This year at the RSA Conference a few things showed up for me. First was the real lack of value the conference brings to anyone who is truly interested in security for the sake of making things secure. RSA is jam packed with vendor presentations, flashy displays, and watered down keynotes. I walked away wishing I could get my money back. The networking opportunities are OK, but you never know what you are going to get – could be someone who does security, could be a sales executive – could be Joe Sixpack. I’m seriously looking at where else I can invest my own and my company’s money for those few events we attend each year.
The second thing that showed up for me was how many vendors advertise that their product will make compliance easy. Do people really buy this stuff? Coming from my perspective, a relatively new InfoSec guy in a smaller organization that has never had a formal security organization, there is nothing easy about compliance. I’m sure all these products do their part to make the laborious task of collecting data, auditing data, and enforcing controls a little easier – but do they make the entirety of compliance with something like PCI or SOX easy? You know the answer. What about making things secure!? Is that any easier?
What I saw very little of at RSA was companies that make testing easier. Testing and education are such a small part of these shows but such a huge part of making security successful. I say this because it makes sense to me, not because it makes anything easier. Testing and training and planning are all challenging things and not always all that exciting. It’s hard to have a 50’ booth with 1000 square feet of carpet dedicated to testing and education programs. People don’t buy that – but they should. At the end of the day, it’s your receptionist, your engineers and your janitor who have a better chance of keeping your secrets from walking out the door than your firewall. There are definitely tech solutions which are important and do good things. Defense in depth is important – but don’t forget about the decision makers. The folks who can ask “Who are you? Why are you here?” when someone is where they shouldn’t be. The ones who can question that phone call they just got and look for additional validation.
Checking a box saying you’ve done the right thing and an auditor has observed evidence to that fact is a good thing, but it’s not all there is – you aren’t done! I just hope people see through the hype of a show like RSA and realize security is about more than managing a massive infrastructure of tech tools.