Compliance initiatives are still a huge budget driver for many IT security teams, but rather than focusing on how to comply with them, the core focus at this year's RSA Conference is likely to be on applying security fundamentals and risk-based decision-making. Such a focus is a sign, according to security experts, that the industry may be reaching a new level of maturity.
"The number of very serious security events over the last 12 to 24 months has shown us that security is a lot more than just checking off compliance boxes," Hugh Thompson, chairman of the RSA Conference program committee, told CRN.
The 2013 RSA Conference begins Feb. 26 at San Francisco's Moscone Center, where thousands will gather to listen to security industry executives talk about their product road maps and how those products are needed to address increasingly sophisticated targeted attacks. The event, known more as a place to network with other security professionals, typically showcases emerging security technology trends, but Thompson said the sessions will reflect the nature of many of the latest high-profile data breaches.
"Whenever we find the genesis of these highly targeted attacks, it doesn't begin with a ninja piece of malware; it begins with a person from inside the company who makes a wrong security choice," Thompson said. "Attackers are spending time hunting down people with privileged access and figuring out how to tailor the attack just for them."
Attackers are using poorly configured systems, taking advantage of poor patching practices and stealing valid user credentials to break into corporate networks. Exactly how to establish practices that prioritize and address those fundamental problems is shaping up to be a major focus at the RSA Conference. A number of panel sessions during the four-day event will examine how to gather the right data to make risk-based decisions.
On Feb. 26, a panel of CISOs led by RSA CSO Eddie Schwartz will discuss trends in information risk management.
Then, on Feb. 27, a panel of experts will attempt to explain why companies are still failing to gather and apply meaningful metrics to make decisions in a session appropriately titled "Managing Enterprise Risk: Y U NO HAZ METRICS?"
Big data analytics is also anticipated to be a major theme, Thompson said. Several security vendors, including RSA, The Security Division of EMC, and IBM, have unveiled integrations of the Hadoop software framework with their security appliances.
Experts, however, point out that big data security analytics is still in its infancy. A session led by Forrester Research senior analyst Rick Holland on Feb. 27, "Too Big to Fail: CISO Panel on Scaling Security in the Era of Big Data," will have security executives from several firms attempt to explain why scale matters in detecting threats.
Big data is becoming an overstated marketing term, Holland said, adding that he hopes to get panelists to explain what "big data" means to them and how they are using security data in conjunction with business analytics for operational purposes.
"Big data is when a company is aggregating information and validating information to ensure it is accurate because big data is bad data if the sources that are coming in aren't clean, trusted and parsed," Holland said. "I don't come across a lot of security groups that are actually using the big data solutions for security purposes."