The SC Magazine Awards 2008 Blog

RSA wrapup: The good and the creepy

Posted April 14, 2008

Deb Radcliff filed this RSA wrapup.

 

Everyone’s always asking those of us from the trade press about trends we see at RSA.

 

Some will tell you RSA this year was all about virtualization, which already seems like an old story with vendors like Blue Lane Technologies and Reflex Security stepping in to monitor the heretofore unwatchable layers created by virtual machine managers and their guests.

 

Others will say it’s all about data leakage protection, and we sure saw a lot of that at the conference this year, with Symantec, Trend Micro and others taking leakage protection to a more comprehensive level at the endpoint and gateway.

 

Unified authentication and use of federated identity frameworks are also gaining momentum, with Microsoft discussing its unified access approach, TriCipher announcing over 50 web applications (SalesForce, WebEx, Google, etc.) in its user single sign-on portfolio, and so on.

 

Ultimately (true to RSA President Art Coviello’s Tuesday morning keynote), the overall conference boiled down to more holistic management of risk under the following bullet points:

 

• Looking at security from inside out instead of outside in (protecting data instead of the network)

• Driving protections deeper into the infrastructure to make it more of an operational function rather than a separate security function

• Using security as an enabler for new types of business

 

All good and necessary aspirations. But one theme that subtly carried across and outside the conference was this nuance of surveillance – surveillance of children (Symantec’s upcoming family security suite), surveillance of IP traffic, including through the ISPs.

 

The theme of being watched resonated outside the conference, starting with hotel rooms booked through the RSA block. On Monday night, little piles of colorful conference bling and fliers appeared on doorsteps of all RSA attendees who registered through that block. They know where you are, and so does everyone walking down the hallways looking at the bling in front of all those doors. RSA used a middleman to deliver the bling to the doors, according to a spokesperson, but that’s still creepy.

 

That same feeling also carried over to the end-of-RSA bash Thursday night, in which RSA Conference organizers put a lot of work and expense into setting up different forms of entertainment in the Marriott ballrooms. In the Karaoke room, for example, local entertainers set up a 20-foot black pyramid topped with a giant, 12 by 10-foot face-shaped screen with a nose protruding. Onto that screen was projected the face of a real person taking questions, acting all-knowing like the Wizard of Oz, while looking ominously down upon them. (See my friend Liz Safran’s picture of said face here.)

 

Then there was the face painting room. With security and privacy blended so closely together, it was amazing how many security practitioners blithely stood in line to get barcodes painted on their foreheads. Not only did the fake barcodes wreck their coiffures, they made their bearers repulsive – every time one walked by it made you think of the ‘mark of the beast’ predicted in biblical revelations.

 

All in fun, one might say. But given the level of desensitization among this crowd, it looked more like a parody of things to come.


From RSA: Press locked out of Al Gore’s keynote

Posted April 8, 2008

The press has been locked out of RSA’s Friday keynote by Al Gore, and the registrar says it was at Mr. Gore’s request. That’s gonna be difficult to enforce, thousands piling into this massive auditorium, but the handful of us with the green tags on our badges aren’t allowed? Meanwhile, at least 20% of those thousands with the general conference tags do some type of blogging and they still get in.


Mapping IT security to the business and the business to IT Security

Posted March 28, 2008

Patrick J Conte, CEO, Agiliance

The need to map security to the business has been an ongoing topic of conversation for quite some time.  While that might mean different things to different people, the common denominator is that it requires a change in how IT and security professionals think about and approach security.

Regulatory compliance has been a great enabler in forcing this sea change. SOX tied executive-level accountability to IT, and compliance spending tied “gaps” in the IT infrastructure to a dollar amount. The need to prioritize what gaps to fix first helped to crystallize the discipline of risk management. According to Forrester, when you combine effective risk and compliance management, what you get is good corporate governance.

While the Governance, Risk and Compliance (GRC) market is extremely broad and still being broken down into more manageable components by analysts (and everyone else), one could argue that it inherently links security to the business, and in doing so, is helping to shepherd the industry along.

A recent survey from The Deloitte Center for Banking Solutions tracked what 20 of the top 50 banks spent on compliance from 2002 to 2006.  No big surprise, spending increased each year, rising from 2.83 percent of total net income in 2002 to 3.69 percent in 2006, a jump of almost a third in just 4 years.  That translates to about $83.5 million per bank spent on all aspects of compliance, with $14 million of that spent on IT.

The survey also said that one of the main reasons compliance costs are on the rise is because they are overspending on people (more than 60% of their budgets) and underspending on scalable technology. In other words, it’s time to automate IT compliance processes. It’s a good crossroads to be at because it shows we know what’s broken.

We also have some lessons learned. SOX was reviled for being too vague, which is one thing you can’t say about PCI (although it might be reviled for other reasons). Plus, after five years of SOX and its regulatory and private sector brethren, compliance, security and risk — while far from fused — are no longer mutually exclusive. As a result, CSOs can justify security investments based on business ramifications and operational efficiencies instead of FUD.

While, as an industry, we’re still at the beginning of the learning curve, the Deloitte report and plenty of others like it will continue to help us understand what doesn’t work. Moving forward, one way to further align security to the business will be to not only continue to innovate and automate IT compliance management, but to increase the ability to appropriately articulate the benefits that delivers across the organization.
