From the CTO’s Office: Looking Back at RSA 2017

Another RSA Conference has come and gone. Much was announced, much hype was created, and as we all settle back into our daily routines, it’s important to think about what, if anything, will change as a result of the revelations from the conference.

Overall, my impression of RSA was as it normally is: there are far too many vendors. There have always been far too many vendors, but the new and innovative vendors are refreshingly starting to find their place in the security ecosystem. Ultimately, security programs work best when they are coordinated and work seamlessly, sharing information between disparate platforms with ease. Unfortunately, this is much easier said than done. Based on scope alone, few security providers can make the realistic pitch that they can be the central platform for your security machine. Those vendors are limited to large-scale antivirus providers like Symantec and McAfee, or SIEM vendors like IBM and LogRhythm. The key, though, is that the central platform providers not see themselves as the panacea, but understand that in order to fulfill their mission, they must be open to integrating with smaller and more innovative providers. Both Symantec and McAfee have acknowledged this need and committed themselves to meeting it during the last year, a commitment they both loudly reinforced at RSA. This represents a core change from the purely competitive stances taken by the big guys towards the little guys – a “co-opetition” model in which the large providers offer both integrations and competing products. This offers much promise, but is a delicate dance for vendors in the space. Whether the recent noise about the possibility of working together turns into anything meaningful remains to be seen.

Alternative organizations that could lead this space are virtualization platform owners or operating system manufacturers. This is a scary proposition because these organizations have been notoriously closed to making it easy for clients to deploy their security tools in conjunction with provider environments. Well-known companies that grew up allowing third-party manufacturers access to develop on their platforms are now making it increasingly difficult to use external security products. It’s even more concerning to think that the creators of operating systems, which generally have the most known, and exploited, vulnerabilities, want to be the single-source security providers for their customers.

So what about the little guys? Does this mean there is hope for a significant number of them to achieve longevity and growth without chasing the next acquisition? Possibly, but if history serves as a guide, probably not. What it does, though, is lower the barriers to entry for good ideas into the security landscape and pave the way for smart and innovative serial entrepreneurs to solve a multitude of our problems using different startups as a vehicle, which should be exciting to all of us. It also means that organizations will be able to more easily extend the core security initiatives provided by large-scale providers using innovative niche products, assuming the vendors figure out the “co-opetition” piece in a meaningful way, which remains to be seen.

There was also, for the first time since I’ve been going to RSA, a renewed emphasis on programs and processes as more important, and lacking, elements of security programs. I welcome this acknowledgement, but let us not swing this pendulum too far away from the technology component. We need people, process, and technology. Ignoring the role of technology is no less detrimental to our security endeavors than ignoring the importance of people and process. Most people are not in danger of doing this, but the message should not be “technology doesn’t matter” and should be far more about “technology is not the only thing that matters”. The latter represents sound security strategy, while the former represents a fundamental misunderstanding of the interdependence of the three aspects of a successful security program. If you don’t believe me, trade in your iPhone for a ’90s-era Nokia and try to run your security stack off of a Windows 3.1 platform. I promise you, it will not be effective.