Tuesday, April 21, 2009

RSA Conference 2009: Elgamal Strikes Poignant Note, Coviello and Salem Paint in Bold Strokes



"Those who dream by day are cognizant of many things which escape those who dream only by night." Edgar Allan Poe

Notes from Keynote Session, RSA 2009, Tuesday, 4-21-09: Elgamal Strikes Poignant Note, Coviello and Salem Paint in Bold Strokes

This RSA keynote session opened with a documentary short film tribute to the 19th Century storyteller Edgar Allan Poe, a writer of "brave imagination willing to venture into the dark parts of human nature to illuminate the truth on the other side." Of course, Poe also had a keen interest in cryptography.

Legendary Egyptian cryptographer Taher Elgamal was honored with the RSA 2009 Lifetime Achievement Award. In his moving remarks accepting the award, Elgamal expressed joy and wonderment. “The thing about this industry,” Elgamal remarked, “is that it is fun, we get to deal with mythic creatures like Trojan Horses and Zombies.” Elgamal also shared a poignant insight into his inner life. From childhood, he said, he was in love with numbers, and believed for many years that the world was ruled by “one massive equation,” but now, he said, he has come to realize that “whether or not the equation exists, it is the journey that matters.”

In delivering the opening speech of the Tuesday keynote session, Arthur Coviello, Executive VP of EMC, and President of RSA, EMC’s security division, declared: “The vendor community must take lead in building secure, robust eco-system.”

Coviello talked of security being on the verge of one of those tipping points where evolution turns into revolution, and he suggested that the “decoupling” of policy management from the individual security point products was the real breakthrough that would lead to the overcoming of the criminal threat.

In the next speech of this keynote session, Enrique Salem, President and CEO of Symantec, declared “operationalizing security” the overriding imperative.

Salem described security managers as tired of being “system integrators” and fed up with “silos.” “It is time to change the way we do security,” Salem said, “it is time to operationalize security.”

“It is possible to have an integrated solution that drives security across your entire environment,” Salem promised, “a solution that is risk-based, information-centric, responsive (i.e., situation-aware) and workflow-driven.” Automating manual processes and bridging between silos, Salem added, are key elements.

Some thoughts on the speeches of Coviello and Salem:

Surely we all can embrace both the vision of building a “secure, robust eco-system” and the role that “operationalizing security” would play in fulfilling such a vision.

But is it optimal, as Coviello suggests, that “vendors must take the lead” in the effort to create this eco-system? This is a topic worthy of serious reflection.

Certainly, the vendor community has the profit-motive, the resources, etc.; certainly the vendor community would have to develop and sustain vital elements of such an eco-system; but should they -- can they -- lead the effort to create it? It is not at all clear that it is the vendor vision that should dominate, and the vendor agenda that should dictate.

What of the other co-creationists, e.g., government, academia, industry sectors and citizen groups?

There are many blind spots from each of these perspectives. How can we collaborate to overcome them with a unified field of collective vision?

These should be open questions. But the forward momentum may simply over-write such questions. Market forces, like nature, abhor a vacuum.

Another observation, not only on these two keynotes but on much of the collateral and sales pitches out there on the threshing floor of the Expo: there seems to be a preoccupation with the threat of “fraudsters” and “identity thieves.”

Well, in the 1990s, the conventional wisdom was that the biggest issue was the insider threat and that most of the rest of it was juvenile hackers. Both the threat of criminal hacking for profit, and the high-grade threat from corporate or state-sponsored spies were being paid insufficient attention.

Is the high-grade threat still being paid insufficient attention?

-- Richard Power