The Computer Security Institute's 31st Annual bash in D.C. was bigger and better than ever. More vendors, more attendees, more products, more sessions... more, more, more. But, as good as CSI's 31st was, there were still warts. And those warts led me to ask questions.
First, of course, the big buzz was that Bill Murray, perennial icon of information security professionals, refused to speak at the conference because the keynote speaker was Frank "Catch Me if You Can" Abagnale, a convicted felon. Murray's professional ethics prohibit him from speaking at a conference where a convicted felon is also speaking. I firmly believe that a person has every right to behave as his conscience dictates. I do not happen to agree with him in this particular case, but I will support strongly his right to take the stand he did.
Under the chatter and rumor mill, I heard some vendors complaining that there were not enough quality leads. That one I found disturbing because there were between 2,500 and 3,000 attendees that could visit the show floor. The largest number of vendors and the largest contingent of delegates should have been a dynamite combination. Apparently some disagree.
It's a classic case of two sides to every story. I asked attendees if it was a good show for them. Almost universally the answer was, "nothing new here." Now, that is a far bigger problem than Bill Murray's ethics.
We are in a period of the most challenging information security risks in our history, and the perception is that vendors can't come up with any new solutions? There absolutely is something wrong with that picture. I have a research collaborator who believes that companies are so busy trying to return big profits that innovation has all but died. Another colleague tells me that there is venture capital in record quantities but the VCs can't find anywhere to spend it.
Well, (as my kids would say), duh... more money available for innovation and less innovation – shouldn't these folks be talking to each other? And shouldn't the product developers have a word or two with the world outside their corporate boardrooms – like the world that buys their products and thinks that there is nothing new? Wake up, developers! Your customers want something from you. And, if CSI is a benchmark, they're not getting it.
Peter Stephenson is director of information assurance for CeRNS, The Center for Regional and National Security, at Eastern Michigan University