I had the opportunity once again this year to attend the Gartner Security & Risk Management Summit, and it always serves as a fascinating barometer of what’s top of mind for information security professionals. I wanted to briefly highlight my list of the top five issues that seemed to resonate during keynotes, sessions and while informally chatting with attendees.
5. Dodd-Frank Act compliance: As I wrote about this week, the Dodd-Frank regulations could be a major new compliance headache for many organizations, especially those that haven’t been paying close attention. A number of the law’s mandates, interestingly enough, may in some cases discourage employees from coming forward to report fraud. What may be more disconcerting is that the government is still in the process of writing the rules that will govern Dodd-Frank corporate compliance, meaning nobody really knows how onerous it will be.
4. Mobile devices & consumerizaton: Ignored for far too long, employee-owned mobile devices have always been a security problem waiting to happen. These smartphones – and now tablets too – have been rife with sensitive corporate data for a long time, but they were either overlooked as a security risk, or seen as too challenging to rein in. Now enterprises are beginning to understand the risk these devices pose, but it remains to be seen whether emerging device management technology, data-access restrictions, user security policy, or all of the above will be the answer. It’s a topic that seemed to leave more than a few infosec pros scratching their heads (if you’re one of them, be sure to check out Marcia Savage’s great feature, IT consumerization drives new security thinking, from the June 2011 edition of Information Security magazine).
3. Cloud computing reality check: The cloud computing hype has been off the charts for a couple years, but for the first time I started to sense more confidence among information security pros. Why? They now understand the vast majority of today’s enterprise cloud computing is Software as a Service, and not the more complex platform or infrastructure variations that surrender a lot more control to third-party providers. That realization buys security teams some time to not only reassess the cloud computing services in use today and ensure they’re secure, but also to develop a more comprehensive cloud computing security policy so when organizations want to double down on more advanced cloud computing technologies, security teams can be willing partners, not obstructionists.
2. APT & wave of attacks: It started with news of the RSA SecurID breach earlier this year, but since then it seems there’s been a surge in high-profile and advanced attacks unlike anything we’ve ever seen, including Sony, Lockheed Martin, Citigroup, Sega, the UK NHS and the U.S. Senate. It’s a who’s who of the most prominent organizations in the world, and yet they’ve been seemingly powerless to protect their most important data. The two most common reactions I heard this week were, “Yeah, that’s scary stuff,” and, “I’m glad it didn’t happen to my organization.” But this is the age of the advanced persistent threat (APT), which means it’s increasingly likely your data is being stolen right now and you have no idea it’s happening. I heard a lot about APT this week, much of it off the record unfortunately, but what can safely be said is that criminal networks are now commonly penetrating organizational defenses and exfiltrating large amounts of data over a long period of time using complex techniques that even veteran infosec experts find stunning. Marketing hype aside, the APT threat is real, and until the U.S. decides to point the finger squarely at the Chinese government as the driving force behind many of these attacks, you’re pretty much on your own.
1. Risk management: What’s the common theme tying all these issues together? For most enterprise security groups, it’s simply not possible to muster the technology, time and resources to fully mitigate each of these risks. I was struck this week at how the compilation of all these issues has reignited interest in the often-ignored, yet crucially important discipline of enterprise risk management, namely figuring out how to determine which specific threats pose the greatest risk to an organization and then using that information to create an organizational risk profile. The difficult reality of being an information security pro is that not all problems can be solved, especially not all at once, and with security budgets unlikely to get a significant boost anytime soon, investing precious resources in the right place has become a make-or-break proposition.
I know many security pros have focused on risk management for a long time, but to hear a number of attendees verbally acknowledge the importance of formalizing their risk management strategies was fascinating and inspiring. It’s been a tough year so far for security, with one big breach, vulnerability or attack after the next, but seeing so many optimistic security pros at Gartner Security Summit 2011 ready to tackle what’s next made me feel very good about the small role we play in helping you do your best.
About the author:
Eric B. Parizo is senior site editor of TechTarget's Security Media Group. His rants can be heard each month on SearchSecurity.com's Security Squad podcast.