RSA and the expanding hole in cybersecurity

By Tom Foremski
The recent RSA conference drew more than 43,000 people — a record number as the cybersecurity hole continues to widen with new exploits.

There were record numbers of people, exhibitors, talks and awards at the recent RSA Security show in San Francisco. Yet we have widening security holes in enterprise systems that continue to be discovered and exploited.

You could buy every product and service at the RSA show from hundreds of security vendors and still have no peace of mind. In fact going to RSA show will likely cause your mind to race in panic at all the vectors of malice that the security vendors will happily tell you about.

To paraphrase George Bernard Shaw, if you lined up all the 43,000 computer professionals that attended RSA they would not reach a conclusion on the best approach to security. Yet enterprises are to asked to shore up security amidst a cacophony of advice.

“I haven’t seen so many people, so loudly complaining about a problem they aren’t solving,” said Ethan Ayer, CEO of Resilient Network Systems.

Not only are the security vendors not solving the problem but they are expanding the security hole by discovering new exploits. It seems that you can always spend more but you’ll never spend enough because there are more undiscovered threats to plug.

As new laws come into play such as the upcoming European Union Data Protection Law which requires businesses to use appropriate protective measures or face very expensive fines if there’s a data breach — enterprises are in a tough spot. What is the right level of security?

Ray Rothrock, a veteran Silicon Valley VC last year called cybersecurity a burdensome tax on business that is unsustainable. He called on the industry to get ahead of the problem.

Peter Tran does try and get ahead of the problem. He heads RSA’s Advanced Global Threats group. “We get ahead of the problem by carefully monitoring online discussions and exploits and predicting where attacks might come from.”

Tran says buying everything at the show won’t work. Educating staff on security and having a process are the best defenses. “Technology is not enough.”