Last week San Francisco became the information security capital of the world for the 2015 RSA Conference. Around 30,000 attendees, mostly security professionals and vendors, descended on the Moscone Center for a week of discussion about the industry and new technologies. With literally too many talks for one person to attend, it’s hard to build a session schedule. Yet, as with any industry conference, there are key themes that arise in sessions, conversations, and the show floor. As a first time attendee who tried to make the most of my first RSA Conference, here are my three key observations on the industry:
A Need for Standardization
As information security and risk management practices mature, many are asking whether the industry needs more concrete standards for a variety of functions. For example, many inquired about the need for a national breach standard notification law during the panel discussion Cybersecurity Legislation: Congressional and Administrative Actions. While some panelists noted that differing state level breach notification laws were merely bureaucratic red tape for businesses, many audience members seemed to express discontent with the current status quo.
In a panel on a very different topic, the need for standardization was also brought up as essential to manage third party software security. During The Coming Revolution: Industry Groups Defining Vendor Assessment Standards the panelists called for a standard around vetting third party software vulnerabilities. Working with SAFECode, the panelists along with other industry experts presented a basic framework for businesses to better standardize their approach to software security. They noted that a standard model would take away the power struggles that define the current system: small software vendors jump through hoops for large companies and large software vendors ignore software security requests from smaller customers. It seems that on a wide range of topics, the community is ready to begin embracing common standards to streamline security and risk management practices.
Vendor Risk (Still) a Top Priority
Third party security was a hot topic at RSA, with a number of discussions focused on the need for better risk management of vendor ecosystems. One of the interesting crowdsourced sessions, Best Practice or Bust: Test Your Approach to Third Party Risk led by James Christiansen, VP of Information Risk Management at Optiv Security, discussed the risks and challenges of building a sustainable VRM program. He highlighted the fact that many companies have absolutely no insight into the security of non-critical vendors. Unfortunately, something as simple as the storing of network credentials, such as the case of Target’s HVAC vendor, can lead to major data loss. Mr. Christiansen called for a “changing of the paradigm” that incorporated a S&P or Moody’s type rating that could give risk managers insight into all vendors and help streamline VRM programs.
Business Alignment is Key
Multiple talks touched upon the need for security professionals to align their actions with the larger strategy of the business. By having a seat at the table, security professionals can better communicate strategic objectives surrounding data protection. At the session The 50 Minute MBA for Information Security Professionals, Branden Williams and James Adamson gave a rundown of how information security professionals can use tactics from other business functions such as marketing, operations, finance and more to align security with overall business goals. A key takeaway was to promote security as a customer initiative and as a competitive differentiator by engaging with Marketing. As a marketer, that’s one assertion I can get behind.
The RSA Conference is an exciting place to hear about changes in the industry and where the security world is heading. As Bitsight grows, we will continue to attend these conferences to promote Security Ratings and learn about challenges facing security professionals today. After a long week in San Francisco, I’m excited to get back to work in Boston!