd party vendors, and responding to the EU resident who made the request.
Another interesting use case for AI in a security setting is what’s being referred to in the industry as Security Orchestration, Automation and Response (SOAR). Cyber attackers have automated their weapons and IT security practitioners need to do the same. Splunk’s recent acquisition of Phantom Cyber for $350m is a great example of how big data and security analytics can be integrated with security orchestration and artificial intelligence for IT operations (AIOps).
Conclusion: The Human Element
I’ve been attending the RSA show on and off for about 15 years now. In that time, the IT security industry has matured incredibly. We’ve seen Next Generation Firewalls, the rise of SIEM and Security Analytics and now AI. We’ve seen encryption algorithms embraced, replaced and then re-embraced once more. We have argued about things like the Clipper Chip, Edward Snowden, Sarbanes-Oxley (SOX) and patch management. We’ve seen companies rise and fall. We’ve even had a former White House security expert warn us regarding the likelihood of an apocalyptic Digital Pearl Harbor.
Through it all, the one thing that’s remained consistent is the human element. Good security requires good, smart, well-informed people who are willing to put security first on the priority list and make sure it doesn’t get politicized. Security is a team sport and it doesn’t exist in a vacuum. The most successful security leaders are the ones who can explain in plain English what it is they are doing and why it’s valuable. When you get past all the conceptual firewalls and cryptic technical jargon security is about helping people.
To learn more about the state of data security in organizations today, read Syncsort’s full “State of Resilience“ report.