On Thursday at the RSA Conference, I had the opportunity to attend a lunch with the conference advisory board: Benjamin Jun of Cryptography Research, Tim Mather of RSA, Ari Juels of RSA Laboratories, and Asheem Chandna of Greylock Partners. It was an interesting event, and Alex Howard of TechTarget did a good job of covering the discussion in a recent article.

As with many things associated with the RSA Conference, it took me a bit of time to digest and distill all the various bits of information crammed into my sleep-deprived brain. I find that these big events are an excellent opportunity to smash my consciousness with far more data than it can possibly process, and eventually a few trends emerge. No, not this year’s “hot technology”, but macro themes that seem to interweave the disparate corners of our practice and industry. It might run contrary to many of the articles I read, or conversations I’ve had, but I think this year’s subtext was “innovation”. (And not because I presented on it with Hoff).

Every year when I run into people on the show floor, the first question they tend to ask is “see anything new and interesting?” Finding something new I care about is pretty rare these days for two reasons. First, if it’s in my coverage area I sure as heck had better know about it before RSA. Second, most of the advances we see these days are evolutionary, and earth-shattering new products are few and far between. That doesn’t mean I don’t think we’re innovating, but that innovation is more pervasive throughout the year and less tied to any single show floor. One really interesting bit that popped out (from Asheem) was that the Innovation Station had only 14 applicants last year, and over 50 this year. I think in these days of tight marketing budgets for startups, a floor booth is hard to justify, and perhaps some of the total crap was weeded out, but security startups are far from dead (just look at my Inbox).

But more interesting than innovation in startups is innovation from established players. For the first time in a very long time I’m seeing early tendrils of real innovation leaking from some of the big vendors again. We talked about it for a few minutes at the lunch, but it’s obvious that the security industry was able to coast for a few years on its core approaches. Customers were more focused on performance and throughput than new technologies, thus there was little motivation for big innovation. The limited market demand pushed innovation into the realm of startups, where new technologies could incubate until the big companies would snatch them up. Our financial friends at Marker Advisors even talked about this trend in a recent guest post, and how “traditional” buying cycles are now disrupted by technology turnover and changing client requirements. It all ties in perfectly to Hoff’s Hamster Sine Wave of Pain.

On the other side, we’re seeing some of the most dramatic attack innovation since the discovery of the buffer overflow. And for the first time, these attacks are causing consistent, real, measurable, and widespread losses. We’ve seen major financial institutions breached, the plans for the Joint Strike Fighter stolen (‘leaked’ doesn’t nearly convey the seriousness), and malware hitting the major news outlets (with often crappy reporting). There is evidence that all aspects of our information society are deeply penetrated and fallible. Not that the world is coming to an end, but we can’t pretend we don’t have problems.

This combination of buying cycles, threat innovation, growing general awareness, and product and practice innovation creates what may be the most interesting time in history to work in security. We’ve never before had such a high profile, faced such daunting challenges, and seen such open opportunities. Merely building on what we’ve done before doesn’t have a chance of restoring the risk balance, and there’s never been better motivation for big financials, the government, and big manufacturing (you know, the guys with all the money) to invest in new approaches. I’d call it a “Perfect Storm” if that phrase wasn’t banned by the Securosis Guide of Crappy Phrases, Marketing Hyperbole, and Silly, Meaningless Words (after “holistic” and before “synergy”).

Frankly, we don’t have any choice but to innovate. When market forces like this align, the outcome is inevitable.

Tim Mather referred to the National Cyber Leap Year, a program by the government to engage industry and push for game-changing security advancements. Not that the Leap Year program itself will necessarily succeed, but there is clear recognition that innovation is essential to our survival. We can’t keep layering the same old crap onto hot newness and expect a good result.

Those of you who hate change are going to be seriously unhappy. Those who revel in challenges are in for a wild ride.

The good news is there’s no way we can lose – it isn’t like society will let itself break down completely and go all Road Warrior. Especially since Mel turned into an anti-Semitic whack job.

(Image courtesy www.pdrater.com).