RSA 2018: Back to Basics?

"As RSA yielded a plethora of data about the continued failures of cyber basics, we’re left to process just how difficult this domain truly is."

With RSA Conference 2018, the world’s largest cybersecurity gathering, just wrapped up, people are asking me about this year’s big conference take-away. Past RSA events have often seen one or two blockbuster storylines dominate the show. This year that wasn’t the case. In the absence of major news or distractions, what I did hear instead was a frequent but low-key refrain of “That means it’s back to basics this year.”

This probably says something about security headlines’ numbing effect, because “back to basics” is a tall enough order at any time. What does this really mean? Controlling data exposures? Understanding the attack surface? Educating the Board? Practicing incident response? The relentless evolution of technology, data and risk factors introduces constant change, making all of these “basics” difficult. In reality, nothing is “basic” in cybersecurity anymore. Even the RSA conference mobile app leaked user data.

Research and presentations stirring chatter at RSA bear this out. Digital Shadows, a firm specializing in digital risk management, released a widely covered report illustrating the staggering scale of sensitive corporate data that is left exposed to the public internet, due to misconfiguration errors with cloud services and other tools. Their research showed that 1.5 billion sensitive files, from pay stubs to medical scans to patent applications, are freely available on the open internet to anyone with minimal technical knowledge. This type of research illustrates the challenges with the “basics” of recognizing where your data resides and the footprints it leaves behind.

You would think deploying well-known, market-leading security products is a “basic” step, but the expo floors in RSA’s cavernous halls are overwhelming, with many vendor promises sounding the same. NSS Labs released their latest, independent Advanced Endpoint Protection (AEP) Group Test during the show, revealing the stakes and complexity of security buying decisions. Plotting 20 vendors’ performance along axes of security effectiveness and total cost of ownership (TCO), the study revealed how the right product for your organization depends on a host of changing variables, from the size and nature of your business to the types of complementary security controls you have in place.

Data breach and privacy headlines involving Facebook, Panera and Saks Fifth Avenue drive healthy board and C-Suite awareness of cyber risk. However, the RSA talk “Inside Cyber-Balance Sheets: A Rare Window on Digital Risk in the Boardroom” used real-world input from board officers and CISOs to illustrate how elevated cyber risk awareness can become counterproductive in the boardroom, if security pros and business leaders do not take time to understand each other’s communication styles, backgrounds and roles handling risk. No different from the technology issues underpinning cybersecurity, frank and informative business leadership on the issue hinges on knowledge and dispelling assumptions.

As RSA yielded a plethora of data about the continued failures of cyber basics, we’re left to process just how difficult this domain truly is. The constant change in IT and the organizational behaviors tied to it greatly affect levels of risk; the enormity of the challenge is unprecedented.

The other enormity is RSA itself. With more than 42,000 attendees, this year’s conference offered seven keynote presentations, more than seven hundred speakers across five hundred and fifty sessions, and over six hundred exhibitors in the expo halls. Even as this mega-event continues to grow, paradoxically it feels less accessible each year. For vendors, the challenge of standing out becomes more difficult. So how do you make RSA worth the significant investment in time, travel and other participation costs?

As we have noted before, the key to adapting to RSA’s growth is to be more strategic in your approach. Forget trying to top last year’s total number of media and analyst interviews, and zero in on your strengths – the most important security trends and themes for your business. I watched many clients and contacts benefit from seeking out a more practical and beneficial level of in-person conversation with influencers following these topics. In a show that feels like it takes over the entire city of San Francisco with booths, product claims and advertising, face-to-face relationship-building still yields enduring results—if you are realistic about what does and does not work during RSA’s week-long cybersecurity festival.

As always, the most enjoyable part of RSA was catching up with friends and former colleagues from my almost 20 years as a communicator in this field. Every RSA we talk about the days when cybersecurity was a niche issue, hardly registering in the mainstream media, and how the business, societal and geopolitical stakes of cyber are only growing—which means RSA is only going to get larger.

What caught your eye at RSA this year? Reach out on Twitter @TomResau or @W2Comm.

Tom Resau is Senior Vice President of W2 Communications’ Cybersecurity and Privacy Practice.