RSAC 2019: Tracking the state of cybersecurity

John P. Mello Jr., Freelance writer

Next week, more than 40,000 members of the security community will arrive in San Francisco to attend the annual RSA Conference, now in its 28th year. There, they will find a smorgasbord of speakers, sessions, and an expo where hundreds of companies will be displaying their wares.

Each year, conference organizers emphasize a theme for the mammoth gathering. This year's: "Better."

"When it comes to cybersecurity, what defines better?" RSA Conference organizers ask. "New tools for building stronger walls? Sharper algorithms for predicting risk? AI and machine learning to help outsmart cybercriminals? That's certainly part of it," they continue.

"Technology always has to move forward. But it's not the only answer."

"Ensuring a brighter future requires all of us—everyone from the C suite to those of us on the front lines—to be better today," they explain. "To stay on top of the latest threats. To put in the extra hours. To make security a top priority."

The most important takeaway from this year's theme: "To help ensure a more secure world so others can get on with the business of making it a better one."

That theme is highly relevant, considering the current security landscape. The war against the black hats is at best a stalemate and, at worst, a losing battle. But how does it square with the real world? Here's a look at the RSA Conference 2019 ahead and how it checks out against the actual state of cybersecurity.

Cops and criminals

The cat-and-mouse game that has plagued security pros is still in play.

David Meltzer, chief technology officer at Tripwire, a cybersecurity threat detection and prevention company, said there were some bright spots in terms of approaches that seem to be reducing overall risk, but that, taken as a whole, the state of cybersecurity is not good.

"Looking at the news over the past year, it doesn't feel like we're making progress against the bad guys. For those of us who have been in security for decades, we should wonder, going into RSA, why isn't security more effective?"
David Meltzer

However, Josh Zelonis, an analyst with Forrester Research, noted that the number of data breaches appears to have leveled off.

"If you use that as a metric, things aren't getting worse. But it's very difficult to say that we're making progress or things have turned the corner, because there are always going to be cops, and there are always going to be criminals."
Josh Zelonis

DevSecOps at the fore

Britta Glade, director of content and curation for the RSA Conference, noted that one of the conference's more exciting subjects will be DevSecOps.

"We've seen fabulous maturity in that area. There are many end-user organizations talking about very specific actions people can take based on lessons learned."
Britta Glade

There are a half-dozen DevSecOps sessions at the conference:

  • DevSecOps Day, when practitioners explain how they made the cultural transformation from legacy development and deployment processes to integrated systems that include security as a part of the process, not as an overseer or bottleneck.
  • "Building Security In," a session about how Comcast focuses on automation, speed, and team ownership during the product security lifecycle.
  • "Protecting the Cloud with the Power of the Cloud," which will showcase Dow Jones' Hammer solution. This helps build self-healing architectures that not only identify security misconfigurations within cloud resources in real time, but also auto-remediate them.
  • "Security Learns to Sprint," which argues that DevOps could be the best thing to happen to application security since OWASP—assuming that developers and operations teams are enabled to make security a part of their everyday work.
  • "Securely Deploying Micro Services, Containers, and Serverless PaaS Web Apps," where DevSecOps expert Murray Goldschmidt explains the key items needed to achieve a secure deployment, from initial build through ongoing continuous deployment.
  • "DevSecOps for the Rest of Us!" discusses the use of scripting and APIs to automate security processes, such as provisioning firewalls and configuring secure baselines for servers.

How AI and machine learning help with security

Artificial intelligence (AI) and machine learning (ML) will also be prominent at the conference, with topics ranging from using AI and ML to beat global threats and manage the risk of lawsuits, to black box interoperability and how to avoid ML disasters.

Automation is an important tool to address the personnel shortage in cybersecurity, said Bryson Bort, CEO of Scythe, a computer and network security company, and a fellow at the National Security Institute.

"Security tools are overwhelming security teams with data. Artificial intelligence and machine learning can move toward fixing that problem."
Bryson Bort

As with any complex technology, it can be difficult to parse vendor claims from deliverables, said John Dickson, a principal at the Denim Group, an enterprise application security consultancy.

"The lack of familiarity with AI is so large that vendors can make any preposterous claim and no one can push back because they don't know the topic that well."
John Dickson

Dickson will be running a session at the conference on vetting vendors' AI claims.

'Shark Tank'-like platform for security innovators

Past RSA conferences offered an innovation-oriented Sandbox Contest. It focused on later-stage startups with a product in market and some revenue. This year, the forum will also include Launch Pad, aimed at companies without revenue that are on the verge of going to market.

"The goal is to create a platform at the RSA Conference that supports entrepreneurs at the earliest stages of innovation by offering feedback and guidance on how to bring those ideas to life through viable companies with potential for scale," Enrique Salem, a partner with Bain Capital Ventures, explained in an RSA Conference blog.

Three companies will be selected for the Launch Pad. They will be pitching their big idea to a panel of venture capitalists (VCs). "They've got 10 minutes to pitch three VCs, 'Shark Tank'-style," RSAC's Glade said.

Launch Pad is a timely addition to the conference, given the state of innovation in the industry. 

"We seem to be hitting a lull in the innovation cycle. We're starting to see a lot of consolidation. Market segments that were popular a couple of years ago are being consumed and offered as features in other products."
—Josh Zelonis

New: A public-interest track

The new public-interest technologist track at RSAC 2019 is bound to attract attention this year. Cybersecurity guru Bruce Schneier, in partnership with the Ford Foundation, will be hosting six sessions on Thursday with topics ranging from "How Public-Interest Technologists are Changing the World," to contributing tech savvy to society, government, and higher education, to "The Future of Public-Interest Tech."

Schneier, CTO of IBM's Resilient Systems and a fellow at Harvard's Berkman Center for Internet and Society, explained in an RSA Conference blog that he thinks of public-interest technologists as people who combine their technological expertise with a public-interest focus. They do this by working on tech policy, working on a technology project with a public benefit, or working as a more traditional technologist for an organization with a public-interest focus.

"Public-interest technology isn’t one thing; it’s many things. And not everyone likes the term. Maybe it’s not the most accurate term for what different people do, but it’s the best umbrella term that covers everyone."
Bruce Schneier

It's a track about giving back, RSAC's Glade said. "Speakers at the sessions will be talking from firsthand experience about giving back to government, to nonprofits, and to an educational entity. It's meant to inspire. It's meant to motivate."

Star power: Tina Fey to cap off the week

RSA Conference planners like to end the week's festivities with a speaker with star power, and this year is no exception. On Friday, comedian, actress, author, playwright, and producer Tina Fey will be talking with RSAC Program Chair Hugh Thompson about several subjects.

"There's going to be some content there that's personally interesting and professionally relevant. You will go away remembering that session."
—Britta Glade

Don't miss the RSA Conference, which takes place March 4-8 in San Francisco. TechBeacon is an official media partner. See our special RSA Conference 2019 coverage here.
