Industry Guru Gunnar Peterson provides a debrief on the
RSA Conference that is a must read...
First time for me to RSA, I generally go to more geek-to-geek conferences like OWASP.
I am in the same boat as Gunnar. Why would I want to consume my budget just to learn about security products when I could instead attend
OWASP events such as the
OWASP AppSec 2008 in New York City where real security discussions occur. RSA is only of interest to those enterprise architects who practice productecture and need to be spoonfed the
latest elevator pitch because they aren't capable of comprehending anything else. Folks that attend these conferences are
dangerous to the enterprise.
There were soooo many vendors yet most of the products in the massive trade show floor would have as much an impact on the security in your system as say plumbing fixtures.
I bet there were lots of industry analysts and the media swarming though. It is guaranteed that there will be lots of press from
industry analysts coming out the event but no real innovation.
For years the excuse that security people gave for their field's propensity to lameness is that "no one invests a nickel in security." However, that ain't the case any more and yet most of the products teh suck. This doesn't happen in other areas of computing - databases are vastly better than a decade ago, app servers same, OS same, go right down the list. What gives in security? Where is the innovation?
I have to disagree with Gunnar in that I still believe it is true that no one invests in security. The problem at some level is that folks are investing in security products and not in making existing products secure. For example, all the security vendors came out of the woodwork to demonstrate
XACML interoperability, yet none of the vendors demonstrated how to
embed XACML into their ECM, BPM, ESB, etc solutions. It is guaranteed that the folks at RSA are working on XACML products yet they aren't working with their own inhouse developers to put XACML support into
Documentum.
I would attribute to a lack of accountability. In programming your stuff better compile or you don't go live, you don't get your bonus, people get whacked and so on. In security there is no bar to clear generally. People play cops and robbers off in some corner of the enterprise, right draconian policies that are ignored, and life goes on.
Gunnar is 100% accurate here as their is no body of knowledge that one even needs to know before labelling themselves as security architects. The funniest of observations is that there are many security professionals who on one hand acknowledge that security should be implemented in layers and likewise that you need to protect both at the infrastructure level and the application level yet on the other hand have never written one scintilla of code in their lifetime. Maybe we have to work harder to convince these folks that they aren't doing
security but are only doing
network hygeine.
The other thing that struck me was that everyone was selling their butts off, and I realized I have no budget to buy, so I might as well have something to sell. What about training?
I normally don't provide public endorsements of anything or anyone but if you haven't taken one of Gunnar's courses and you consider yourself a security professional, then you need to smack yourself silly as the
opportunity to learn from him is immense...
# posted by James McGovern @ 8:30 AM
