|Alfidi Capital witnesses the mighty RSA expo in 2017.|
I sat in the front row for the first panel session and a local venture capitalist recognized me right away. I had not seen him for at least a year, so I obviously made some impression on him back then with my commentary. Anyway, the VCs held forth on the economics of countering hacking and the kinds of expertise they want to see in a cybersecurity startup before investing. It should come as no surprise that CISOs own a corporation's cybersecurity budget, so a security startup should focus their customer development on CISOs and nowhere else. The panelists with CISO backgrounds noted that they have longstanding trust relationships with sales reps who have hopped around different companies. Relationships matter even in tech, so startups should hire experienced sales people with huge contact lists if they want to win revenue. Startups will be disappointed to know that security solutions don't always scale well, so presumably large corporate customers have internal barriers that inhibit integration with other enterprise systems. Maybe automation can solve scalability, or maybe automation is another buzzword that VCs can chase for a year.
|Executives addressed foundational controls.|
The RSAC Innovation Sandbox was a hoot. RSAC users threw a bunch of words into a word cloud and the biggest ones were "data, cloud, risk, threat" in bold letters. If I had my own personal word cloud following me around, it would show words like "genius, brilliant, awesome" in big letters. One investor noted that total dollar-volume funding for cybersecurity startups was down in 2016 but later-stage funding was still keeping valuations high. The situation totally reminded me of the VCs' push for a cloud / mobile / Big Data confluence a couple of years ago because their portfolio companies in each specific sector were failing. Startups chasing those dollars now should know that innovation must address speed, because hackers' OODA loops operate faster than security professionals can respond. Get used to hearing phrases like "cognitive load" in startup pitch decks, because VCs want to fund solutions that add value through automation that reduces an IT team's cognitive load in managing cybersecurity functions. I think a startup that can demonstrate how the OWASP Benchmark Project validates its automated security solutions will have a big advantage in attracting venture funding. Any solution that can address processing encrypted data, particularly with cutting-edge tech like homomorphic encryption, will garner a similar advantage.
|People also implement foundational controls.|
The Governor of Virginia came to tell us all about how cybersecure things are over in his state. He kept telling variations of a funny story about dolphins in his state's waters and how much Virginians loved them. I hope those dolphins are qualified cybersecurity professionals. I agree with the Governor's sentiment that state-sponsored education should offer more tech and less baloney, although he didn't use the word "baloney." That's one of my favorite words. Anyone who thinks there's no baloney in tech has never sat through a startup pitch fest. I did a Google search for the US's national STEM education standards and found the US Department of Education's K-12 standards page, so the STEM stuff may be in there somewhere. The NSF's STEM Education Data has gotten a lot more user-friendly since the last time I checked out its Science and Engineering Indicators report. The NEA surprised me with some useful STEM links; it's nice to see a union do something useful. Remember, folks, that arts education puts the STEAM into STEM.
|Intelligence on threats must drive security decisions.|
I was thrilled to listen to a security panel featuring cybersecurity legend Bruce Schneier. I have read his regular Crypto-Gram newsletter for years and he always has a fresh take on the biggest security trends. The panel addressed the emerging challenge of monitoring, maintaining, and certifying IoT products. It sounds to me like there are plenty of niches for security startups to make their cases. Industry will always sacrifice security for performance, so expect government regulation to drive security standards. Mr. Schneier mentioned how regulation has both fixed costs and marginal costs for solutions, and he somehow connected it to European Union regulations that will raise the marginal costs of producing IoT devices. It sounded like justification for US device manufacturers to on-shore more IoT device production here at home. I can see the walled gardens going up already in IoT thanks to security concerns. Here comes my awesome Alfidi Capital genius, folks. Secure models must connect trusted "walled gardens" (i.e., families of products from Google, Apple, and other big providers) to home IoT hubs (i.e., the coming smart home systems) that are certified under federated standards (i.e., cloud stack, network connectivity, and hardware all certified under some family of government-approved standards bodies). You heard it here first. Oh yeah, one more thing . . . educating consumers on security never works! People ignore privacy settings and safety procedures, so regulation will have to build fail-safe protocols that make it difficult for non-expert users to leave themselves exposed.
|Get used to hearing about securing ICS.|
The RSA people livened up their conference by having actors and poets come out to introduce major themes. Hollywood actor John Lithgow gave an opening-day monologue with audience members raising their glowing wristbands. It worked as a performance art piece but I did not get a wristband. That's what happens when you only get an Expo Pass. A poet named Rives introduced a couple of cute musings on how ideas can represent data connections. I won't spoil his performance for you, so just go look up his TED talks.
|Scripting in software is not like the movies.|
I never miss a chance to hear Dr. Eric Schmidt from Google (aka Alphabet, its new corporate name) hold forth on tech stuff. His talk at RSAC mentioned Google's TensorFlow open-source AI library. Those Google folks are just non-stop innovators; it must be all the coffee they drink. Dr. Schmidt said he uses game theory to make strategic business decisions, especially when deciding to deploy tech that keeps Google at the center of a new ecosystem. It's no wonder why Google is so dominant if that's really how they think. Every company should be lucky enough to have geniuses running the show.
|FireEye came out to the expo.|
I acquired some good background information from the NIST Cybersecurity Framework presentation. It is destined to be the beta version of the federated standards system I mentioned above. Cybersecurity professionals need to know about the Center for Internet Security's critical security controls, the Center for Responsible Enterprise and Trade compliance standards, the CForum's development of the NIST framework, and the National Cybersecurity Center of Excellence's implementation of the framework. The framework's sponsors were fond of the Checklist Manifesto methodology, so there's a cue for startups that want to execute solutions in this space. Note that the Industrial Internet Consortium has its own security framework.
The final speaker that mattered to me was the phenomenal, incomparable, mind-blowing Dr. Neil deGrasse Tyson. Okay, I'll admit I attended other speakers but this guy was the real deal when it comes to pure, unadulterated genius. His genius probably ranks right up there with my own. I can't do justice to his blend of science wisdom, performance art, and comedic monologue with my meager words. Check out YouTube for tons of examples of his knowledge. It's all in the delivery. Dr. Tyson connected Albert Einstein's theories to lasers and gravitational waves during his RSAC talk. Previous eras had Dr. Einstein, and we are lucky to have Dr. Tyson among us today. His explanations of complex ideas make him a living national treasure. He should run NASA.
Read my blog article closely enough and you'll see how I spotlight hints for startups. I picked up a ton of printed information from expo floor presenters on technology implementation that I am not going to share in public. My intent is to attract entrepreneurs to some cool ideas and advise them on execution. I am not about to tip my hand in public lest potential competitors get a clue. Suffice it to say that anyone can track publicly available information on tech development, but only a genius such as yours truly can fit it all into a coherent business plan. Every conference I attend is by definition a massive winner, simply because I am there. Thank you RSA for enabling me to score in 2017.