April 24, 2008

Whither RSA?

RSA is a puzzling event. On the one hand it's a very successful meeting, fun to attend, and brings together the IT security industry for a week. On the other hand, when we saw old friends and exchanged the traditional show greeting "What have you seen that's exciting?", the answer in general was "not much." That's paradoxical, or at least troubling. All the vendors were there and they were spending money like Persian Princes. And the security problems are as important as ever, if not more. So if the spending is there and the problems exist, why wasn't there much new? It's a puzzlement. Part of the problem is that it's a lot harder to solve today's criminal attack problems than it was to stop worms and viruses. And the customer now wants to talk in terms of intelligent risk mitigation rather than just "preventing bad things from happening," and that's difficult too. Maybe most of the vendors know neither how to prevent the modern problems nor how their customer should justify the expense. We can hope that things will improve by next year.

End-to-End Trust -- The next big thing or fiddling while Rome burns?

At RSA Microsoft (with great fanfare) introduced the notion of "end-to-end trust" featuring a White Paper by Scott Charney, VP Trustworthy Computing, and featured in Craig Mundie's keynote, shown here in dialog with Chris Leach, Affiliated Computer Services' CISO. The paper and the topic are thoughtful and meaningful, but the tenor of the paper is very academic and not at all prescriptive. My MS friends explained that there is still a good deal of remembered pain from Hailstorm, Microsoft's web authentication effort from some years ago which was too prescriptive. Trying to resolve this tension I went around and polled some wise men in security on whether they thought we were winning the war (making the Internet safer) and sadly few feel very optimistic. In the past Microsoft has been a real industry leader in trying to drive collective change. Maybe it's just that Mundie isn't very comfortable wearing the shoes he inherited from Gates. With no blame meant toward Microsoft (they're still out in front of the pack in leadership) it sort of feels like the bad old days of Spam "control" -- Fiddling while Rome burns. I wonder if the bad guys buy analyst services.

Malcolm Gladwell Blinks at RSA

Malcolm Gladwell (who I must confess is probably my favorite author) was one of the paid keynote speakers and gave a really excellent 45-minute talk more or less on the subject of his most recent book Blink! Whether or not you've read the book, I really recommend the movie (in this case the keynote replay available from the RSA website). The book and the talk are all about how humans make good decisions (contrary, one might say, to the McKinsey consulting approach) and how important this problem is now that we are swamped with information to deal with (it turns out less is more). And Gladwell is very entertaining to boot.