Hi there folks. I am home and somewhat rested from my trip to London for the RSA Europe 2008 conference. It was a great trip and i enjoyed the conference. Below is a recap of my first day. This is going to be long, so hang in there :)
Information Security: From Ineffective to Innovative
Arthur W. Coviello, Jr. – Executive Vice President EMC
If I had to compress Mr. Coviello’s talk into a few concise points, they would be the following:
- Concentrating all our information security efforts at the perimeter is an ineffective model in today’s world.
- The data we are tasked with protecting must become central to our thought processes when determining how to protect our enterprises.
- Information security must be business aligned.
Point number 1: Our perimeters have become quite porous. This is by design. As such, customers, partners and others have much more access to internal systems than ever before. This means that perimeter defenses are inadequate in dealing with attacks that are targeted at the data contained in the applications which are published to the world. It’s the old crunchy shell vs. chewy center problem.
Point number 2: As alluded to above, in many cases the data and applications most important to the enterprise are being published to the internet or to trusted third parties in such a manner that perimeter controls are next to useless in protecting them. We must start thinking of ways to protect the data where it sits and ensuring that the applications we publish are developed as securely as possible.
Point number 3: Finally, Mr. Coviello said that information security must become business aligned. We used to be fear driven, i.e. we must protect ourselves from the evil out “there”. That has morphed into our current situation where we are often compliance driven, i.e. regulation x must be complied with therefore we must do y. The next step is to be business driven. We need to understand what the business needs to accomplish, what the keys to the kingdom are, and how to protect them in a manner that is risk appropriate and as unobtrusive to the user as possible.
I agree with all the points he made. It will be a challenge, but we will benefit greatly if we can become an integral part of the business process and start protecting the crown jewels instead of the walls that contain them.
Managing your own Security Career
Chris Batten – Managing Director, Acumin
Mr. Batten offered some insight into how to manage you information security career. His prescription for managing your career is summed up in three statements:
- Know yourself
- Know others
- Do a gap analysis
Know yourself: If you don’t know yourself, i.e. strengths, weaknesses, goals, how can you plot a course to get you to where you want to go.
Know others: If you don’t know what others expect or how they perceive you, how can you navigate the course you have plotted to get to where you want to go.
Do a gap analysis: Once you know yourself, know others and have determined where you want to go, do a gap analysis of where you are now and what the next step is in your chosen course. Notice the next step part.
He mentioned that planning for ten years down the road is probably not the best use of your time. Things change. Another statement he made is the career path should be your career path, not the company’s career path for you. Determine what you want to do and make that happen either.
A Dialogue with ENISA
European Network and Information Security Agency
In this press only event, ENISA presented two white papers, one which has already been published, “Security and Privacy in Massively Multiplayer Online Games“, and “Web 2.0 Security and Privacy” which will be released in the near future. The summaries were both interesting.
I never realized that there was so much real money at stake in the virtual worlds that have been developed in the last few years. Time became short, so we did not have a chance to talk much about the Web 2.0 paper, but a couple points that were raised are that users are going to be faced with more and more behavioural marketing and that the browser is the new OS. Not suprising, but intersesting none the less. I will be reading up on it when it is pubished and will report back then.
While I went to several other talks, these three were the most interesting to me and this is long enough already :) Updates for Days 2 and 3 will be along in the next couple days.