RSA is wrapping up today. I’ve been watching a lot of what people are talking about and what is being presented. There are definitely a lot of vendor announcements (see my employer’s announcement here).
But are we talking about the right things? I think there are three big problems in information security today and I didn’t see them on display at RSA.
Growing security executives
We continue to talk about the role of the CISO but we aren’t talking about the people who fill the role. Do they have the appropriate skill sets to fill the changing role we keep talking about?
I think few security people can effectively communicate with the business and Board of Directors. Few can measure their programs (see the last issue). Few can help grow the talent they have. We should be talking about how to grow security talent, how to help security managers better articulate risks and how to grow security people.
Growing the security industry
We have a shortage of security people. It results in a cascading set of issues. And we love to talk about the shortage and what it means for salaries, jobs and software people buy in the hopes they don’t need an extra person.
Why aren’t we talking about how to get more people into the security field? Why aren’t we working to create a career path for developers to become application security professionals. How do we get colleges and trainings to include security basics? RSA could be a great place to build sponsorship for programs to increase the number of security professionals.
Measuring the Program
There was one presentation on metrics. There is always one. Let’s start talking about how to measure our processes, vulnerabilities and risks into something the business can understand and the organization can get comfort (or not) around how security is being handled.
Everyone should start with this awesome book on security metrics from Caroline Wong.
I’m sure RSA picks the best presentations based upon what is submitted. Let’s change the dialog by submitting a new generation of topics next year.