As we look back at another year at the RSA Conference in San Francisco, there was a noticeable absence of the cybersecurity 'WOW-factor.' Yes, the show was as huge, and one might even say overwhelming, as ever. Attendance records were probably broken, and there were numerous very good sessions. Still, surprisingly, government announcements may have been the highlight of the week.
As I was enjoying a meal with a well-known security leader this week in San Francisco near the end of the 2015 RSA Conference, I asked these questions: What do you like on the show floor? What speeches impressed you?
The answer: “Not much, more of the same. Nothing has WOWed me. At least – not yet. ... ”
And I’ve heard similar things from many others. And yet, there is always more to learn.
No doubt, there were numerous sessions, many very good speeches, lots of tutorials, tons of young cybercompanies trying to make a name for themselves, panels on the shortage of cybertalent and plenty of old friends working for new companies or government agencies. There were cyberindustry challenges from keynote speakers, calls to action, scary malware threats, interesting stories, examples of how the Internet of Things (IoT) can be hacked, hands-on workshops and more.
The trouble is, if you have been paying attention over the past several months, you knew much of this already. While I did learn about about promising companies and new technologies, one question for many observers is why this seems to be so much like yesterday. Everyone is looking for a major cyberbreakthrough that may not be coming.
As in other years, the relationship-building and small group discussions were the best part of the RSA Conference for me. The human factor in cyberdefense is essential, and the need for better equipping of our cyberteams and end users is becoming even more obvious to a wider group of executives.
RSA 2015 Headlines and News
So what announcements did grab the news headlines?
- New York Times: “Jeh Johnson, the secretary of the Department of Homeland Security, announced this week that his agency would be opening an office in Silicon Valley.”
- Washington Post: How Internet Security Conferences make you feel unsafe.
- USA Today: “It’s boom time for hackers as cyber sleuths gather ...”
- Computer Weekly: Intel Security head challenges industry (to step up).
- The Register (UK): Point of sale (retail industry) passwords aren’t being changed.
- ABC News (with video): Size and scope of conference and challenges with Jeh Johnson quotes.
"... Security researchers at Cisco have found that 75 percent of all attacks only take minutes to begin exfiltrating data, and more than 50 percent of attacks persist for months or years before they are discovered. ..."
More Details Please
For those who want more detailed summaries of what happened each day, I recommend reading Steve Ragan’s daily summaries over at CSO Magazine. Needless to say, that coverage was wide and deep from Computerworld and other tech magazines as well.
The EE Times offered these eight views of security from the RSA Conference in a slideshow format.
There were plenty of RSA Conference tidbits of cybernews details, like this story from the Cylance CEO on how “Sony hackers targeted employees with fake Apple ID emails.”
CIO Magazine discussed how important it is to have the ear of the CEO to stop cyberthreats. But oops, that story from the former FBI director didn’t come from the RSA Conference, even though it was released this week in D.C.
Dark Reading reported that Michael Daniel, the president’s cybersecurity adviser, is intrigued by the Underwriters Laboratories-type model for IoT security certification.
As far as other government news, I was intrigued by these RSA Conference announcements from the government side.
SC Magazine reported that the recent number of breaches is likely to cause a time of change.
“During a Thursday morning panel at RSA Conference 2015, called “Full Disclosure: What Companies Should Tell Investors about Cyber Incidents,” Ramarathnam, along with Jonas Kron, director of shareholder advocacy with Trillium Asset Management, discussed the growing concerns and sense of responsibility board of directors face in the wake of high-profile breaches, which will indelibly engage investors' attentions.
“Hardly a day goes by without another breach being reported,” Ramarathnam said, explaining that the SEC is tasked with formally overseeing security incidents or issues that would impact the integrity of market systems, customer data protection and disclosure of material information. ...”
The Department of Homeland Security published the remarks from Secretary Jeh Johnson here.
Here’s one excerpt:
“…In Fiscal Year 2014 alone, the NCCIC [National Cybersecurity and Communications Integration Center] received over 97,000 cyber incident reports from the private and government sectors, and issued nearly 12,000 cyber alerts or warnings.
Almost continually, an NCCIC team is in the field, making what is in effect a house call on a company to assess a significant cyber incident and helping them fix it. For certain diagnoses, we bring in more doctors, from the NSA, the FBI, or other agencies, to assist.
The NCCIC identifies numerous vulnerabilities. Last year, across dozens and dozens of departments and agencies of the U.S. government, we identified 265 instances of the Heartbleed vulnerability, and in a three-week period reduced them to two. Last year we helped the private and government sectors address Shellshock, BlackEnergy, Havex, BackOff Point of Sale, Lenovo SuperFish, and other vulnerabilities. ...”
Chris Ipsen Named SC Magazine CSO of the Year
I always learn a lot by seeing who wins the SC Magazine awards, and this year was a very good year for FireEye, being named best security company of the year.
I was also very happy for my friend Chris Ipsen, former CISO from Nevada, for being selected CSO of the Year. This was the third time that a state CISO was selected over the past eight years, with former California CISO Mark Weatherford and myself winning back in 2010 and 2008, respectively. (I see this as a boost for state government security professionals all over the country who work so hard.)
I also encourage readers to review the other award-winners in each category. The SC Magazine awards are viewed very highly in the industry.
In conclusion, this year’s RSA Conference 2015 was another major cybersecurity industry event, and I fully suspect that next year’s event will be even bigger as the industry continues to grow. There is always plenty to learn in the cybercommunity, so if you have never been to an RSA Conference, start planning now to attend in 2016.
Note: All photos by Dan Lohrmann