RSA 2016 Recap - Howard Friedman's view from the Expo Floor
I had the opportunity to attend the RSA Conference this past week. As we at Ascent Solutions had a number of our Ascent team at the conference, we decided to make sure that we each viewed the conference through a different lens. For me, I looked for themes and differentiators on the exposition hall floor. After exploring every single booth and spending significant time with almost 100 different exhibitors, I witnessed a few themes: 1) almost everyone assumes the malicious actors can get through your first line of defenses; 2) endpoints and 'uncaring' end-users are a continuing problem for the health of your cybersecurity; 3) Single Sign-on (SSO) has still not been solved to satisfaction.
The first and the third themes were most surprising to me. Theme #1, assuming that malicious actors are already in your company, means that the time and money that your company has spent on defense have been wasted to some extent. How could all of those defenses still consistently allow entities with malicious intent into your company? Could the cause be users and endpoints, theme #2? Looking at where I've personally seen breaches or other cyber issues, all too often the defenses are breached by those internal users who feel they're more secure or above security policies. I saw it when I was in IT - some user groups were more likely to have brought in the problem out of arrogance, for lack of a better word. The most likely culprits were typically in software development, technical engineering, IT administration, or senior leadership, sadly. So for all the money and time spent on building 'castle' defenses, some arrogance or sloppy processes can cause major problems.
That leaves theme #3 - SSO. This has me completely baffled. Being in or around IT for 20+ years, I'm astounded that this issue hasn't been solved. Single Sign-on has been the holy grail from a user perspective since the advent of client/server computing. If you want end-users to be frustrated, require them to have a different logon, password, and portal for everything they do on a day-to-day basis. The harder you make it for people to use 'approved' systems, the more likely they are to stray into 'dark' systems - not out of malice but out of frustration. Next time you look at your systems, think of how many different logins you have. Odds are, if you're in security, you understand and tolerate it. If you're outside of a security discipline, you don't have the same patience or understanding of the potential harm that a 'dark' system may do.
Across the exhibitors, there were many great companies with great ideas. On behalf of our (current and future) customers, we will continue to scour the industry for companies and ideas that will make an impact. We're even kicking off some new partnership explorations.