Enterprise Strategy Group | Getting to the bigger truth.™

Attention RSA Conference: Let’s Not Dwell on Cloud Security!

The 2011 RSA Conference is only three weeks away, so the entire security industry is gearing up for this annual gathering of paranoid geeks. As an analyst, I’ve been getting lots of e-mail about what vendors will discuss at the event and I’ve also spent a bit of time perusing the conference website.

This activity leaves me a bit concerned. Why? There seems to be a tremendous focus on cloud security at this year’s event: all kinds of “voyage to the cloud” rhetoric, how security is the biggest hurdle, and a plethora of tools, technologies, and services aimed at addressing cloud security.

Now don’t get me wrong; cloud security is an important topic. There is a tremendous amount of brainpower and investment going into cloud computing. Yes, we will get to a cloud computing model over time and security is truly a stumbling block. This issue is being addressed by organizations like the Cloud Security Alliance (CSA) and NIST’s Federal Risk and Authorization Management Program (FedRAMP). My issue isn’t with the topic per se; it is with the prioritization of the topic. When ESG asked 611 European and North American IT professionals to define their top IT initiatives for 2011, 16% responded with “increase the use of cloud computing services.” This was the 12th most popular answer, well below such things as “increase use of server virtualization” (30%), “manage data growth” (24%), and “major application or deployment” (23%).

We certainly need to be proactive with cloud security, but let’s not get carried away with addressing future risks when we are already swimming in so many current ones. In the recently published ESG Research Report, Assessing Cyber Supply Chain Security Risks Within the US Critical Infrastructure, 68% of cyber security professionals working at critical infrastructure organizations believed that the threat landscape is worse today than it was two years ago. When the entire security community gets together at RSA, shouldn’t we be focused on why security professionals feel this way and what we can do to address this worsening threat landscape?

If I were running the show, here are some of the things I’d focus on:

  1. Sophisticated and evolving threats. We all need a better understanding of our adversaries–who they are, what they do, and how they think. A new piece of malware is created every 1.5 seconds. Shouldn’t we dedicate security brainpower to this real problem?
  2. Creating, monitoring, and enforcing security controls. The security industry is too hung up on products. We need more discussion on sound policies, processes, and controls–not just the latest threat management widget du jour.
  3. Security management. Closely related to number two, we need better ways of collecting, analyzing, and reacting to an avalanche of IT data.
  4. Identity. This issue gets more dicey each year. We need to talk more about the people and devices that interact in cyberspace and how to better control these relationships.

I understand that security vendors want to make money and that PR and hype are a big part of the technology market. That said, we as a security industry must recognize that we aren’t selling PCs, gaming software, or disk drives. If we can’t secure our existing networks and databases, will any responsible organization ever move to cloud computing?

Tags: cloud security, identity management, malware, security controls, security management, security threats

All views and opinions expressed in ESG blog posts are intended to be those of the post's author and do not necessarily reflect the views of Enterprise Strategy Group, Inc., or its clients. ESG bloggers do not and will not engage in any form of paid-for blogging.

© 2011 Enterprise Strategy Group, Milford, MA 01757