Flew to SF today for the RSA Security Conference where Veracode is launching.

CEO Matt Moynahan was on a panel at the Churchill Club tonight. The title was “It’s a Small, Small, Dangerous World – What Global Business Means for Your Security.” The moderator was not able to keep the panel on track, unfortunately. The discussion was all over the place. The two most unbiased people were Matt (who kept trying to bring the discussion on point) and Josh Levine (ex-CIO/COO at e-Trade and Archivas board member). Some key points:

• Some panelists alluded to conspiracy to hide the fraud losses in the financial sector. Josh strongly disagreed, arguing that the losses are decreasing as a percentage of business transacted online.
• Enterprises have no good way to measure software security risk and so there is no good way to measure security ROI and so there is no good way to tune security investments.
• The bad guys are smarter, faster, richer and have better looking girlfriends (OK, that last piece wasn’t explicitly mentioned). They are running circles around the FBI, which is cybercrime-clueless.
• It’s going to get worse before it gets better.
• It may not get better. Internet 1.0 was a utopia of implicit trust. Getting security right means some hassle for consumers (two- or three-factor authentication) and more cost as all points in the information chain.
• Trust may develop in sub-regions, e.g., a set of e-commerce and banking sites, accessible via a trusted browser, which cannot browse the general internet.

Best quote, from Eugene Kaspersky:

The Internet used to connect people with people. Now it connects people with criminals.