ISSE 2009: We need an active security community

At the ISSE 2009 conference in The Hague on Tuesday 6 October, Purser outlined four strategic objectives for information security for the coming years.

The highest priority is to create an active security community. He said it is obvious that a security community is needed, but that so far, the industry has not managed to get it right: “we’ve set the bar too low”.

Security awareness is not enough on its own; the industry must contribute ideas and actions with the security community, Purser told the ISSE 2009 audience in the opening plenary welcome address.

He also called for a greater push on education on information security, saying that Luxembourg is already implementing information security into school curricula, and that more and more universities around the world are now offering courses on information security.

Common sense among end users would also not go amiss. The ENISA representative used the example of someone phoning you at home and demanding a range of sensitive information: most people would be wary of giving sensitive information away. The same applies if someone approaches you on the street. Yet, online, people seem to be more than willing to give away sensitive information about themselves.

People need to learn to behave in the e-world as they do in the ‘real’ world, he concluded.

The second strategic objective is to focus on the public sector.

Purser said the public need a secure infrastructure and end-to-end security. Each possible weak point in communications / information exchange must be made as secure as possible.

However, security software is not enough on its own; a holistic approach is needed. Security software implementation is often based on an initial risk assessment, but risks evolve, and so the initial security software can become outdated, or simply not fit with a changing risk environment.

If the public sector does not take a holistic approach to information security, “it is like locking your door, but leaving the windows open”, Purser said.

The third strategic objective for ENISA encompasses the terms identity, trust and privacy.

People have to deal with several identities for banks, social services, emails etc., and this list is growing. So how do people protect their identity?

When it comes to ‘trust’, Purser warned that no one knows exactly what ‘trust’ means. There are as many answers to that question as there are people out there, he suggested.

This led him on to privacy, which is seeing a whole new risk profile as people are sharing more and more private information around the net.

Finally, Purser outlined the fourth strategic ENISA objective for the future of information security: economic security.

The security industry is often focused on risk, but the risk must be weighed against opportunity.

For example, if a country issues certain information security policies, it is important that these do not put organisations in that country at a competitive disadvantage against companies from other countries.

There is also a changing business environment where business structures are changing – through downsizing, mergers and acquisitions, or organic growth – and security policies and security software must be able to deal with these effectively.

Security software needs “flexibility and scalability”, ENISA’s Purser concluded.
