I am just getting back into the swing of things after returning from our Information Security Decisions conference, which was held in Chicago Monday and Tuesday. I’ve always liked this conference more than just about any other on the annual schedule (I even attended it before I worked for TechTarget), mainly because the attendees are all security professionals who deal with the topics we cover every day and it’s a tremendous opportunity to learn from them and see what they’re dealing with at the moment. The speaker lineup was pretty amazing, including Chris Hoff, Dave Dittrich, Joel Snyder, David Litchfield and a dozen others. I also had the privilege of moderating a panel on the future of security that featured Bruce Schneier, Howard Schmidt and Eugene Spafford. As at many conferences, some of the best conversations happen after hours and away from the sessions themselves. Here’s a list of some of the things I learned from those conversations:
- Dave Litchfield is not only one of the top database security experts in the world, he also is an absolute savant when it comes to history. Despite being Scottish, Litchfield knows more about American history than anyone this side of Will Hunting. He quickly settled a barroom disagreement over how many U.S. presidents have been assassinated by not only naming the four unfortunate chief executives, but also the others who had had assassination attempts against them.
- Hoff has more energy than any one man should. In addition to giving a great talk on disruptive technologies in security and running the security show at Unisys, he somehow finds time to write 1,500 words a day on his excellent Rational Security blog.
- The security industry as it stands right now is on the endangered species list. Schneier and Schmidt both said during our panel discussion that a few years down the road, the industry will either be absorbed into the general technology industry and security will be part of the fabric of whatever products we buy (Schneier), or will collapse into a handful of large players (Schmidt).
- The threat of fines for failing to comply with regulations such as HIPAA and PCI DSS is no threat at all. The tiny number and amount of fines levied against violators is not motivating CSOs to comply.
- More and more CSOs and CISOs are moving–either voluntarily or otherwise–out of the IT department and into a variety of other business units, including risk management, legal or compliance.