from Net Politics and Digital and Cyberspace Policy Program

Field Notes From the RSA Conference

CFR Cyber Net Politics

March 7, 2016

Blog Post
Blog posts represent the views of CFR fellows and staff and not those of CFR, which takes no institutional positions.

A couple of nights ago, the strength of the public-private partnership for cybersecurity was on full display. There were senior government officials. There were private sector executives. There were hackers. The only thing different from most such gatherings was the venue--the dance floor at the top of the Sir Francis Drake Hotel. Ah, welcome to RSA 2016.

Having spent a week roaming the floor, meeting for coffee, and attending a few talks, I’d sum up the unofficial theme of this year’s conference as clear-eyed optimism. Fewer vendors are pitching the digital equivalent of Clark Stanley’s Snake Oil Liniment and fewer purchasers are stopping by their booths.

There were more exhibitors this year than last (by about 10 percent) but general agreement that a culling of the herd is coming. Last year, you could not turn around in the bar at the W Hotel without bumping into a VC (and getting a business card out of the exchange); this year, the desperation to get in on the deal has shifted in the other direction.

Without another round of funding, many of these companies are likely to get rolled up or continue to fight on in zombie mode (look for more companies to add “services” tabs next to “products” on their websites). That’s okay, because there is plenty of work to do.

The clear-eyed optimism I detected comes from a belief that cybersecurity is a manageable problem or, more accurately, a narrower set of problems that can be managed. FUD no longer sells. Solutions that integrate into a security architecture and address real threats and vulnerabilities do.

Many of the Chief Information Security Officers and other executives I spoke to have plenty of budget space (“whatever I want”; “never had a request turned down”). The problem is that money alone can’t fix the two most often cited problems: a lack of qualified candidates to fill open positions and legacy systems that are indefensible.

On the skills front, the faint glimmer of hope is not that one more national campaign or community college program will finally start churning out job-ready security operations center (SOC) analysts but that existing SOC analysts can be empowered with tools that can allow them to work faster--crunching data and moving from detection to mitigation in near-real time.

Just about every vendor on the floor has latched onto “machine learning” and “big data.” A handful actually know what those words mean. Yet the potential is clearly there. “I’m not looking for the Terminator; I’m looking for the Ironman suit,” was how one executive put it. Making your existing analysts better (and their jobs less boring) through automation is resonating.

The second problem is harder. It doesn’t take recursive Bayesian estimation to figure out that protecting legacy systems in architectures that were designed without security in mind is an impossible task. Even the federal government has figured that out and launched the IT Modernization Fund to address it.

Yet the same companies that have let loose on the spend for security products are pushing back against upgrades to IT systems that would make them inherently more secure. As the budget for cybersecurity increases, the budget for IT is going down. Moreover, in many firms the most obsolete and vulnerable systems are also the most valuable--money-making trading platforms and operational systems that cannot go down. Messing with them, even for security, is off-limits.

Good executives in this space are advocating for budget for the IT department and working hand-in-hand to argue for operational changes that can improve security. Few are winning the argument. The best hope here lies in the cloud actually delivering on the promise of lower costs and better security. The winners and losers in this space may be determined by who shows up on Cloudera’s partner page.

As we in Washington return to the task of the next year (writing reports for the next President on cybersecurity), we should try to hold on to the clear-eyed optimism of the West Coast. Who knows, but if we do our job right, RSA might go back to looking like CES without government executives taking up space on the dance floor.
