This week is the annual pilgrimage of security professionals to San Francisco's Financial District for the RSA Conference. While it doesn't have the nerd cachet of Black Hat/Defcon in Vegas, the RSA security conference is one of the largest in the industry, with more than 20,000 attendees and generating dozens of parties. But is the 20+ year-old assembly still relevant in today's grim infosec landscape?
One of the big questions is how much attendance will drop due to the boycott by industry heavyweights protesting RSA's alleged collusion with the NSA: accepting a $10 million payment to include a weakened random number generator in its products. In addition to cancellations by cybersecurity experts Chris Soghoian and Jeffrey Carr, F-Secure CTO Mikko Hypponen withdrew from his appearances at the conference and confirmed the company wouldn't be exhibiting.
TrustyCon, the NSA protest-con held in a nearby movie theater as an alternative event, reportedly sold out within six days. Besides some RSA boycotters, speakers include Jeff Moss and Bruce Schneier. Microsoft, initially involved in TrustyCon, pulled its sponsorship, and Co3 Systems, Schneier's new home, will still make an appearance at RSA's Innovation Sandbox event. Security is still a business, after all. It all seems a bit sad that these revelations came just as the brouhaha over the 2011 data breach of RSA's network -- a breach that led to successful attacks against major defense contractors -- was fading from everyone's memory. Once again, the NSA spoils another party.
RSA exhibit floor represents much of what is wrong with product marketing
The RSA expo floor, one of the largest in the industry with approximately 199,000 square feet of exhibition space and hundreds of vendors, can feel like entering Dante's legendary Inferno. But Virgil is nowhere to be found. It represents everything wrong with product marketing: an assault on every sense, loud with ridiculous vendor tchotchkes and the ubiquitous conference booth babes. If the technology industry wants to encourage more women to enter the field, seeing lots of scantily clad women on the expo floor at a major industry event doesn't help. And rationalizing or ignoring this practice perpetuates a negative stereotype, alienating a significant sector of the population.
But the worst part of this and other security conferences is the schadenfreude that of late seems to permeate them. Last year saw some of history's worst data breaches, such as the Adobe compromise of 152 million accounts and Target's exposure of the personal information of 110 million customers -- a breach that included credit card numbers. Hacking has gone mainstream, and information security is now a common household concern for everyone.
And what does the industry do? It throws a big party with even bigger after-parties, slapping itself on the back in self-congratulation over a job well done. It revels in the recent misfortune, because it means increased sales and budgets. The behavior is sickening, especially considering how often security has its hands out.
Security departments can't pretend to be superheroes
There is a disconnect about security's role. Security departments don't exist to play war games with attackers, glorying in their hacking powers like superheroes and laughing at users' ignorance of arcane exploits. The mission is to protect and serve the organizations that depend on them to safeguard their precious data. In light of the stupendous failures of the last year, the celebratory nature of the RSA Conference seems more like a funeral wake than a party.
Is there anything worth seeing at RSA? Sure, mixed in with the high-level talks focused on generating FUD (fear, uncertainty and doubt) and the marketing propaganda, there's some decent content. In the past, great sessions have been delivered by very talented industry professionals such as Andrew Case, Joseph Menn, Dan Geer and Chris Hadnagy. Unfortunately, most of the excellent substance will probably get lost in the hype.
Recent protests in San Francisco against tech companies by residents feeling ignored and disenfranchised should serve as a wake-up call to an industry out of touch with those footing the bill for its failures. Maybe it's time to stop and take stock before continuing down the slippery slope of hubris. When Adobe fails miserably at following best practices for protecting passwords, when Apple makes a disturbingly amateur gaffe in its implementation of SSL, and when Target has credit cards compromised because it failed to implement the network segmentation required for Payment Card Industry Data Security Standard compliance, this isn't the time for celebrations. It's time for the security community to take a hard look at itself and realize it has failed the people who have put their trust and considerable money into its hands.