SecureWorld Boston 2019: Day One

SecureWorld Boston 2019

Hynes Convention Center, Boston, MA

Day One: March 27, 2019

Last week, on March 27th and 28th, I attended SecureWorld’s 2019 Boston conference and expo, the 15th Annual SecureWorld Boston (#SWBOS19), as did more than 1,800 other tech and security industry professionals. It was a terrific opportunity to learn about the latest in cybersecurity and meet a lot of the industry’s top companies in one location. As a tech industry analyst (and blogger) with a generalist background, I hadn’t dug very deeply into security products, so this was a crash course for me. Certainly, most of the vendors’ names were familiar to me from my years covering the tech industry in general, aggregating some of my colleagues’ vendor analysis of these vendors, and assisting colleagues whose work was focused more consistently in the space, but I spent the better part of these two days getting brief introductions to each of the expo attendees’ products. My tired legs and hoarse voice at the end of the event would attest to the miles I logged while visiting at least 80% of the vendors’ booths.

With my background, my coverage of last week’s event will be from a generalist’s perspective. In addition, since I spent a lot of time visiting booths, I didn’t get to most of the presentations. (I expect that to change next year, as I’ve now acquainted myself, if just slightly, with a bulk of the security industry’s key players; I’ll plan a lot more coverage of the presentations in 2020.) I don’t intend to touch upon my booth conversations, but I will share my notes on the presentations I attended.

Though I missed the morning’s keynote while getting settled to Hynes and getting settled in, I heard impressive things about Intel’s Steve Brown’s “Going Digital: Building Your Strategic Roadmap for the Next Wave of Digital Transformation.” presentation, a speech I’m told touched upon a broad swath of digital transformation technologies.

Lunch Keynote: Bruce Schneier, Security and Cryptography Expert and Author of Click Here to Kill Everybody: “Securing a World of Physically Capable Computers”

Wednesday’s lunch keynote was an eye-opening, entertaining glimpse into security in a world in which essentially everything is a computer. I jotted down seven key points during this presentation, upon which I’ll elaborate based both on what Schneier presented and what I’ve observed elsewhere:

1. The Internet is not built for security. Security would have defeated/overwhelmed the original purpose of the Internet. To oversimplify so it will fit into an already-too-long single sentence, it originated as a way for researchers and academics to exchange information. Though funny cat pictures certainly followed soon enough (my observation, not Scheier’s), security was not a big initial concern.
2. Retrofitting security is hard. Once the cat’s out of the bag, so to speak… and that’s all I have to say about cats tonight.
3. Because objects now have software, everything is insecure. This is a frequent topic at IoT events I attend. And since some legacy devices cannot have their software upgraded remotely, well, this is what keeps IoT/embedded systems people up at night. (Side note: These days, that’s pretty much all of us.)
4. Complexity: It’s easier to attack than it is to defend/secure. Relatively self-explanatory and obvious but definitely important to remember, and it has an impact on how we deploy resources.
5. New vulnerability in the interconnection. I really wish I had taken more notes here, but you get the gist. Interconnection provides an opportunity for a security breach.
6. Attacks are getting faster and better. Schneier referenced the democratization of attacks. Attacks developed by some can be used by others. I did a bit of online searching to find a better way to explain this, and perhaps the best words are Schneier’s own, from this March 2015 blog post on his website.
7. Computers fail differently. When mechanical equipment fails, parts wear out. A maintenance schedule can be set up. Or, at the very least, mechanical failure can be predictable and repairs can be made to individual components or machines as they fail. When cybersecurity fails, everything breaks and needs to be fixed immediately. Vulnerabilities discovered for one network can be exploited everywhere. At the moment they’re discovered. And so the vulnerabilities must be repaired everywhere.

The only possible outcome of increasing security breaches, as Schneier sees it, is government involvement. Regulation is coming in the future. Maybe soon. The question is whether or not it will be smart government involvement or stupid government involvement. We’re seeing it in Europe already. In the U.S., it’s happening at the state level, but Congress will do something at some point. And it behooves the security community to get involved and to court “smart” government involvement before “stupid” involvement is thrust upon the industry. To this end, Schneier directs the audience to Public Interest Tech: https://public-interest-tech.com/.

An interesting, thoughtful speech, this keynote was a must-attend.

The Rest of Day One

The rest of my Day One was spent visiting vendors’ booths, learning about cybersecurity through the vendors’ products. Next year, with SecureWorld Boston 2019 under my belt, I plan to attend more of the interesting presentations that ran concurrently with the exhibits.

And, in the evening, many attendees, myself included, ambled over to the networking reception before calling it a night and preparing for Day Two.

(Stay tuned: A summary of Day Two is in process.)