As I await final official attendee numbers from conference organizers, it was clear that thousands of information security pros turned out (unofficial, pre-audit numbers are said to be more than 21,000 people in attendance compared to 18,500 the previous year, according to one RSA Conference staffer). All the major vendors were on tap, as were government officials, executive leaders, analysts, consultants and more.
As we were going to press with this edition, the results from an online poll regarding RSA were still rolling in. We asked visitors to our site to rate their experience in San Francisco. So far, it's been pretty positive, with about 46 percent of respondents saying the event met their expectations and another 20 percent noting that it exceeded them. Only about 35 percent expressed some disappointment, saying the gathering fell short of what they were hoping for.
To many, it seemed as if larger crowds were hitting classes and were more engaged with speakers and the information presented. As well, questions being bandied about on the show floor were more detailed – attendees really wanted to hear from vendors how their solutions worked and in what ways these offerings actually might help them.
This is an interesting observation and sort of reflects one that was voiced in an online editorial webcast we held mid-March. During that event, “Evolve and Survive,” in which we were examining our findings from this year's SC Magazine Data Breach Survey, Gene Fredriksen, CISO of Tyco International, said there were a whole host of things driving budget, resources and tweaks to security/risk management programs. Some of these include regulatory mandates, pernicious attacks, like APT, and certainly the success of many of today's infrastructure assaults. Just as many pros believe, he warned that companies and government entities likely already have malcontents roaming their networks, which has brought into existence two groups of executives: those who know they've been breached and those who have no clue.
Now, what is not driving budgets is the fear, uncertainty and doubt (FUD) argument. Sure, there are some IT security pros who still try to freak out their CFOs, CEOs and boards with FUD. The idea is that if they get these guys and gals so spooked by the possibilities of profit losses and brand damage from some cyber thief or hacktivist, the execs will throw money at them willy-nilly (like that'll happen in this economy, anyway!). The thing is, though, said Fredriksen, even if some less farsighted pros are relying on such methods, more knowledgeable and aware C-level cats just aren't buying.
FUD simply doesn't fly any longer. And this change may be just one of many catalysts driving all those security pros at RSA and other conferences, like our live SC Congress or SC Congress 24/7 online happenings, to grill exhibiting vendors about their products and the likely and potential benefits they'll bring to help them solve the often troubling and confounding security problems they're trying to rectify in their organizations.
If that is, in fact, happening, then we're in one cool place right now. Strategic moves made to safeguard critical data and harden systems, as opposed to sometimes haphazard tactical ones, are just right for the long run success of any business and government agency. And so, too, are traits like agility and vision that are needed to rapidly adapt.
As Fredriksen said during his talk, to move methodically and quickly is a necessity these days. Failing that, organizations, their leaders and most assuredly their CISOs/CSOs will simply transform into today's dinosaurs. And, well, we all know what happened to those guys.