What’s been the buzz at the RSA Conference? Constant and loud, to be sure, but perhaps a dull roar compared with past years. Seasoned analysts, vendors and delegates all note that attendance is down, no doubt due to a decrease in travel budgets mandated by the recession. For those here, of course, the number of sessions, keynotes and peer-to-peer meetings meant it’s impossible to see and do everything.
Even so, amidst the hubbub several trends emerged. As you’d expect at a security conference, vulnerabilities in software, hardware and infrastructure have gathered attention, especially for CISOs who are navigating the thicket of regulatory guidance emerging from Washington and statehouses.
Everyone is looking for ways to use software to ease the burdens of compliance. As I’ll argue in a forthcoming article, however, there is an emerging sea change in the way that government agencies, defense contractors and enterprises are approaching compliance that is not rooted in the current suites of compliance software or frameworks.
As my colleague Neil Roiter at SearchSecurity.com reports, secure software development starts before coding begins. Experts here are emphasizing the importance of baking security into software from the beginning, especially for Web applications.
The need for more effective security couldn’t have been made clearer when breaking news came out of The Wall Street Journal about a data breach at the U.S. Joint Strike Fighter program. When news that computer spies had breached the fighter-jet project filtered onto the floor, the NSA booth and the keynote from the director of the NSA, Lt. Gen. Keith Alexander, instantly gained mass attention. According to the story, the intruders copied and removed terabytes of data related to the design and electronics systems of the aircraft. As reported in the story, breaches also compromised the Air Force’s air-traffic-control system. The story follows on the reported penetration of the U.S. electrical grid.
News that Russian and Chinese cyberspies have been probing critical U.S. infrastructure has forced the issue of cybersecurity to the forefront of conversation. Speculation is rampant in the security blogger community that leaks of the compromised systems are helping to build consensus behind the proposed cybersecurity bill before Congress, and in getting more federal dollars for the affected agencies.
As Rob Westervelt reports, “a panel of experts from the Department of Defense, National Security Agency and the Department of Homeland Security agreed that drastic measures are needed to shore up defenses of critical infrastructure and ensure a plan is in place for critical communications in the event of a national emergency.” Read more about why the U.S. government needs a plan to limit Web usage during a security crisis.
Commentary around the data breach and the issues that the NSA chief identified has been swirling, online and off. Just track the #cyberwar hashtag on Twitter to get a sense of the flow.
Security for cloud computing and in virtualized environments continues to be of great interest to attendees as well. The Cloud Security Alliance released a white paper identifying key best practices for secure adoption of cloud computing, many of which have sparked deep discussion in sessions and on the floor. Security for citizens is on the table as well, as panels discussing potential national privacy laws and the impact of new legislation (like the MA data protection law) have shown.
What’s coming from SearchCompliance.com? Look for podcasts with Kodak’s CISO and other security professionals and analysts; an interview with Alan Paller, director of research at SANS; a video with Verizon’s senior vice president of innovation and technology on the company’s data breach research; interviews with CA’s Dave Hansen and McAfee’s Kunz; and a feature on compliance in the cloud.
Make sure to follow @ITCompliance (and, if you like, @digiphile) to get updates directly from the floor at RSA from the past week. As you can see below, there’s plenty of humor and fun to be found here as well. Peace, love and cybersecurity from San Francisco.