When managing IT security, government infosec pros face unique challenges and unique risks. At the 2011 Gartner Security & Risk Management Summit, SearchSecurity.com Senior Site Editor Eric B. Parizo spoke with two government infosec practitioners about a variety of issues, including risk management strategy, cloud computing security and the consumerization of IT.
Gartner Security Summit attendees on IT security, government issues
Skip Holler: My name is Skip Holler and I'm with the state of Ohio.
Eric Parizo: All right, and what are you hoping to learn here at the 2011 Gartner Security and Risk Management Summit?
Skip Holler: I'm hoping to learn some of the latest techniques and security controls for a variety of domains within IT.
Eric Parizo: Any particular problems you're trying to solve in terms of security, compliance, risk management?
Skip Holler: I'm looking at identity and access management, some issues related to that in the state of Ohio. Looking into that area at the state. Looking at securing identities, so I'm looking for different information related to that.
Eric Parizo: There's a lot of news lately about some pretty serious attacks. Everything from RSA to Sony to defense contractors to the US Senate. More big attacks than we've seen in quite a long time. Is your organization concerned about that?
Skip Holler: I think every organization is concerned about it. I mean, security is an ever-moving target; there are no silver bullets. So what we try to protect today, whatever we use to protect that will change tomorrow. So you have to stay up on the latest and greatest techniques in order to try to combat these threats.
Eric Parizo: Cloud computing security [is] obviously a big topic right now in the industry. Is the state of Ohio using the cloud, and are there any issues in terms of trying to make sure it's used securely?
Skip Holler: Since we are a public entity, cloud computing isn't something we're going to do anytime too soon, since we have citizen information we need to protect and kind of keep close. Especially so that we can share with the citizens information they need whenever they ask for it. So going to a public cloud environment, we're not ready for that yet.
Eric Parizo: Any talk about it, though, in the organization in terms of, 'Gosh, if we go down this road, what are we going to need to think about in terms of cloud security?'
Skip Holler: I would think from a private cloud perspective perhaps, because we want to take advantage of the technology that comes with cloud computing. But going to a public cloud like Google or Amazon, I don't think the state's ready for that yet.
Eric Parizo: Another big topic, consumerization of employees bringing their own devices into the enterprise. Any thoughts on the challenges of maintaining security with that issue?
Skip Holler: Absolutely, we're still trying to find the business need totally for that in state government, but certainly the governor and people in office are wanting their employees to be able to use these tools for the collaborative purposes, not only with each other but also with the citizens of Ohio, so there's going to be some challenges there. We're going to have to start looking at how we're going to secure that.
Eric Parizo: All right Skip, thanks very much.
Skip Holler: You bet.
James: My name is James [inaudible] [03:26] from the Defense Information Systems Agency, better known as DISA.
Eric Parizo: Great, and here at the Gartner Security and Risk Management Show, could you just tell me a little bit about what you're hoping to learn this week?
James: Well I'm here to learn about all the new security products that Gartner may have to offer. I've been to a couple of information sessions so far and they've been very informative. I'm looking to take something back to my agency. What we do is take pilots of new prototypes and we try to get them up and running within an 18-month time frame. So we're looking for something that's fast, efficient and we want to look at it. If it works, if it doesn't work, can it and look for the next one.
Eric Parizo: I imagine your job has to do with working security and so that process must be a pretty big challenge.
James: Yes, because doing that, and having that “18-month time frame” as we're getting that new technology and trying to get it fielded. The security aspect of it is very challenging trying to push that product and get everything, all the nuts and bolts tightened within a short time span.
Eric Parizo: So far what concepts or issues that you've heard talked about at the conference that have stood out for you?
James: Risk management, anything related to security, that's my background. Risk management, all the different types of vulnerabilities we have, all the different types of security things that are going on with the Internet. Yesterday, former secretary Chertoff talked about the Internet and talking about the government going to actually take over the Internet. That wouldn't be a good idea, people still want their own privacy. So it's things like that that my agency. With all the social media now becoming quote unquote mainstream. How do you manage that, giving employees the freedom to go out and network, especially the employees who have family overseas. Having that access creates better morale for the employees, but at the same time you have to manage that from a security perspective.
Eric Parizo: In terms of risk management, what challenges do you encounter when considering how to put a risk management program in place. Many organizations judge risk differently, so I would imagine from your perspective there must be different levels of risk with every project?
James: Yes. Risk management is basically a comfort level. What are you willing to accept, that's the simplest answer of risk management. Like you said, every manager is different. Every agency is different, the government also you have the private sector. With that being said, it's what you're willing to accept. That's a broad answer, but it's actually the best answer I can think of at the moment. We get all different types of risk that come in. And you say there's nothing we can do about that particular risk. We have to accept that risk if we want this particular program, we have to weigh the pros and the cons. There's going to be benefits for the agency, yes there's some risk to it but there's risk to our everyday life. Risk management is actually a part of everyday normal life. But in the IT world, it's very important also.
Eric Parizo: Cloud computing security, a big topic of conversation here this week. Is that becoming an issue for your organization?
James: That's been an issue for my organization since I've been there. Cloud computing has been a major issue within government actually, because DISA, we are the "Internet provider" for the Department of Defense. So with cloud computing, back 15 years ago when we were doing things like consolidating the data centers, in that particular world cloud computing was big then, and it still is. So that issue is probably going to be around for another 15 years or so. With that being said, there's always going to be different ideas, different scopes; what was old before might be new now, what was new now might become old. So it's an evolving life cycle of cloud computing. It changes, and sometimes it's a circle of changes, it goes back to what we did 10 years ago. Hey, this idea, we've done that a long time ago, but it works. It's probably the most inefficient idea that you bring, in the future.
Eric Parizo: James, thanks so much for your time.
James: Thank you. I appreciate it.