It’s the End of Our Field as We Know It
(And I’m Doing Fine)
R.E.M. wasn’t at RSA to my knowledge, but I could not help but reflect on their song while I was there. RSA is still the world’s largest security conference. Once a year, security practitioner’s pilgrimage to San Francisco. At one time, I am sure this was an opportunity for security leaders to assess their risk and look for key opportunities to mitigate it with technologies’ best. However, my experience this year was far from that rich history.
To be clear, I enjoyed RSA and had excellent conversations. I wish to go again next year as the access to other business professionals is second to none. But as I reflected on the cyber security industry and how RSA represents it, I could not help but lament.
Today’s RSA is much more a swag grab fest than it used to be. Vendors fill their booth with marketing distractions, bright lights, and swag upon swag. Just short of T-shirt cannons and dance teams, RSA to me is representative of my greatest frustrations with the security field.
Security professionals have always been defined by their ability to identify, articulate, and manage risk. This discipline is at the core of security professionals and cyber security technologists are no exception. Security professionals have moved from managing risk to managing security controls; from managing controls to managing only their budgets. We find ourselves now in an industry of security technologist who solely focus on getting more and more budget to buy more and more widgets. What happened to managing risk? Why have we strayed so far away? And what can we do about it?
I suggest the only remedy is a hard U-turn back to the core of our discipline. Every time we as security technologists discuss our budget plights, we need to ask ourselves if our risk has been accurately quantified, and how best to manage that risk through transfer, acceptance, or mitigation. Most cyber organizations have completely abandoned this discipline. Rather than developing a security strategy around risk management, their security strategy is a vendor procurement roadmap. This has become so prevalent that most organizations do not even attempt to catalog or quantify their risks. The RSA conference seems to enforce this error – and make it easier to get distracted by the shiny lights, swag, and marketing material.
Those of us in the field who enforce the fundamental disciplines need to encourage our peers to course correct. There is still opportunity to improve our posture when our budgets have declined. We can still mature our security programs without buying every technology by Gartner and Forrester. It may be the end of our field, but we are doing fine.