RSA Conference: Behind The NSA Fallout, Protestors And Boycotts Lies A Thriving Security Market
Public perception of the security industry and U.S. technology providers may have been tainted by National Security Agency leaks uncovering alleged links to the agency's global surveillance operations, but solution providers who attended this year's RSA Conference say that perception is far from reality.
Business is thriving among security-centric solution providers, they say.
J.J. Thompson, managing director and CEO of security consultancy Rook Security, attended the RSA Conference in San Francisco following a trip to China, where Rook Security is providing security consulting services to firms there. Thompson said the industry fallout has been minimal.
"It doesn't matter if you are in Beijing or Indianapolis, business owners don't want to be among the next big data breach victims," Thompson told CRN. "We all have the same goal of growing our business and protecting our interests."
Solution providers from around the world gathered for the industry's largest security conference last week, which was overshadowed by allegations that RSA, the security vendor behind the annual event, was paid at least $10 million by the intelligence community to support a controversial encryption algorithm that could be used to spy on potential terrorists. Nearly a dozen speakers protested the conference, protesters demonstrated outside the San Francisco venue, and RSA Executive Chairman Art Coviello was booed when he took the stage to officially launch the conference. Outside one area of the venue, protesters raised a red flag equating the alleged RSA-NSA ties. Meanwhile, across the street at another venue, an artist portrayed the conference facilities under the backdrop of flames and a black helicopter.
After William Shatner's rendition of The Beatles' classic "Lucy In The Sky With Diamonds" to a security theme, Coviello directly addressed the elephant in the room, acknowledging the company's close ties to the intelligence community for more than a decade and its early days of needing to grow its encryption business by selling into the federal market, dominated by defense contractors and government agencies with three-letter acronyms. Security firms are working with law enforcement and intelligence-gatherers at a time when cybercrime is flourishing and the guise of cyberterrorism threatens national interests, Coviello said.
Meanwhile, Coviello pointed out how far the industry had come since the conference's 1991 debut, which was attended by a small group of cryptologists. This year's conference was the biggest ever, with more than 25,000 attendees and 400 exhibitors, proving that the security industry is thriving in the face of the NSA allegations.
"In all my years of being in security, I've never seen the state of investment and innovation that I've seen today," Coviello said. "This is all happening none too soon. The expansion of the attack surface and the growing amount of sophisticated malware and other viruses have outpaced conventional controls."
The chorus of boos and polite round of applause were replaced by sustained hand-clapping from the audience following Coviello's keynote. Attendees were pleased that he addressed the issues and called for a global ban on cyberwarfare and a discussion of the establishment of norms for nation-state-sponsored cyberespionage operations.
"Security is more important to businesses than ever," said Pat Grillo, president and CEO of Branchburg, N.J.-based Atrion Communication Resources, who attended the conference to visit with the company's vendor security partners over two days last week. Grillo said the exposition floor was so large -- it was split up into separate North and South halls at the giant Moscone Center -- that he had trouble making meetings on time. "We initially only walked through South Hall and you should have seen our faces when we were looking for our meeting location and were told it was all the way in North Hall," Grillo said.
Security vendors saw a growing amount of investment dollars flowing into their coffers in 2013, and the trend is continuing in 2014. At the RSA Conference, Shape Security said its appliance line received an infusion of $40 million in venture funding. Bluebox Security, a mobile security startup that just came out of stealth mode, is backed with $27.5 million in funding. Meanwhile, encryption vendor CloudLock, which launched a new product at the conference, recently said it received $16 million in Series C funding.
Grillo said the investments in emerging vendors, coupled with continued merger and acquisition activity and a growing technology partner ecosystem, have made business lucrative for security-minded systems integrators, but it also has increased costs and complicated deployments. More companies require sales and systems engineers to be certified on their products, Grillo said.
"We could have all our engineers in class all the time and be smart as hell, but then we'll be out of business," Grillo said. "No one would be out there doing work."
Peter Hesse, president of Chantilly, Va.-based Gemini Security Solutions, who has been attending the conference for years, said the attention to cybersecurity has helped him expand his business beyond pure application security. Hesse was pulled away from the conference to attend meetings with a global, Fortune 100 company that recently hired Gemini to help bolster its security.
"Business has been really good," Hesse said. "The focus on security and privacy has gotten everyone in the industry a lot more attention."
International business, however, may be impacted by the fallout from the NSA allegations, according to a variety of officials. At the Cloud Security Alliance Summit, which preceded the conference, Richard Clarke, president of Good Harbor Security Risk Management and one of the members of President Barack Obama's surveillance review panel, said U.S. technology vendors may lose ground to international competitors. Clarke said poor U.S. policy-making gave the NSA, FBI and CIA the ability to conduct operations relatively unchecked. Many foreign nations, including some U.S. allies, are using the fallout as a tool to get lawmakers to create rules that rebuff foreign competitors in favor of businesses that lift their local economies. Politicians in some countries are calling for regulations requiring data be stored within the country's own boundaries, he said.
"There are some governments that want to wave the NSA as propaganda to push their previous agendas for localization," Clarke said. "I don't think I'm going to get into any trouble if I say that NSA and any other world-class intelligence agency can hack into databases even if they are not in the United States," Clarke said.
Lawmakers in Washington are discussing whether recent high-profile retail data breaches and privacy concerns surrounding the NSA revelations should prompt new regulation over cybersecurity and privacy issues. In a session at the RSA Conference about whether privacy and security regulations could fuel or impede economic growth, Jim Lewis, director and senior fellow in the Technology and Public Policy Program at the Center for Strategic and International Studies, said a balance needs to be found. U.S. policy makers need to find the right place between the laws imposed by the Bush administration following 9/11 and the data privacy rules advocated by the European Union.
The president's executive order issued last year may have helped ignite interest in cybersecurity software and new hardware, say experts. It prompted the National Institute For Standards In Technology to create a framework that establishes minimum cybersecurity standards and fosters the sharing of classified information and the protection of the source of the information. The executive order is voluntary but could become a requirement if critical infrastructure businesses take no action. The executive order is a down payment for legislation, Lewis said. It focuses on getting private sector business to better understand the devices connecting to the network, to have a process for implementing security updates, to undertake continuous monitoring and to implement modern authentication processes.
"We've got to find a balance between the requirements of public safety, security and growth," Lewis said. "Too much regulation will kill economic growth, too little will put the country at risk, so it's important to find the middle ground."
The executive order may be behind at least some of the growth and interest in the security market, say solution providers. For Atrion Communication's Grillo, the RSA Conference proved to be too much to take in this year. The security market has grown so much that it may take a larger team or more days to take in all the new technology areas, he said.
"We didn't have the bandwidth to really do what we wanted to do over the two days of our schedule," Grillo said. "I could have used an extra day. Let's hope that the market sustains this kind of growth."
PUBLISHED MARCH 3, 2014