“Content security is not so much about technology but knowing what it is you want to protect,” said John Colley, CISSP, managing director, (ISC)2 Europe. “Increasingly, organisations must assess what their data is doing—where it sits; to where and how it moves and what it is used for. In other words, they must assess what their users are doing. This will allow organisations to finally get the basics right—establish policies and processes, live by them, understand them, enforce them, and thrive because of them. It begins with business units developing an understanding of what data they use, what data they actually need access to and, with help from the experts, how that needs to be protected.”
One presenter even suggested that much of the technology designed to keep the bad guys at bay, such as monitoring and intrusion detection systems, can be repurposed to track what users are doing. “These can be mapped to build up more business context behind data access...an understanding of what is happening at the endpoint, what devices have certain data and the applications that are there, ” said Leon Ward, senior security engineer, Sourcefire. “We can retrofit our defences to this context.”
Dr. Cheryl Hennell, CISSP, head of IT security and information assurance for Openreach (part of the BT Group) pointed out that information security managers have to decide whether users are the “angels” or the “demons” in their organisation and find ways to push the right buttons. “Business people are what they are” she said. “A business enabling model requires going back to the data owner and working with them. Training, education and awareness are three critical things that we should all be aware of, because if employees don’t know what they should be doing or understand it, they are going to find ways around it.”
Brendon Rizzo, data protection specialist with McAfee, concurred, suggesting that users shouldn’t be regarded as the cause of the problem but rather get the help they need. “Users are the cause of the problem only because they need help” he said, citing McAfee research that found 98% of UK office workers don’t see the protection of corporate data as their responsibility. He also pointed out that the industry today is “not concentrating on the data. Security products don’t actually secure information,” highlighting the need for users to play their role.
The keynote was delivered by Howard Schmidt, president of the Information Security Forum, and recently elected vice-chair of the (ISC)2 Board of Directors. Acknowledging the tough economic times, Schmidt said that “we have not seen a dramatic change in the desire to do security. Organisations are not putting security aside, because security is now part of the cost of day to day business processes. There is recognition that the bad guys aren’t sitting out there and saying that we are going to take a break. “
Looking forward, Schmidt said that a collective voice was demanding software that is secure and that a risk management approach will produce a focus on “reducing vulnerabilities,” rather than “strengthening systems.” In a world that is seeing the proliferation of mobile devices connected to the internet, he explained, vulnerabilities represent ever- increasing risk. “These things are no longer just for making phone calls. Can you imagine having an IP address for your pacemaker? What a great thing to have your doctor warn of a heart attack. Imagine what would happen if it got into the hands of a bad guy ...”