NSA Allegations Casting Shadow Over RSA Conference

RSA Conference 2014 attendees will be looking to RSA Executive Chairman Art Coviello to re-establish trust with customers and security industry experts following National Security Agency leaks alleging RSA may have been paid to aid the U.S. intelligence agency's surveillance activities.

RSA, Microsoft and other U.S. technology vendors have denied any role in helping NSA by providing compromised software or software that was easily compromised. But the allegations have provoked a vocal backlash against RSA, including a boycott of the conference by some. The issue has placed a gloomy backdrop against the security conference that aims to highlight a new wave of security startups backed by an influx in venture capital funding, discussions about the security of software-defined networking, new threat intelligence technologies, and behavioral and predictive analytics designed to get one step ahead of cybercriminal gangs. The RSA Conference also is intended to showcase a variety of other emerging approaches for better protecting data, improving threat detection and more efficiently responding to security incidents.

The reason for the controversy around a number of NSA initiatives but around RSA in particular is that it violates a certain trust security professionals have in the company and its products, said Paul Kocher, a noted encryption expert and president of Cryptography Research, a solution provider that is a division of Rambus. RSA is held to a higher standard, Kocher said.

[Related: 10 Innovative Security Startups To Watch In 2014 ]

Sponsored post

"People are incredibly forgiving about accidental mistakes, but they're not so forgiving about anything that might hold a hint of intent," Kocher told CRN. "A lot of people in the audience will be listening for an understanding about what the relationship between the customer and the vendor is and what their relationship as a customer of RSA and RSA as a vendor should be."

Pat Grillo, president and CEO of Atrion Communication Resources, a Branchburg, N.J.-based RSA partner, said Atrion has had two or three RSA business deals on the table since the NSA allegations emerged and hasn't seen any pushback from customers.

"As long as it doesn’t impact our ability to make money with these products and not lose customers I may be personally upset about it, but as a businessman I have to put that aside," Grillo told CRN.

NEXT: IT Security Pros Feel Ill Prepared Against Attackers

Grillo said he uses the RSA Conference to speak directly with senior executives at security firms and discover emerging security vendors that could improve Atrion's growing security practice. Business executives and chief information security officers heading up strong security programs are focused on their task at hand, whether it be reducing risk at an organization or finding technologies that improve on existing security capabilities, Grillo said.

RSA still may have a public-relations issue on its hands that isn't easily solvable, said Wendy Nather, research director for security at 451 Research, a division of the 451 Group. The allegations have eroded trust, she said.

"There is no way that they can legally provide any proof that can change people's minds. They cannot say anything publicly about their contracts, particularly with the government, and neither can anyone else who has that kind of contract," Nather said in a recent press conference previewing the conference. "RSA the company is in a tough place right now and because this is a PR issue it is reflecting on RSA the conference."

Meanwhile, high-profile retail data breaches and continued database compromises show that financially motivated cybercriminals, hacktivists and nation-state-sponsored attackers are having a lasting impact, said Jon Oltsik, senior principal analyst at the Enterprise Strategy Group. Chief information security officers and IT security pros are generally afraid that the controls, technologies and processes they have really don't work well anymore, Oltsik said.

"We have to start talking about enterprise security architectures, standards, middleware, sharing data and more, and those are kinds of things I'm hoping to hear more about at RSA," Oltsik said. "I'm hoping for that kind of intellectual discussion. We need to get there. Our adversaries are better organized and more efficient than we are, so we need to get there quickly."

Oltsik said the majority of enterprises are considering or planning projects to capture security data, store and analyze it to detect threats, uncover weaknesses and potentially predict certain kinds of attacks. The security industry needs to have more practical education, use case discussions and a road map on how to get benefits out of integrated technologies for that purpose, he said.