The Daily Incite - April 4, 2008 - RSA Preview
April 4, 2008 - Volume 3, #34
Good Morning:
OK, last day of prep before the big RSA fiesta starts. I'll be on a
flight out to SFO first thing Monday morning, so I figured I'd do a
special pre-RSA Incite to give all of you heading out to the show
(yeah, the 10,000 vendors and 2 customers) a preview of what's to come.
First of all, set
aside some time in your calendar to come see my session called
"Avoiding the Security Groundhog Day," at 8:30 AM on Thursday. I know,
after all the parties on Tuesday and Wednesday you don't want to get up
early. But when are you going to get to see me, Ron Woerner, the
Mogull, Dave Mortman, and Captain Privacy on the stage at the same
time? If you want to hear my thoughts on the session, I
recorded a podcast with the RSA folks
to discuss why I think the session is important.
So what's with the RSA conference "theme"? Why do the RSA people even
care? Does Interop have a theme? No, besides networking your stuff.
Does the VMware conference have a theme? Who the hell is Alan Turing
anyway? And even if RSA wants to say "Turing Lives," we all
know he's been dead for 50 years.
You know they are stretching when this is the money quote from Turing: "We can only see a short distance
ahead, but we can see plenty there that needs to be done."
Churchill he is not.
I know how all of this started. Basically Jim Bidzos was trying to make
the conference a little distinctive. A bunch of crypto heads sitting in
a room talking about prime numbers and factoring isn't very sexy. So
they came up with a theme each year to distract us from the fact that
it was a bunch of digit heads rubbing their antennas.
Now they have to keep coming up with new themes, which get stupider and
less relevant every year. Maybe next year's highlighted theme will be
physical security. And then they could get buttons with Attila the Hun.
I hear he had a pretty good security detail.
For me, RSA is a lot of fun. Keep that a secret because the Boss thinks
I'm working hard at these shows. Actually the schedule is brutal. 7 AM
breakfast meetings and I don't stop until the wee hours, usually at the
W bar. I'm doing 3 formal conference sessions, 2 panels (I'll be at the
Shavlik booth speaking with Eric Schultze about PCI on Tuesday at 2 PM
and Thursday at 11 AM), and over 20 meetings. Yes, brutal.
I'm an information junkie, so there is nothing better than drinking
from the firehose. Information, tidbits, gossip, and other data points
come flying at me. The biggest problem is that my schedule doesn't
allow me to really attend any of the sessions unless I'm speaking. I
know there are a bunch of good ones that I'd like to see. I also don't
have a lot of time to roam the show floor. But alas, it's better to
have a lot of demands on my time than not a lot. So I'll take it.
FYI, I'll try to do an extended laundry list of RSA activity in lieu of
full Daily Incites next week on Tuesday, Wednesday and Thursday
mornings. I'm sure I'll also get pulled into a few "Live from RSA"
videocasts and podcasts as well. The hope is that you'll be seeing a
lot of me next week, but no promises.
Have a great weekend and I hope to see you at RSA. If you see me (and
I'm not running to a meeting I'm late for), please come up and
introduce yourself. I usually don't bite and just got my rabies shot.
Top 3 RSA Themes
Virtualization Security
So what? -
Yes yes, virtualization security will be everywhere at this year's RSA.
New companies will be announced, new products will be discussed, old
products will be "virtualized," and everyone will be worked up into a
lather about the hypervisor and making sure it's safe and sound. And as
with every other over-hyped topic at every year's RSA, it will be much
ado about nothing. Not that the topic isn't important, I've discussed
that lots of times. But the focus and hype that you'll see is a
mismatch to the real threat. I do think that 2009 will be even worse
from a virtualization security hype standpoint, but starting this year
you'll need a machete to cut through the hype.
GRC
So what? -
You didn't think I'd forget about compliance did you? Of course, it's
not called compliance anymore - it's now all about Governance, Risk and
Compliance - or GRC. So you'll have every vendor that used to do a
thing called security management positioning themselves in this vast
unclaimed land called GRC. The reality is I hate this constant renaming
and reshuffling of the cards to try to gain a marketing edge. I know
that's how the game is played and I spent a long time playing it. Now I
can just make fun of it. You'll probably see a lot of folks talking
about PCI as well. With Hannaford Brothers hot on the minds of
everyone, vendors will continue talking about how their stuff helps
keep the credit card receipts flowing and protects the data. They'll
also be telling you about how "easy" it is if you use their magic
elixir. They'll be lying, but that's OK. If they know that you know
that they are lying, it's OK. And you know they are lying, right?
Security in the cloud
So what? - I
also expect a lot of activity around security services. There'll be new
deals announced (MSS consolidation is alive and well), but I also think
a lot of the vendors are going to be doing one of two things (or maybe
both). They'll be spinning their products as service offerings. The
bigger vendors are doing this already. They understand that a lot of
stuff can be done in the cloud now and customers increasingly want to
do that, so forcing customers into an on-prem solution isn't the best
way. It's all about customer choice. You'll also have a number of
vendors positioning their equipment to help emerging MSS players to
roll out services. This kind of "enabling" function makes a lot of
sense as well. This security outsourcing thing has left the station,
and you'll hear a lot about that as well.
What you won't see: Innovation
So what? - I
remember distinctly leaving RSA 2007 and reflecting on the fact that
there really wasn't a lot of innovation. Security had become an
industry. Probably pretty slow growth and not a lot of innovation. I
expect the same this year. Everyone will be trying to paint their
latest widget as new and exciting, but the reality is we are moving the
boxes around. Maybe a little faster, maybe a little incrementally
better - but it does feel a bit like moving deck chairs around on the
Titanic. The bad guys are the iceberg and we keep talking about how our
ships cannot be sunk. It is what it is, but at least we can acknowledge
it. It's been quite a while since something really innovative has made
waves at an RSA conference. And sadly enough, it may be quite a while
until we see that again.
The Laundry List (other "hot" topics)
- NAC - Let's play a joke on the NAC vendors. Go to their booths and yell "BOOM!" really loud. See how they jump. That's a pretty shell-shocked business right now, which is just the market adjusting hype and reality.
- DLP - The DLP folks seem to have learned from their NAC brethren about the hazards of over-hyping their market. So I suspect the DLP folks will be lying low and focusing on partnerships and being acquired (for the independent ones anyway).


