An Amazing Thing Happened for Security Yesterday
In San Francisco there is a huge conference going on called RSA. Anyone in the security community is familiar with the event; people either mark their calendars for the annual gathering with excitement or attend begrudgingly. This event is huge, 40,000+ attendees huge. It is also long, spanning the whole week, and the expo floor is so big that it is split across two different buildings. For security, this (along with Black Hat/DEF CON) is the event of the year.
Anyway, back to the reason for the post. An amazing thing happened yesterday: Rich Mogull got on stage at RSA and gave the industry a wake-up call. He gave a presentation (based on his article, which we already loved) on why security has to change or die in the modern world.
(n.b. I tweeted direct quotes from the session and have embedded them here. Please feel free to retweet, heart or otherwise share these as you desire.)
He told the audience that security is behind, and one of his opening points was that this change is not coming, it is already happening.
He compared our industry to something passing through a black hole: what comes out the other side will not look anything like what went in. In fact, our entire industry has a "best used by" date, and for many companies and solutions that date has already passed.
Complete segments of the security industry are dying off right before our eyes.
There are a lot of forces at play here, from DevOps to cloud to containers to negative unemployment (more open security roles than people to fill them). However, the three major forces actually driving the disruption are SaaS, endpoints, and IaaS.
These forces are shifting business models toward shorter time to market and a lower cost to innovate. Just as we don't need antivirus, we don't need hardware appliances. Soon, through the rise of containers and serverless (n.b. I am doing a talk on serverless and security on Friday at RSA, come say hi!), we will care less and less about the operating system and more and more about the pieces that bring actual value: the application and the data.
Archaic models for security are fading and new sectors are coming online. I see this first hand at Signal Sciences, where customers are adopting a model of building security into the DevOps flow. In today's world of breaking silos and uniting teams around delivery, why would you have a web application firewall be a black box on your CDN or network? It doesn't make sense in our cloud-first world.
With this, our jobs have to change.
Sure, it's fun to pick on email administrators, but this applies to many of the security and audit roles in an organization. If your business is deploying 10 times a day and you are still running compliance and audit processes on an annual cadence, then it is time to change.
This is not an easy thing, but change is needed.
This is not doom and gloom, and the talk didn't rely on the traditional security approach of using fear or preying on uncertainty to motivate. Instead, it was a wake-up call to the community. Have you used the cloud? Can you write code to automate? Do you grok serverless? Are you working with DevOps?
These are all questions we can ask ourselves, and they make an easy self-assessment. The wake-up call is now, the time to change is here, and the choice is ours.
Signal Sciences' industry-first Next Generation Web Application Firewall was built in response to our frustrations with trying to use legacy WAFs while enabling business initiatives like DevOps and cloud adoption. The Signal Sciences NGWAF works seamlessly across cloud, physical, and containerized infrastructure, prioritizing security effort based on where your applications are actually being targeted and blocking attacks without breaking production traffic.