I am thrilled I was able to attend so many sessions at RSA this year. I learned a lot about the state of the industry, and the things people outside of Veracode are talking about. The expo hall was bustling as usual, and the sheer number of vendors vying for attention tells me this problem isn’t going away anytime soon.
Below are my overall impressions from the conference. I am interested in seeing how things change over the next year and if these same topics dominate the conference next year.
Security and development have almost considered each other adversaries. Security thinks of development as reckless, and development thinks of security as a hindrance. What I learned from the show is that both teams actually have the same goals: produce high-quality software for both internal use and external use. If we in the security industry start discussing security as a quality requirement, and work with developers to determine how best to integrate security testing, our relationship with development will improve. We can’t just mandate security requirements, we need to become partners. When it comes to development and security, we need to make code not war – because security/development peace leads to a secure and on-time release.
I didn’t do a count, but there was an overwhelming number of sessions that touched on the topic of cyberwar or attacks on critical infrastructure. Plus, after spending a few nights reading Fred Kaplan’s book, I’m thoroughly convinced this is an issue that needs to be addressed.
The focus on cyberwar and critical infrastructure brought up another great point – the need for private industry (specifically security companies) and government agencies to cooperate is increasing. As I wrote in a previous post:
In the past, technological advances originated with the government. GPS and even the Internet as we know it today were part of government programs. But now, advances are coming from private industry, and we are outpacing our own government. The government isn’t able to pay security experts or hackers what private industry can. And as a result, the government needs the private sector to help it with security issues. On the other hand, the government has information the private sector can use in its push for security innovation.
Traditionally, industry has lobbied against regulations as a way to improve security. It makes sense, as regulations or compliance rarely improve security, but instead become a checkbox for companies. Companies end up doing the bare minimum and assume that, because they are compliant, they are secure. However, well-thought-out regulations can help improve security, and I saw a shift at RSA this year toward this thinking. It all depends on what the regulations are, and how they are implemented. In the past, Veracode co-founder and CTO Chris Wysopal has called for regulations around breach information sharing. Such a regulation would go a long way to improving our knowledge and decreasing security incidents.
What’s the best part about being a woman at a security conference? No lines for the restroom!
I’m joking of course, but the truth is, the women were greatly outnumbered at this conference – and that’s because they are outnumbered in the industry. I attended two sessions during the conference that dealt with attracting and retaining women in the security industry. Both offered some startling statistics – the security industry is only 10 percent female, and women leave the field at a much higher rate than men.
Security is a monster problem facing industry and governments today. The size and breadth of this conference showed just how big a problem it is. We can’t exclude half of the population from entering the field. I’m not suggesting women are being actively excluded; it isn’t a purposeful campaign against the female gender. However, there is a reason women do not feel welcome.
We need to have deeper conversations about this issue that are better attended than the sessions I went to this year. We need to start thinking beyond providing job flexibility to attract women. That is only one issue, and frankly I think it is an issue men are concerned with too. I’m hoping to see and hear more about this issue before next year’s conference.
Women in security sessions:
It was a great week in San Francisco. There were so many sessions I wasn’t able to attend, but wish I had. I’ll be spending the next few days reading through other people’s posts and observations to see if they had the same conclusions I did, and learn from their perspectives. Isn’t that what RSA is all about?