This week the beautiful city of Paris played host to the 17th annual ISSE Conference, bringing together a raft of security professionals and experts from around the world to discuss, debate and shape the future of digital identity.
“This is the Year of Identity and Security, and ISSE has never been more relevant,” wrote Jon Shamah, chairman of the event organizers EEMA, in his welcome message. “It is no exaggeration to state that digital identity and security in its many meanings has become center stage.”
Over the two days, the concept of digital identity certainly did take center stage. Fascinating discussions on its importance on the internet, and on how ever-increasing identities impact the interconnected relationships they produce, were just a couple of examples of explorations into the topic. There were also engaging presentations on the challenges of the Internet of Things (IoT) and the benefits of machine-based learning technology.
However, with such a busy schedule of great speakers there were also several other thought-provoking discussions on some timely subjects, and here are some of our highlights from a brilliant couple of days in Paris.
Challenges of the Security Team
First up was a great presentation from Adobe’s senior manager, secure software engineering, Mohit Kalra, who outlined the hurdles security teams face as they attempt to keep pace with progressive workloads and cyber-threats, highlighting the following challenges as key:
• Scaling security work in a small team
• Growing and diverse company product portfolios
• Business critical products versus legacy applications
Conversely, Kalra also put forward the three steps he considers crucial to overcoming the above challenges:
• Establish the minimum bar with baseline tasks for every team
• Treat security as a shared responsibility across the organization, and not just the responsibility of the security team
• Set up product teams for security success with their security practices
“Security is about making choices,” he said. “You don’t fix everything in security in one day.
“As a security team, the question is who do we engage with the most? Do we engage with everyone and give them equal time? How do we prioritize that time?”
The Silent, Unprecedented Revolution of the IoT
Next we heard from Andreas Ebert, Microsoft’s regional technology officer for Western Europe, on the ‘invisible revolution’ of the IoT.
“The IoT revolution is almost a ‘silent’ revolution, because by and large what is happening is happening underneath; it’s almost invisible for many people because it’s embedded in other things in life.”
Furthermore, what is unprecedented about the revolution of the IoT is its scale, owing largely to the simple fact that the cost of IoT devices continues to drop, making them more accessible for the consumer, he added.
However, the plethora of security risks (including insecure design, disclosure of personal info, update limitations) that follow are issues that must be addressed if we are to reap the benefits (such as identifying threats, better decision making, availability) as the revolution continues to gather pace.
What About Spies?
Taking a slightly less obvious but no less entertaining approach was Dave Birch, director of innovation, Consult Hyperion, who issued a challenge to digital identity experts of the future to aid government spies, stating that whilst it is “easy to make a fake passport”, it’s actually extremely hard to “make a fake Facebook profile” without it being brought into question.
Birch’s argument here was that we now live in a world in which an individual’s credibility is often judged and verified by their digital identity; your social media, LinkedIn account etc., but what about people who have genuine reasons to live with false or fake identities (such as spies and those in the witness protection program)?
“Spies are perfectly legitimate,” he said. “How are you going to build an identity system that allows spies” without revealing their secret?
It’s really, really hard for spies to pretend to be real people, he added, but if you have a quick look at the newspapers, it seems it’s very easy for ordinary people to pretend to be spies!
“If you’re going to come up with a plan (for the future of digital identity) your plan has got to fix both of these problems.”
Data Protection Failures and Enforcement Trends
Lastly, Jacqueline Zoest, barrister at Campbell Miller, reflected on recent high-profile data failures at TalkTalk and Sony Pictures and what enforcement trends teach us about the future of cybersecurity fines.
Data breach monetary punishments are on the up; “they do seem to be increasing,” Zoest said, adding that complimentary audits are playing a more prominent role as a result.
“One of the factors that can be taken into account in terms of whether a fine is to go up or down is behavior. An aggravating factor that would increase the fine is a lack of cooperation between the organization that has had the breach and the ICO – a lack of cooperation could include not submitting voluntary audits, for instance.”
This suggests a greater trend towards better collaboration between the ICO and the organizations it regulates, with the intention of changing behaviors to help all parties get data security right and ultimately avoid hefty fines as a result, she added.
As you can see, plenty to ponder and consider from a very enjoyable event, and I’m already looking forward to ISSE Conference 2017!