So far, I’ve listened to three talks – sadly I wasn’t allowed to attend the keynote given by CESG – and will be returning after lunch (I’m currently camped out in Café Nero regaining some charge on my laptop and iPhone) to hear some more.
Information security isn’t sexy enough…
The first session I attended was called ‘Are organisations prepared?’ and was presented by Ed Hamilton, PwC. If I’m being completely honest, the crux of this presentation – based on old survey data – was much the same as a hundred other sessions I’ve endured in the past. The audience discussion it provoked, however, made my attendance worthwhile.
Hamilton advised the audience to use the words ‘cyber security’ when talking to the board rather than ‘information security’. He implied that many experienced information security professionals are too “old school” to embrace this term, instead trapped by the old-fashioned title information security professional.
Ed Hamilton sure knows how to pick his audience. Unsurprisingly, in a room full of information security professionals (again, unsurprising given the conference is run by the Institute of Information Security Professionals, IISP), the backlash he received on this comment was significant.
While the majority of the audience were keen to argue (and support the argument) that the title was largely irrelevant, and that using a “sexy term like cyber” doesn’t change their focus or the problems, there was also an acknowledgment from one member of the audience that “the word cyber does have traction. I was able to get a larger budget because I threw that word around. You may feel like you’re selling your soul, but it has traction”.
“Cyber security works at the board level. Information security does not. Talk about cyber security and the board will listen – talk about information security and the board will yawn and turn away”, Hamilton reaffirmed in response to the feedback.
CISOs: The bad and the ugly…
Next up was KPMG’s Stephen Bonner, who engaged the audience throughout with his creative use of slides, by distributing chocolates to anyone who ‘engaged’ in the presentation, and with his (admittedly, surprisingly excellent) use of information security jokes and humour.
His presentation was titled ‘Can CISOs rise to the challenge?’ and his conclusion was simple: Yes, but they’re not at the moment.
Bonner listed a number of CISO traits, mistakes and ideas. Here’s a selection of my favourites:
- “A lot of CISOs think the problem goes away once it’s written into a policy. If it’s on the intranet, it will all be okay, they think.”
- “What’s a rational thing for information security professionals to do? Invest less in information security so that you’re less likely to detect a breach.”
- “There are those CISOs that constantly seek out a silver bullet. They’re just focussed on spending money on stuff.”
- “Is the information security industry a dumping ground? Do people just land here through a sideways step?”
- “Let’s face it, convergence between information and physical security just never happened.”
- “There’s an obsession with China and cyber espionage when we [The UK and the US] are doing worse. China just don’t brag about it in the NY Times”.
- Information security, as an industry, aspires not to be the worst.
- There is currently a war for skilled talent.
“CISOs can rise to the challenge. Those that thrive and succeed in the job are bright and trying to do the right thing. They have more focus and support than ever before – this is our time”, said Bonner. “Unless we change the way we do things, CISOs won’t rise to the challenge. We’re still not learning the lessons we got wrong in the 1980s with operating systems – we’re repeating the same mistakes on mobile devices.”
“We can learn from our mistakes and get better, but we need to do it now”, he concluded.
Thanks to Anonymous…
The final session before lunch questioned whether the current security model is broken. The panel recruited to answer this question was made up of: Adrian Davis, ISF; Ian Bryant, De Montfort University; and Alastair MacWillson, Accenture and IISP chair.
The general consensus in response to this question seemed to be not that we have a broken model, but that we don’t have a model. “There is no consistent world view as an industry. If we don’t have a shared language, how can we learn and share?” questioned Davis.
We have the same problem with standards, confessed Bryant. “If you don’t like one, you can always find another. There are more than 100 organisations working on various information security standards, and every five years we recruit a new chairman and move the goal posts”, he said. “We can’t even agree what we need to protect.”
“No standard will protect you from an advanced targeted attack”, said Davis. “You can’t write a standard against a unique attack. But you can have a framework that will enable you to deal with the consequences.”
The average age of the software development cycle is decreasing, agreed the panellists. Programming is taught for two weeks of a three-year web design course, said Davis. “That’s what we’re up against. These students will be the ones coming into your organisations, and demanding things are done this way. The consumer doesn’t care either – they just want the product.”
Anonymous, Davis said, have done us a favour. “They have raised awareness significantly, and helped get security onto agendas. They have proven that it doesn’t always take an APT or sophisticated techniques to break into people’s businesses.”
In conclusion, Davis told the audience to understand three things:
- You are a target. If you haven’t already been targeted, you will be.
- You will not be able to stop it.
- You need a plan to make your business work even when an attacker is inside your business.