It is always an interesting experience hanging out with 60,000 of your closest friends!
This was my third RSA Conference. Somethings never change:
- The insanely crowded show floor causing “road-rage” worthy traffic jams.
- There’s always a “gotta’ have” tchotchke – this year a light-up “He-Man” style sword to broaden one’s light saber collection.
- The never-ending quest to build an exhibit that elicits gasps – a rain wall in one, a theatre façade complete with marquee on another. Multi-story structures with SkyBox-esque meeting rooms.
- Some CISO’s say they never go the Exhibit Halls; others say they only go left or right to the show edges where the 10×10 booths and new products tend to be.
Yet, there was a very different feel to this year’s event. If RSA 2017 was the year of The End Point where nearly every vendor had a desk-top security solution, 2018 was the Year of the Great Acknowledgement. And GDPR. Everyone had a GDPR pitch (including Waratek).
Unlike past years when cybersecurity leaders where focused on network and perimeter security solutions, this year there was a clear acknowledgement of the obvious: traditional solutions alone cannot stop the growing number of cyberattacks. Attendees talked freely about trouble keeping up with enterprise software patches and the fear of being the next company in the media and regulators cross-hairs if they are breached because of an un-patched, but known, code flaw.
Along with the usual rumors of who is going to buy whom, you also heard RSA attendees talking about how established technologies like code testing, and software composition analysis tools only solve half the problem. As good as these tools are, they can only tell you where the problem is. They cannot fix the code and AppSec and DevOps teams want/need both.
There was also talk of Oracle’s pending cut-off for public support of Java 8. Most web applications are still being written in or run on older versions of Java that are already out-of-support or soon will be. You can pay Oracle for patches for some older versions, but the lack of backwards compatibility and pressure to upgrade is clearly frustrating a large number of Java users.
In past years, these issues would have been glossed over or minimized as being low priority or problems that could only be solved the old fashioned way – with fingers on keyboards. Emerging technologies were viewed as too risky or solutions in search of a problem.
Not in 2018. CISOs and other InfoSec leaders came prepared to discuss how to automate their patching cycles using virtual patches without code changes or downtime. Or how to virtually upgrade an out-of-support Java app without touching a single line of source code.
Based on the conversations at RSA, we are on the edge of the tipping point in cybersecurity. This shift may be born of fear and frustration, but the outcome is the same: a major step forward in protecting the company and individual data entrusted to businesses.