I recently did a webinar with a few of my colleagues from the RSA Conference Advisory Board on precisely this topic, which you can find here. We tried to expose as much as we could of the fantastic variety that you’ll find at RSA Conference 2019.

Here’s a further elaboration of one of my favorite bits: Amazon’s elastic compute cloud (EC2) service is now a teenager. And yet you’ll often hear chief information security officers (CISOs) talk about “cloud security” as a distinct item (and I’ve assuredly done this myself, so I’m not qualified to throw stones here), rather than as one element of a modern security & risk (S&R) program.

As you’ll see at RSA Conference 2019, following good public cloud security practices will give many organizations (especially smaller or resource-constrained ones) better security than they can achieve in their environments currently. Public cloud security best practices avoid environmental assumptions (as in, “we don’t need to protect X application because it sits in Y environment”). Avoiding environmental assumptions is a good practice to implement everywhere, because environments often change without notice. Further, we’ve long thought of the ephemerality of cloud services as a disadvantage for security. But as Kim Jones pointed out during our discussion, that ephemerality can also be a benefit; if we tear services down constantly and build new ones, that makes it a lot harder for an attacker to keep a foothold in your systems. Attackers can break in, but they will lose that door and everything they know about your structure when you get rid of those elements and spin up new ones a few minutes later.

I also can’t help returning to a conversation I had with an information security policy expert a few weeks ago. He and I both worry that we may look back on RSA Conference 2019 as one of the last big parties of the tail end of the information security gilded age. Here’s my evidence: Firms have been spending more on information security every year for many years now. And while S&R professionals have made great strides (CISOs now regularly present to companies’ boards of directors), if we’re brutally honest with ourselves, we’re barely keeping up with the rising tide of security incidents, breaches, and regulations. I’m skeptical that firms can (or will wish to) afford to increase their spending on information security at the same rate for the next five years that they have for the last five — especially given the bumpy forecasts for the world economy in 2019 and 2020. And as those budgets slow, so too will the torrent of venture capital and private equity that has allowed a thousand startup and M&A flowers to bloom. So enjoy the RSA Conference 2019 festivities; 2020 may be more subdued.

And if your ears perked up when you read “information security gilded age” above, please do join me at my session at RSA Conference 2019, which is “Mushrooming Economic Inequality Menaces Security: Here’s How to Fix It.” Hope to see you there on Thursday, March 7, at 8 a.m. US PDT in Moscone South 304!