The Center for Education and Research in Information Assurance and Security (CERIAS)

The Center for Education and Research in
Information Assurance and Security (CERIAS)
Center for Education and Research in Information Assurance and Security

Another year, another RSAC

Sunday, March 06, 2016 by spaf
in General
Share:

I have attended 10 of the last 15 RSA conferences. I do this to see what’s new in the market, meet up with friends and colleagues I don’t get to see too often, listen to some technical talks, and enjoy a few interesting restaurants and taverns in SF. Thereafter, I usually blog about my impressions (see 2015 and 2014, for example).I think I could reuse my 2015 comments almost unchanged…

There have been some clear trends over the years:

  • The technical talks each year seem more focused on superficial approaches and issues: there seemed to be less technical content, at least in the few I observed. This goes with the rather bizarre featured talks by cast members of CSI: Cyber and Sean Penn — well known experts on cyber. Not. (Several others told me they thought the same about the sessions.) Talks a decade ago seemed to me to be deeper.
  • This matches some of what I observed at booths. The engineers and sales reps at the booths have little deep knowledge about the field. They know the latest buzzwords and market-speak, but can’t answer some simple questions about security technologies. They don’t know people, terms, or history. More on this later.
  • There is still an evident level of cynicism among booth personnel that surprised me, but less than last year.
  • There seemed to be more companies exhibiting (both sides of Moscone were full). There also seemed to be more that weren’t there last year and are unlikely to be around next year; I estimate that as many as 20% may be one-time wonders.

This year showed some evidence of effectiveness of new policies against “booth babes.” I talked to a number of women engineers who were more comfortable this year working at the booths. A couple indicated they could dress up a little without being mistaken for “the help.” That is a great step forward, but it needs reinforcement and consistency. At least one tried to come close to the edge and sparked some backlash.

As I noted above, the majority of people I talked to at vendor booths didn’t seem to have any real background in security beyond a few years of experience with the current market. This is a longer-term trend. The market has been tending more towards patching and remediation of bad software rather than strong design and really secure posture. It is almost as if they have given up trying to fix root causes because few end-users are willing to make the tough (and more expensive) choices. Thus, the solutions are after-the-fact, or intended to wrap broken software rather than fix it. Employees don’t need to actually study the theory and history of security if they’re not going to use it! Of course, not everyone is in that category. There are a number of really strong experts who have extensive background in the field, but it seems to me (subjectively) that the number attending decreases every year.

Related to that, a number of senior people in the field that I normally try to meet with skipped the conference this year. Many of them told me that the conference (and lodging and…) is not worth what they get from attending.

(As a data point, the Turing Award was announced during the first day of the conference. I asked several young people, and they had no idea who Diffie and Hellman were or what they had done. They also didn’t know what the Turing Award was. Needless to say, they also had no idea who I was, which is more or less what I expect, but a change from a decade ago.)

As far as buzzwords, this year didn’t really have one. Prior years have highlighted “the cloud,” “big data,”, and “threat intelligence” (to recap a few). This year I thought there would be more focus on Internet of Things (IoT), but it wasn’t. If anything, there seemed to be more with “endpoint protection” as the theme. Anti-virus, IDS, and firewalls were not emphasized much on the exhibit floor. Authentication of users and apps were. Phishng is a huge problem but the solutions presented are either privacy invasive or involve simulated phishing to (allegedly) train end users. Overall, I didn’t see much that I would consider really novel.

There was one big topic of conversation — the FBI vs. Apple encryption debate. There were panels on it. Presenters mentioned it. It was a topic of conversation at receptions, on the exhibit floor, and more. The overwhelming sentiment that I heard was on Apple’s side of the case. (Interestingly, I recently wrote an editorial in CACM on this general topic — written before the lawsuit was filed.)

Overall, I spent 4 days in SF. My schedule was fairly full, but I left this time with the sense that I hadn’t really spent all that time usefully. I did get to see some friends and former students. I got a fresh supply of T-shirts. I picked up literature for our campus CISO. And I have a few leads for companies that may be interested in donating product to CERIAS — or joining our partner consortium. If a few of those come through then I may change my mind.

If you attended the conference this year, leave a comment with your impressions.

Tags for this post: Apple, application-security, big data, booth babes, CERIAS, cloud, conference, conference, cryptography, cyber security, firewalls, history, intelligence, malware, phishing, privacy, RSA, rsa conference, security, software

Leave a comment (6 so far) »

Comments

Posted by Scott
on Sunday, March 6, 2016 at 11:36 PM

Kinda scary.  I am not a security guy by any means but I do have Practical Unix & Internet Security along side Bishops’ Computer Security.  To me that’s like basic blocking and tackling.  Crawling back to home in the Cretaceous Period now.

Posted by Stefan
on Monday, March 7, 2016 at 04:33 AM

That’s about what I feared. So looks like I’ll continue to avoid it.. grin

(Yes, they should have known who you are.. :-> )

Posted by Becky Bace
on Monday, March 7, 2016 at 02:56 PM

I feel better about not having put out the funds for the full conference (it’s a lot more fun actually talking with the -real expert - presentors about what they would have liked to have said on stage grin)  The admittedly limited hike through the Expo was discouraging - it seems that the lack of expertise in the area has produced a lot of products that are time warped from a decade ago - indicating to me that there’s a lot of clueless investment funding going on.

And yes, they all should have known who you are (and at least recoiled in terror - or giggled) grin

Posted by Juan
on Tuesday, March 15, 2016 at 04:14 PM

Kinda scary.  I am not a security guy by any means but I do have Practical Unix & Internet Security along side Bishops’ Computer Security.  To me that’s like basic blocking and tackling.  Crawling back to home in the Cretaceous Period now.

Posted by Andrew Smallwood
on Wednesday, March 30, 2016 at 09:55 PM

I feel like big data has been in the spotlight for a few years now, at least 5.  I think “one” reason that it’s still there, and I citing one reason so don’t jump all over me.  I think most people don’t understand that term and just throw it out there because they can or because it sounds cool.  It’s “BIG”.  If it had a name like mysql or postgress in front of it, it wouldn’t be such a hot topic.  Just my 2 cents.

Andrew

Posted by Dom
on Thursday, April 7, 2016 at 08:04 PM

I feel better about not having put out the funds for the full conference (it’s a lot more fun actually talking with the -real expert - presentors about what they would have liked to have said on stage grin)  The admittedly limited hike through the Expo was discouraging - it seems that the lack of expertise in the area has produced a lot of products that are time warped from a decade ago - indicating to me that there’s a lot of clueless investment funding going on.

Leave a comment

Commenting is not available in this section entry.

Previous entry »

« Next entry