While RSA 2014 is barely out of the gate, there's already a ton of buzz about the opening presentations from RSA executive chairman Art Coviello and Scott Charney, corporate vice president for Microsoft's Trustworthy Computing group. Their messages covered a lot of ground -- namely the NSA and government surveillance, why their companies aren't complicit and what needs to be done about the growing chaos across the Internet.
The takeaway -- that I heard, at least -- is that we need to do things differently. Lots of ideas were recommended by Coviello and Charney, but I tend to have a different outlook on what we can do. It involves looking backward and fixing what we haven't yet mastered. Observing the breach databases and annual studies from recent years and the ones already released in 2014, one thing is certain: We keep making the same security mistakes.
Here's what every individual, and collectively every business and government entity, can do to put first things first and address the information security challenges that keep cropping up:
- Stop ignoring the obvious. Most users know what their responsibilities are, yet they're not held accountable. The silly, ridiculous and inexcusable low-hanging fruit that's on every network (even those supposedly super-resilient federal government networks) needs to be found and eliminated.
- Address the technical and the political issues behind these repetitive failures. Executives need to get their heads out of the sand and realize the gravity of not reacting to the dangerous realities of the information security landscape. IT pros need to learn how to better communicate with management to get their messages across and gain credibility with those in charge.
We have to fix the fixable. Every business has security problems. Management knows what they are and so does IT. Yet, as an industry, we're not seeing a lot of progress.
Be it 2004 or 2014, nothing's really all that new with security. Sure, the business dynamics, the technologies and the complexity of the associated information systems have evolved over the years. But I just don't see that evolution in how we handle security. Why do we keep ignoring the proven solutions? Maybe I'll find out later in the conference.
About the author:
Kevin Beaver is an information security consultant, expert witness, author and professional speaker with Atlanta-based Principle Logic LLC. With more than 25 years of experience in the industry, Beaver specializes in performing independent IT security vulnerability assessments of network systems and applications. He has authored or co-authored 11 books on information security, including the best-selling Hacking for Dummies as well as Implementation Strategies for Fulfilling and Maintaining IT Compliance. In addition, he's the creator of the Security on Wheels information security audio books and blog, which provide security learning for IT professionals on the go. You can reach Kevin through his website, www.principlelogic.com, follow him on Twitter at @kevinbeaver, and connect with him on LinkedIn.