Record Crowd, No Surprises at RSA Conference

By Ericka Chickowski  |  Posted 2008-04-15

This year’s RSA security conference held no fireworks, no new game-changing products and very few surprises—but experts believe the relative lack of excitement was actually a good sign of the overall state of the security field. Held last week in San Francisco, the RSA conference drew a record-setting crowd of more than 17,000 security practitioners, vendor reps, analysts and media members.

“There hasn’t been a whole lot of new stuff to come out of this show, but that isn’t necessarily a bad thing,” said Robert Ayoub, an analyst for Frost & Sullivan. “Security as a field is maturing. I think a lot of what we saw and heard validated things that were predicted at previous years’ shows.”

For example, at RSA several years ago, many experts lamented the fact that too few security chiefs were granted a seat at the “adults’ table” with the CEO and board-level executives, claiming that this level of involvement was the only way for security to be taken seriously within the enterprise. Today, this is finally happening, said Howard Schmidt, president and CEO of R & H Security Consulting LLC and former CSO of eBay and Microsoft.

“We’ve never been in more demand than in the past couple of years,” Schmidt told Baseline at the show. “Those not sitting at the table at least get invited to dinners every once in a while.”

More of the security officers who walked the halls of Moscone last week are reporting directly to their CEOs, and more than ever, their efforts are shifting from technology-centric concerns to matters of business strategy and innovation, Schmidt said. This was reflected in the session offerings, such as one on how to present effectively to a board of directors, and in RSA CEO Art Coviello’s keynote on the role of security in business innovation.

Frost & Sullivan’s Ayoub believes that this directly impacted happenings on the show floor, which mainly spotlighted maturing technologies over disruptive technologies. “We’re definitely seeing security become more integrated into business line decisions, and as part of that, you can’t have an industry that’s completely changing every 12 months and still be tied to C-level decisions,” he said.

Ayoub viewed this year as a validation of information-centric security techniques, particularly of maturing data leak prevention (DLP) offerings meant to stem the tide of high-profile data breaches plaguing enterprises.

Another technology trend apparent at the show was the increased push by infrastructure vendors to decrease the security footprint within the enterprise blueprint and do a better job “baking” security functions into the infrastructure. Vendors like Hewlett-Packard (HP), Microsoft and Hitachi were hawking their efforts to build security into the infrastructure, so that general IT products will work securely.

“For a lot of our customers, security is too complex and too confusing, and it doesn’t necessarily get smaller when you apply money to it,” said Chris Whitener, chief strategist for HP’s Secure Advantage program. “We want to promote this idea of simplifying things. We don’t want to build a separate security management infrastructure—or another security console ‘thingy’ on the side. In most cases, these capabilities should all fold into the infrastructure.”

This ideal model of “baked in” security fits well with the diminished technological role of security managers who are focused on helping the business achieve its goals. “The technology piece of security is becoming part of the day-to-day operations of IT,” said R & H’s Schmidt. “It is even evident in the acquisitions we’ve seen—you know, IBM acquiring ISS, Cisco with all of its acquisitions, Google buying Postini and the list goes on.”

Even so, many in security don’t believe that specialized security technology—and the people in charge of it—will ever be completely eliminated from the IT ecosystem because threats are constantly changing. “If the problem was static, that baked-in solution might solve it, but the problem is not static,” Frost & Sullivan’s Ayoub said.

Besides, even just integrating products with built-in security isn’t as easy as it sounds, said Ed Zeitler, executive director of (ISC)². “I don’t see security technology and security people going away for a while,” he said. “As for the integration of these built-in products, I’ll believe that when I see it. It is a lot harder to do than it sounds.”

This is, after all, why so many IT leaders and security technologists convene every year for RSA. It isn’t for the vendor pitches or the big technology reveals. It is to mingle with like-minded individuals in order to find better ways to practice security in the real world.

As one anonymous security pro told this Baseline reporter after the show, “I have to come every year just to hear about all the best practices, so I can try to put just a little bit more of these techniques in place in real life.”