Pre-show on the third day of RSA: I watch TV with amusement as U.S. House Representatives struggle to enunciate cyber terms trying to get them read into the record on cyber amendments on sharing incident information. This is in sharp contrast to a few years back when they could scarcely pronounce them, and that same sense seems to pervade the halls of RSA – people are starting to consider security mainstream in their conversations.
No longer just the purview of those with questionable hygiene and aspirations to someday move out of mom’s basement, security has made it to the boardroom – even if not all of the board fully understand what it means just yet, they know it matters. No longer is security a sideshow process only tangentially related to your core business; in many cases it IS your business – or at least it means people understand that if you have a cyber incident, you have a big problem that matters.
I scoured the halls for hacker types. In fact, I mean, aside from some obviously identifiable show-goers with hacker garb, the displays target more the manager sorts who talk about things like risk mitigation and less about grepping logs and tweaking regex to do your bidding. Security is changing. Sure, the swag is good this year, and (by last count) my hacker shirt count hovers around 100 (minus a few hacker t-shirt casualties at the hands of the washer), but apart from squishy balls and flashlights, many vendors here target customers willing to spend $100K to make hackers just go away from their networks -- customers who never intend to touch the command line and dig in themselves.
I guess maybe that’s just the progress of the industry. People want a box that just does stuff to thwart hackers, even if it costs more than you got paid the first year in your first tech job; or at least they want to feel like it *might* stop the hackers. The vibe is that corporate customers are sick of dealing with it, so they're looking for a big pretty button to make hackers die in a fire, or at least look for some other network to hack, thank you.
The good news is that vendors who now understand this are working on appliances with big pretty buttons, things that produce slick printable reports that can be paraded to the boardroom to bolster the perceived wisdom of spending $100K, sort of insurance in a box. And I guess making security simpler is something we’ve all been trying to do for some time. Maybe we’re getting better at it. But we still can’t explain this stuff to our grandmother, so are we there yet? No, but hopefully very soon she’ll have a pretty box with some solid tech that can keep her safe without her having to know how to re-compile and harden a kernel, or even that her machine HAS a kernel, like, not the food type.
And maybe this is progress, I mean, people who drive performance cars don’t really have to understand the difference between caster, camber and toe-in to know that their car was hopefully designed to not suddenly try to run off the road in a corner when it hits a bump, so maybe compartmentalizing good security isn’t all bad. Oh, and I picked up another couple hacker shirts.
For more on the trends spotted by ESET researchers at RSA Conference 2015, see Stephen Cobb's post.