As I write this, I’m waiting for the final keynote of RSAC 2019 to begin—a conversation with actress Tina Fey. I’m not sure what she will be talking about in relation to security, but it is a great way to end what has been a very busy conference.
One of the themes of this conference was to make things better. But what areas of security did the participants at RSAC want to make better? One of my goals on this trip was to discover what RSAC attendees were talking about and what they considered this year’s most important security concerns.
DevSecOps or Zero Trust
On my first day at RSAC, when I asked someone for his biggest security issue, he said I should expect to hear a lot about DevSecOps. Yet the only time I heard anyone talk about DevSecOps was in terms of what types of cybersecurity jobs were in the highest demand (the search for DevSecOps engineers was about the same as the need for cloud security experts).
On the other hand, when I asked someone else that same question on Thursday of the show, I was told, “DevSecOps was so last year.” (And by then, Monday seemed like last year.) “This year,” he added, “it’s all about zero trust.”
That was echoed by several others I spoke with and also overheard on the Expo floor and on the streets on my way from one building to another. However, there was concern that zero trust is being addressed by a one-size-fits-all toolset.
“I heard a lot about zero trust as I visited booths at the Expo,” one woman told me. “But it seemed like all of the products were exactly the same.” Different vendors, of course, but there wasn’t much different between how they approached the problem or the customers they were targeting. If zero trust was a security problem you wanted to address this year, your selections were slim. However, the chatter I heard was an expectation that this will be addressed next year.
Interest Depends on Their Business
I talked to a number of people who said what they considered the biggest security topic of the show was the topic that was most deeply related to their business operations. One woman, for example, said that her company dealt with business communications, so she was visiting vendors and attending sessions that specifically covered security surrounding that issue.
But one business interest that garnered a lot of reaction was how to deal with third-party security risks. Third parties aren’t doing a very good job at sharing security-related information, which is becoming a greater problem now that we need to add data privacy into the mix. One data privacy expert suggested the need for better policing of third parties when it comes to data sharing so everyone is able to stay in compliance. There will be a greater need going forward to ensure that third parties are keeping current with state privacy laws.
Data Privacy Was Present, But Not as Much as You’d Expect
Speaking of new state privacy laws, people were talking about GDPR and CCPA and the progress of the Washington state bill. Nearly every session and keynote address I attended included some element of data privacy, so people were thinking about it. What seemed to be missing, however, was deeper discussion on how data governance and security should work together. One security professional affiliated with a vendor told me that he expected this to be a high-level topic at this year’s RSAC and was surprised at how little he saw surrounding this concern.
The Skills Gap
From a sessions point of view, there was a lot of discussion surrounding the cyberskills talent shortage and the need to find employees. I happened to attend a lot of sessions that either featured the skills gap or had some element of the need for talent, but it was an issue that came up everywhere, sometimes in surprising manners. One of the biggest surprises of the show was the news that cybersecurity vendor Swimlane was kicked out because the company staged a protest to draw attention to the issue of burnout and the talent gap. Burnout and a commitment to mental health was an issue addressed in a keynote from Ann Johnson, corporate vice president, Cybersecurity Solutions Group at Microsoft.
Security and Improv
So, as I finish my writing before I’m kicked out of Moscone West, I have an answer to how Tina Fey fits in at a security conference. Imrprov, it turns out, is a lot like dealing with cybersecurity. Jokes have to be a surprise for them to work, she said. And that’s how attackers operate: They have no rules, they are creative, they want to take you by surprise. Improv, also, means having to come up with a solution on the fly. You have to be able to respond to what is happening when you have no idea what is coming. That’s the rule in improv comedy, and it is a lot of what we have to deal with in security.
Maybe Tina Fey was the perfect ending keynote, after all.