But, he said, "the good news is that RSA already has a robust software security approach. It's being run by Eric Baize, and he's doing a great job."
Gula and others say the industry is moving in the right direction, through compliance with regulatory regimes like SOX (Sarbanes-Oxley Act) and PCI DSS (Payment Card Industry Data Security Standard) that "require least use of privilege, no admin accounts, etc. -- these are directed against insiders. Also, there is a move by many organizations with cloud assets to have centralized authentication, such as single sign-on, which is also a large deterrent and form of detection of insiders," he said.
But they also offered a few additional suggestions for what Yoran said should be the goal -- a new "Age of Enlightenment" in security.
Chuvakin said that good visibility should be supported by "effective security incident planning."
According to Sudhakar, organizations should be using "behavioral analytics and machine learning to uncover hidden threats and vulnerabilities."
He added that since IT security people are hard to find and retain, organizations should "automate to the maximum degree possible so that you can do more with less. Automation can also change the internal dynamic, as IT security staff can become threat hunters instead of being the hunted."
Kraus also said planning is important. In war, he said, "does the U.S. simply give soldiers guns and point them to the battlefield? Or, is it more likely that they train their soldiers and appoint leaders to drive the battle to a successful outcome?"
Overall, as tough as the message was, it was welcome. Yoran said this week that while he had been uncertain about what the response to his keynote would be, "I was actually a bit surprised by seemingly unanimous support from colleagues and even competitors. Many people have come up to me or tweeted since that I said what needed to be said, and that they hoped that the speech served as a catalyst for necessary and significant change in the industry's mindset."