The Jericho Forum may have been saying this for a few years, but there is now a feeling that data-centric secure computing has finally arrived. Or at least the concept is taking hold in the marketing departments of the world's security vendors, represented en masse in the vast expo area of the RSA Conference.
But if that was a major theme, and one with the added bonus of giving vendors and analysts something positive to spin around, then the other was less positive. In fact, it was a declaration of defeat.
While some vendors, such as Kaspersky Lab, still believed in fighting the good fight against malware, some have started to acknowledge that it's time to entertain the notion that malware is here to stay and that we have to move to policies of containment rather than fruitlessly believing that malware can be eradicated.
I spent most of my time in the track sessions that have made RSA the world's biggest, most successful and influential information security conference. The sessions are usually where you will find vendors let their guards drop and sometimes get a grilling from customers who make up some of the audience.
However, this time, CSOs were urged again and again in these sessions to take a good, hard look at their architecture, their business processes and the data flowing through it and make some hard decisions on the value of that data.
If there is to be any growth in the vendor community it is likely to be in the emergence of intelligent data management (IDM) tools in the security sector as well as log management tools. As data management emerges into the mainstream, businesses will want to know more about data behaviour and the actions of employees accessing that data.
It was no surprise that some of the most intriguing small companies at the show - Imperva, LogLogic, Secerno, Intellitactics and Splunk - are all, in one way or another, doing interesting things with data protection and log management.
But not everyone was excited about the emergence of web-based applications and cloud computing. Google (present on the exhibition floor for the first time) excites and worries delegates at the same time. The fear is that Google Apps takes away control from IT departments and creates a new, direct relationship between users and Google. "You're no longer protecting your apps - Google is. Who's going to police this?" was a typical comment.
However, a consensus seemed to emerge during the conference that fighting Web 2.0 applications in the workplace was ultimately counterproductive and ways must be found to constructively exploit Web 2.0 (and beyond) in the corporate space.
Some CSOs have already made the leap and in a few cases, even encourage the use of Web 2.0 and consumer digital devices in the workplace.
"Denying the use of the tools that the brightest graduates take for granted will have negative impacts on the future of those businesses" was a much-heard session comment. CSOs and their board-level colleagues have to find the balance between lockdown and what they risk employees having access to. This trend will have a fundamental impact on what kind of company cultures emerge and which are successful in the next five years.
Other challenges for CSOs under discussion included the emerging "consumerisation of technology". This means managing previously unsupported devices such as the Apple iPhone, particularly important as it is senior executives who are driving the demand.
More and more applications are becoming self-managed, and managed services and SaaS will continue to grow in installs and sophistication. The growth of managed services will be helped by virtualisation and the drive to offshore anti-malware loading.
Finally, virtualisation is reaching a tipping point and will place new demands on suppliers and CSOs. The attractions and savings involved in virtualisation are too good for IT departments to ignore, but will provide new security challenges - according to one delegate, VMware had already been hacked just two weeks before the show.
Growing calls for data protection
According to VeriSign's CEO, Bill Roper Jr, there are now 33 billion transactions (and growing) every day on the internet and consumers are starting to demand personal identity services for transacting and other web-based activities. All those involved in selling to consumers online will need to do more to safeguard their data. In the US and Europe the public is becoming data aware and increasingly distrusts government agencies that store personal information.
The demands from the public for better protection from government and other public-sector bodies are likely to feed an increase in security spend. As one speaker succinctly put it: "plausible deniability is dead".
An opportunity exists for vendors and ISPs to do more to guarantee safe passage for consumers online. Vendors need to create products that address consumer fears concerning data loss and ID theft. The smaller European and Israeli players are beginning to take control of the domestic US market as the bigger players - McAfee and Symantec focus on the corporate market.
Interesting times ahead
It was difficult to get a feel for how much the recessionary slowdown may affect the industry and activity in the Bay area. One senior vice-president of marketing at a major compliance-management vendor revealed his firm had torn up its budgets for 2008. But this was an isolated view.
Others were a little more optimistic - most spoke of a slowdown but were confident that even if IT spend was to fall the security ration would hold up as businesses saw the need to remain vigilant in a less secure world.
The sector will continue to see merger and acquisition activity, it was predicted. The nature of the business will spur innovation that will continue the typical startup-IPO-acquisition cycle.
Overall the message from most of the business tracks was: don't panic, the sector is healthy and likely to remain so, even if CSOs will have to remain tolerant of M&A and the resultant effect on purchasing and planning in the departments under their control.
There was a call for a metrics approach to security. The industry needs to figure out how security can be measured so that CSOs can deliver results the board and customers can understand. A universally adopted and recognised security rating system would reassure the public and shareholders that businesses are safe.
Financial services are keen to push mobile banking products, but concern about security has held this back, as has reluctance by carriers to allow short-term tryouts of new products. The message was that in a world where users increasingly expect to be able to run their lives on mobile devices, the banking industry and the mobile carriers will need to urgently find secure solutions.
They will also need to prepare for full-blown mobile financial regulations to appear in the next few years as functionality and use of mobile banking devices mature and the mobile channel becomes primary. Secure mobile transactions will be one of the most exciting areas in the next few years and will be driven by early adopters.
The overall message from San Francisco was: the battle goes on, but the industry seems ready for the challenges ahead. There is no one solution and there never will be, but the days of simply closing the endpoints is well and truly over. New paradigms are emerging however, driven by rapid changes in social use of computing and abundant new devices.
The new era of the consumerisation of IT and virtualised computing will demand smarter and faster thinking from newly risk-educated CSOs and their teams.
An edited version of this report can be downloaded from www.rsaconference.com/2008/europe