A Day Out at CRESTCon & IISP Congress 2015

Written by

Security conferences in London are not in short supply, with several occurring this week alone. Given this state of affairs, standing out from the crowd is not an easy task – but it’s a challenge that CRESTCon & IISP Congress approached head-on.

Organizer Ian Glover, who I spoke to yesterday while the event was in full swing, certainly believes that his conference offers something different: “This is our sixth year of doing it. Before there were very few technical security conferences – we were trying to fill a bit of a void in terms of providing a platform for technical presentations.”

This targeted approach is borne out of CREST’s status as a non-profit, Glover told me, saying that “if this was a commercial venture then you’d try to hit the lowest common denominator – delivering something that is a bit of a compromise.”

But there was more to this event than pure technology. Due to the partnership with IISP Congress, there were two content tracks designed to “pull the two communities together – the security management people with the technical community. There was a certain element of distrust between those two groups, so anything we can do to try to draw them together is a great opportunity.”

Indeed, the need for greater collaboration between was one of the key themes of many of the speaker sessions I attended – and the mood from the exhibitors in the networking space certainly seemed to reflect that. Educational institutions rubbed shoulders with service providers and product vendors, with some animated discussions resulting.

This event came across like a microcosm of the industry at large, with highly technical experts enjoying deep-dive presentations in the CREST technical stream, and a wider business-oriented focus on offer in the IISP Congress stream. Both delivered a wide range of content, with the business track highlighting some key current debates within the industry.

Mark Hughes of BT, presenting on the ambitious theme of ‘What Does the Future Bring?’ delivered some predictions in the areas of mobility, big data, quantum computing, networks and IoT.

Hughes argued that “Data privacy legislation at the moment is not good enough for big data. This is beginning to run away from lawmakers pretty rapidly. We need a technical platform of dialogue so that any legislation doesn’t become irrelevant as soon as it’s made.”

“Greater visibility will allow us to get a view of real-time risk, but translating to business leaders is going to be a big challenge.”Andrzej Kawalec, HP

A subsequent talk from HP’s Andrzej Kawalec explored ‘specificity’ and the need to deliver more focused and actionable intelligence from the mass of data that companies generate. Communicating this up to the top of the business is a challenge that remains largely unaddressed, he said.

According to Kawalec, companies are failing most to understand “the two most important parts of the value chain,” namely the user and the data generated. There is a pressing need, therefore, to correlate big data against database intelligence.

“Greater visibility will allow us to get a view of real-time risk, but translating to business leaders is going to be a big challenge.” The need to articulate in a way that business leaders can understand is crucial, he said, adding that traditional distinctions between a risk discussion and a straight IT discussion will not suffice.

Over in the CREST stream James Chappell of Digital Shadows was trying to unpick the topic ‘Threat Intelligence – Marketing Hype or Innovation?’ Arguing that cyber-threat intelligence is not a new concept, he added that the current buzz was due to “innovation” within this space.

“We’re getting better at joining our systems up and involving human beings in the process of gaining intelligence,” he said. However, “very few people are using this human-based threat intel in an effective way.”

He added by way of prediction that, “We will see market consolidation and brokerage of data feeds through managed services.” In addition, “Sharing initiatives must become common – but how do you share enough without giving away the crown jewels?”

The afternoon sessions offered another wide array of topics – everything from coding hybrid mobile applications to the finer points of cyber-insurance. A personal favorite was the identity case study session under the IISP stream.

“We will see market consolidation and brokerage of data feeds through managed services”James Chappell, Digital Shadows

This conceptual presentation from Global Identity Foundation CEO Paul Simmonds and Capgemini’s Robert Lapes looked at the concept of barriers – or the “locus of control” – that security operations typically like to operate within.

In the boundaryless world, though, such loci are no longer relevant.  “If you build things too rigid,” said Lapes, “In the new way of thinking they won’t survive.”

In the boundaryless age, authorization, authentication, accountability and operability must take place outside the locus of control – and the way that ecosystems integrate identity is key to their success. But identity, in the modern age, must apply to more than just people. Code, devices, agents and organizations also need identities, and the integration and interplay between these, if successfully managed, will be key to how infrastructure is secured.

As if that wasn’t mind-blowing enough, this presentation also incorporated Hegelian philosophy, quotes from a science-fiction author, Yoda, and ended with sage words of advice the eternal optimist, Bob the Builder: “Can we fix it? yes we can.”

No doubt a successful day then, with each of the 350 attendees taking away something different. And as to Glover’s plans for CRESTCon, he feels it has outgrown this year’s home of the wonderfully historic Royal College of Surgeons.

“We need a bigger venue. I think we could increase attendance by another 50-60% without trying very hard. We are already trying to plan to give this a greater level of innovation. We don’t want it to be the typical conference.”

I look forward to CRESTCon 2016 already.

What’s hot on Infosecurity Magazine?