Monday, April 21, 2008


Why Enterprise Security still continues to suck...

Industry Guru Gunnar Peterson provides a debrief on the RSA Conference that is a must read...

I am in the same boat as Gunnar. Why would I want to consume my budget just to learn about security products when I could instead attend OWASP events such as OWASP AppSec 2008 in New York City, where real security discussions occur? RSA is only of interest to those enterprise architects who practice productecture and need to be spoon-fed the latest elevator pitch because they aren't capable of comprehending anything else. Folks who attend these conferences are dangerous to the enterprise.

I bet there were lots of industry analysts and media swarming around, though. It is guaranteed that there will be lots of press from industry analysts coming out of the event, but no real innovation.

I have to disagree with Gunnar on one point: I still believe it is true that no one invests in security. The problem, at some level, is that folks are investing in security products rather than in making their existing products secure. For example, all the security vendors came out of the woodwork to demonstrate XACML interoperability, yet none of them demonstrated how to embed XACML into their ECM, BPM, ESB and similar products. Interoperability between policy decision points proves nothing if no application ever asks one for a decision. It is guaranteed that the folks at RSA are working on XACML products, yet they aren't working with their own in-house developers to put XACML support into Documentum.
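To make the distinction concrete, here is what "embedding XACML" in a product like an ECM actually means in code. This is an added example written for this post, not code from any vendor, from Gunnar, or from Documentum: a document checkout path that builds an XACML request context from application state (the user, the document, the action), hands it to a policy decision point, and enforces the answer. The PDP implements only a subset of XACML 3.0 (Policy, Rule, Target, AnyOf, AllOf, Match with string-equal, MustBePresent handling and a simplified deny-overrides combining algorithm); the policy, the `urn:example:ecm:...` attribute id, and the users and documents are all constructed for the illustration.

```python
"""An XACML 3.0-style PDP embedded in an ECM document checkout path (added illustration,
not vendor code). Only a subset of XACML is implemented: Policy > Rule > Target > AnyOf >
AllOf > Match with string-equal, MustBePresent, and simplified deny-overrides."""
import xml.etree.ElementTree as ET

NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
XS = "http://www.w3.org/2001/XMLSchema#string"
STRING_EQUAL = "urn:oasis:names:tc:xacml:1.0:function:string-equal"
DENY_OVERRIDES = "urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides"
CAT_SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
CAT_RESOURCE = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
CAT_ACTION = "urn:oasis:names:tc:xacml:3.0:attribute-category:action"
ROLE = "urn:oasis:names:tc:xacml:2.0:subject:role"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
CLASSIFICATION = "urn:example:ecm:resource:classification"  # hypothetical, application-defined id

# Constructed policy: contractors never touch confidential documents (Deny wins);
# otherwise a checkout is permitted.
POLICY_XML = f"""<Policy xmlns="{NS}" PolicyId="ecm-documents" Version="1.0" RuleCombiningAlgId="{DENY_OVERRIDES}">
  <Target/>
  <Rule RuleId="deny-contractor-confidential" Effect="Deny">
    <Target><AnyOf><AllOf>
      <Match MatchId="{STRING_EQUAL}">
        <AttributeValue DataType="{XS}">contractor</AttributeValue>
        <AttributeDesignator Category="{CAT_SUBJECT}" AttributeId="{ROLE}" DataType="{XS}" MustBePresent="true"/>
      </Match>
      <Match MatchId="{STRING_EQUAL}">
        <AttributeValue DataType="{XS}">confidential</AttributeValue>
        <AttributeDesignator Category="{CAT_RESOURCE}" AttributeId="{CLASSIFICATION}" DataType="{XS}" MustBePresent="true"/>
      </Match>
    </AllOf></AnyOf></Target>
  </Rule>
  <Rule RuleId="permit-checkout" Effect="Permit">
    <Target><AnyOf><AllOf>
      <Match MatchId="{STRING_EQUAL}">
        <AttributeValue DataType="{XS}">checkout</AttributeValue>
        <AttributeDesignator Category="{CAT_ACTION}" AttributeId="{ACTION_ID}" DataType="{XS}" MustBePresent="true"/>
      </Match>
    </AllOf></AnyOf></Target>
  </Rule>
</Policy>"""


def _q(tag):
    return f"{{{NS}}}{tag}"


def _all(results):
    """AllOf / Target semantics: every part must match; a False beats Indeterminate."""
    if all(r is True for r in results):
        return True
    return False if any(r is False for r in results) else "Indeterminate"


def _any(results):
    """AnyOf semantics: one True is enough; all False is False; otherwise Indeterminate."""
    if any(r is True for r in results):
        return True
    return False if all(r is False for r in results) else "Indeterminate"


def _match(match, request):
    des = match.find(_q("AttributeDesignator"))
    bag = request.get(des.get("Category"), {}).get(des.get("AttributeId"))
    if bag is None:  # missing attribute with MustBePresent="true" is Indeterminate, never a quiet False
        return "Indeterminate" if des.get("MustBePresent") == "true" else False
    if match.get("MatchId") != STRING_EQUAL:
        return "Indeterminate"  # unsupported function: fail closed rather than guess
    return match.find(_q("AttributeValue")).text in bag


def _target(target, request):
    anyofs = target.findall(_q("AnyOf"))
    if not anyofs:
        return True  # an empty <Target/> applies to every request
    return _all([_any([_all([_match(m, request) for m in allof.findall(_q("Match"))])
                       for allof in anyof.findall(_q("AllOf"))]) for anyof in anyofs])


def evaluate(policy_xml, request):
    """PDP: returns Permit, Deny, NotApplicable or Indeterminate (simplified deny-overrides)."""
    policy = ET.fromstring(policy_xml)
    if policy.get("RuleCombiningAlgId") != DENY_OVERRIDES:
        raise ValueError("only deny-overrides is implemented in this example")
    applies = _target(policy.find(_q("Target")), request)
    if applies is not True:
        return "NotApplicable" if applies is False else "Indeterminate"
    decisions = []
    for rule in policy.findall(_q("Rule")):
        if rule.find(_q("Condition")) is not None:
            decisions.append("Indeterminate")  # <Condition> not implemented: do not silently ignore it
            continue
        t = rule.find(_q("Target"))
        m = True if t is None else _target(t, request)
        decisions.append(rule.get("Effect") if m is True else "NotApplicable" if m is False else "Indeterminate")
    for outcome in ("Deny", "Indeterminate", "Permit"):  # deny-overrides precedence, simplified
        if outcome in decisions:
            return outcome
    return "NotApplicable"


def ecm_request(user, document, action):
    """PEP, part 1: map the ECM's own objects onto XACML attribute categories."""
    ctx = {CAT_SUBJECT: {}, CAT_RESOURCE: {CLASSIFICATION: [document["classification"]]},
           CAT_ACTION: {ACTION_ID: [action]}}
    if "role" in user:
        ctx[CAT_SUBJECT][ROLE] = [user["role"]]
    return ctx


def enforce(user, document, action):
    """PEP, part 2: only an explicit Permit lets the operation through; everything else is denied."""
    decision = evaluate(POLICY_XML, ecm_request(user, document, action))
    if decision == "Permit" and action == "checkout":
        document["checked_out_by"] = user["id"]  # the protected ECM operation
    return decision


# Constructed sample users and documents
EMPLOYEE = {"id": "alice", "role": "employee"}
CONTRACTOR = {"id": "bob", "role": "contractor"}
NO_ROLE = {"id": "mallory"}  # subject with no role attribute at all
SECRET = {"id": "doc-1", "classification": "confidential"}
PUBLIC = {"id": "doc-2", "classification": "public"}

if __name__ == "__main__":
    for u, d, a in [(EMPLOYEE, SECRET, "checkout"), (CONTRACTOR, SECRET, "checkout"),
                    (CONTRACTOR, PUBLIC, "checkout"), (NO_ROLE, SECRET, "checkout"), (EMPLOYEE, PUBLIC, "print")]:
        print(u["id"], d["id"], a, "->", enforce(u, dict(d), a))
```

The part worth noticing is the PEP, not the PDP: the product has to know how to turn its own users, documents and operations into attribute categories, and it has to treat NotApplicable and Indeterminate as a refusal, not as "no rule objected". A missing role attribute above produces Indeterminate on the deny rule and that overrides the Permit, which is exactly the fail-closed behaviour a standalone XACML product demo never has to show because it never touches a real application.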

Gunnar is 100% accurate here, as there is no body of knowledge that one even needs to know before labelling oneself a security architect. The funniest of observations is that there are many security professionals who on one hand acknowledge that security should be implemented in layers, and likewise that you need to protect both at the infrastructure level and the application level, yet on the other hand have never written one scintilla of code in their lifetime. Maybe we have to work harder to convince these folks that they aren't doing security but are only doing network hygiene.

I normally don't provide public endorsements of anything or anyone, but if you haven't taken one of Gunnar's courses and you consider yourself a security professional, then you need to smack yourself silly, as the opportunity to learn from him is immense...

