ISSE 2009: We need an active security community

06 October 2009

An active security community is needed to meet the challenges of information security, said Steve Purser, head of ENISA's technical competency department.

At the ISSE 2009 conference in The Hague on Tuesday 6 October, Purser outlined four strategic objectives for information security for the coming years.

The highest priority is to create an active security community. He said it is obvious that a security community is needed, but that so far the industry has not managed to get it right: “we’ve set the bar too low”.

Security awareness is not enough on its own; the industry must contribute ideas and actions to the security community, Purser told the ISSE 2009 audience in the opening plenary welcome address.

He also called for a greater push on information security education, saying that Luxembourg is already adding information security to school curricula and that more and more universities around the world now offer courses on information security.

Common sense among end users would also not go amiss. The ENISA representative gave the example of someone phoning you at home and demanding a range of sensitive information: most people would be wary of giving it away. The same applies if someone approaches you on the street. Yet online, people seem more than willing to give away sensitive information about themselves.

People need to learn to behave in the e-world as they do in the ‘real’ world, he concluded.

The second strategic objective is to focus on the public sector.

Purser said the public needs a secure infrastructure and end-to-end security. Each possible weak point in communications and information exchange must be made as secure as possible.

However, security software is not enough on its own; a holistic approach is needed. Security software deployments are often based on an initial risk assessment, but risks evolve, so the initial software can become outdated or simply no longer fit a changed risk environment.

If the public sector does not take a holistic approach to information security, “it is like locking your door but leaving the windows open”, Purser said.

The third strategic objective for ENISA encompasses three terms: identity, trust and privacy.

People have to manage several identities, for banks, social services, email and so on, and the list is growing. So how do people protect their identity?

When it comes to ‘trust’, Purser warned that no one knows exactly what ‘trust’ means; there are as many answers to that question as there are people, he suggested.

This led him on to privacy, which is acquiring a whole new risk profile as people share more and more private information across the net.

Finally, Purser outlined ENISA's fourth strategic objective for the future of information security: economic security.

The security industry is often focused on risk, but risk must be weighed against opportunity.

For example, if a country issues certain information security policies, it is important that these do not put organisations in that country at a competitive disadvantage against companies from other countries.

Business structures are also changing, through downsizing, mergers and acquisitions, or organic growth, and security policies and security software must be able to cope with this effectively.

Security software needs “flexibility and scalability”, ENISA’s Purser concluded.
