Compliance initiatives are still a huge budget driver for many IT security teams, but rather than focusing on how to comply with them, the core focus at the RSA Conference could shift to applying security fundamentals and risk-based decision-making. Such a focus is a sign, according to security experts, that the industry may be reaching a new maturity level.
"The number of very serious security events over the last 12 to 24 months has shown us that security is a lot more than just checking off compliance boxes," Hugh Thompson, chairman of the RSA Conference program committee, told CRN.
The 2013 RSA Conference begins Feb. 26 at San Francisco's Moscone Center, where thousands will gather to listen to security industry executives talk about their product road maps and how those products are needed to address increasingly sophisticated targeted attacks. The event, known more as a place to network with other security professionals, typically showcases emerging security technology trends, but Thompson said the sessions will reflect the nature of many of the latest high-profile data breaches.
"Whenever we find the genesis of these highly targeted attacks, it doesn't begin with a ninja piece of malware, it begins with a person from inside the company who makes a wrong security choice," Thompson said. "Attackers are spending time hunting down people with privileged access and figuring out how to tailor the attack just for them."
Attackers are using poorly configured systems, taking advantage of poor patching practices and stealing valid user credentials to break into corporate networks. Exactly how to establish practices that prioritize and address those fundamental problems is shaping up to be a major focus at the RSA Conference. A number of panel sessions during the four-day event will examine how to gather the right data to make risk-based decisions.
On Feb. 26, a panel of CISOs led by RSA CSO Eddie Schwartz will discuss trends in information risk management.
Then, on Feb. 27, a panel of experts will attempt to explain why companies are still failing to gather and apply meaningful metrics to make decisions in a session appropriately titled "Managing Enterprise Risk: Y U NO HAZ METRICS?"
Big data analytics is also anticipated to be a major theme, Thompson said. Several security vendors, including RSA (the security division of EMC) and IBM, have unveiled the integration of the Hadoop software framework with security appliances.
Experts, however, point out that big data security analytics is still in its infancy. A session led by Forrester Research senior analyst Rick Holland on Feb. 27, "Too Big to Fail: CISO Panel on Scaling Security in the Era of Big Data," will have security executives from several firms attempt to explain why scale matters in detecting threats.
Big data is becoming an overstated marketing term, Holland said, adding that he hopes to get panelists to explain what "big data" means to them and how they are using security data in conjunction with business analytics for operational purposes.
"Big data is when a company is aggregating information and validating information to ensure it is accurate because big data is bad data if the sources that are coming in aren't clean, trusted and parsed," Holland said. "I don't come across a lot of security groups that are actually using the big data solutions for security purposes."
Mobile security is expected to be a core theme at the RSA Conference as well, prompted by the increased interest of IT security pros in gaining control and visibility into corporate data on smartphones and tablets in the workplace. Two notable sessions include a presentation Feb. 26 by Troy Lange, a mobile security expert at the National Security Agency, who will identify the security gaps in mobile devices and what the industry can do to create a more secure ecosystem.
A session on Feb. 28, "Mobile Security Battle Royale," will pit several prominent security researchers against each other, debating the security merits of each mobile platform.
Companies are struggling with BYOD and ways to enforce mobile security policies. The idea that IT practitioners can simply deploy technology to gain control over the influx of mobile devices is overstated, said Ramon Krikken, a research vice president at Gartner, in a conference call with reporters this week. Organizations are evaluating mobile device management platforms -- there are dozens of them vying for business -- but costs and perceived maintenance burdens may be hindering adoption, Krikken said.
"They're coming to the conclusion that it's too heavyweight or it doesn't do what they quite want it to do," Krikken said.
Massive password breaches and identity theft are expected to breathe new life into the topic of identity management at the conference, Thompson said. The topic faded in the past and strong submissions on identity management got filtered into other session tracks, but this year the conference program committee brought the track back. Weak and default passwords plague the Internet and are easy pickings for cybercriminals, Thompson said.
"It's not just about the password, but the way we choose to architect how we authenticate someone at a distance that is becoming an issue," he said.
Steve Werby, an information security consultant and formerly the CISO at the University of Texas at San Antonio, will present his project to gather, assess and rate password policies and controls from the top 10,000 websites in his session, "Crunching The Top 10,000 Websites' Password And Controls." A panel of experts led by Wired reporter Mat Honan, who wrote about his personal experience with identity theft, will discuss security measures such as VPNs and two-factor authentication in a session titled "Think a Password is Going to Protect You? Think Again." Both sessions are scheduled for Feb. 28.
PUBLISHED FEB. 19, 2013