Five things we learned planning Structure Security 2016

Golden Gate Club

A very interesting year unfolded as we planned our first security conference.

It’s a year that witnessed a showdown over the right to encryption between the FBI and Apple, two of the most important organizations in their respective fields. It’s a year in which, at this point, it’s fairly well understood that Russian hacking groups — working with or without the knowledge of the Russian government — have attempted to interfere with a presidential election. And it was a year in which even the NSA itself was hacked, making it clear that a determined adversary will find its way into targets that take security as seriously as oxygen.

Next week Structure Security will bring together the people who are setting the tone for the future of information security, and you shouldn’t miss it. Security industry legend Art Coviello will kick off the conference next Tuesday, Sept. 27th, with a presentation on the state of modern information security. Alex Polvi, CEO of CoreOS, will close the conference on Sept. 28th by emphasizing how one of the hottest developments in cloud computing can make us more secure. And we’ll showcase dozens of security leaders in between, from RSA Chief Strategy Officer Niloofar Howe to FBI CISO Arlette Hart to Okta CEO Todd McKinnon.

We’ve learned five things about the modern information security world over the last six months of planning, ranked in no particular order.

  • There is a massive shortfall of qualified information security professionals expected over the next five years.

    If you’re oriented toward a technical career, and have a good head on your shoulders, you might want to consider working in security. Rich companies are throwing money at the best of the best information security engineers, the same way Ruby on Rails experts made bank in the Web 2.0 era and Java engineers outperformed their peers in the first dot-com boom. But this is a little different: security thinking requires a unique set of skills and a different way of approaching software development, and companies desperately trying to improve their information security practices are finding it very hard to hire qualified people in both leadership and day-to-day roles.

  • The frantic pace of modern tech development often forces security to be an afterthought or a bolted-on-later solution.

    Product development engineers have ruled Silicon Valley for a long time now, and inside many companies, those engineers are evaluated on how quickly they can ship projects to market. There are a lot of very good reasons why speed is so valuable, but the need for speed can create vulnerabilities, not just in your code, but in how you respond to security issues. Solving this tension between your engineering department and your security department will not be easy, but it will be harder the longer you wait.

  • Your security people don’t have all the answers. They need to share information with others and employ crowd-sourced bug testing.

    Information security is one of those difficult fields in which you’re only really noticed when you screw up, despite how many times you’ve saved your company or client from serious harm. That unfortunate reality creates a bunker mentality in which security professionals in similar industries are very reluctant to share information about attacks and threats with each other, making everyone less secure. Yet at the same time, more and more companies are realizing that they can’t expect their own security teams to catch everything. If Apple, Google, and the Department of Defense are willing to embrace bug bounty programs, then everyone should at least consider the benefits of crowd-sourced bug hunting.

  • Just as open-source software took over the enterprise computing market over the last decade, open-source software is poised to take over the information security market.

    The maturation of open-source enterprise software revolutionized the practice of building and scaling information technology departments; this year, Microsoft employees became the leading contributors to open-source projects on GitHub, which is a staggering change to anyone who remembers the software giant’s epic battles against the very nature of open-source software. We believe that something similar is going to happen to the information security market as well, and you’ll see a preview of that future at Structure Security.

  • Machine learning and cloud computing are changing how information security tools are designed, developed, and deployed.

    One of the biggest problems in modern information security is that it’s nearly impossible to protect yourself against the sheer number of threats and exploits out in the wild, not even counting the ones we don’t know about yet. But what if we could train powerful systems to understand threat and vulnerability patterns? And is putting our workloads in the cloud making us more secure, or concentrating some of the world’s most valuable data in three or four places that will be irresistible to the best criminals? We don’t know yet, because these trends are still evolving in the mass market, but we’re going to talk about it.

Security is one of the most fascinating subject areas in technology. It’s full of heroes and charlatans, stone-faced government automatons and delightfully punk-rock hackers, and, for the most part, hard-working people who are trying to protect our most valuable institutions and organizations against a growing tide of determined attackers.

They know that our world will only become more and more digital every year until Earth gets hit by an asteroid or runs out of energy. Willie Sutton, when asked why he became the most notorious bank robber of the 1930s, supposedly said “because that’s where the money is.” In 2016, the money is in our networks, and protecting it against the spiritual heirs of Willie Sutton is one of the most important jobs in technology.

Join us at Structure Security next week to learn more about the future of information security. I’d like to thank all the advisors and friends who helped us plan this important conference, and we promise two days of stimulating discussion at the beautiful Golden Gate Club in San Francisco’s Presidio district.