Time to come clean about the state of our security

There's talk that corporate security is now so ineffective that breaches are inevitable and the focus must therefore switch to detecting, containing and responding to intrusions, rather than aiming to prevent them in the first place. Information Week is the latest to report on this "notable change in information security rhetoric". They report that "instead of preventing all attacks from succeeding, many CIOs now acknowledge that getting hacked is a question of when, not if".

It's a remarkable and damning admission. I can see the problem: the threats are getting smarter and our security is not. But how do you explain this to an executive board? And how would you expect them to react? "Off with your head" would be a likely response. Given the amount of money spent on security policies, administrators, technology, reviews and audits, executive boards would be entitled to assume that their security professionals are on top of the problem.

The problem is that for years we've been telling boards that security is fine, and that it's even "enabling the business". That's a lie and it's time to come clean. The truth is that security is difficult, expensive and full of holes. Passing a Sarbanes-Oxley audit is easy. Keeping foreign intelligence services and organised crime out of your networks is not.

Where do we go from here? Do we now start to admit to customers that their sensitive data is not secure though there's a chance we might catch the culprits? Do we tell shareholders that we're producing lots of valuable intellectual capital but it's likely that someone will steal it at some point? I think not. This sort of talk is unacceptable.

We have to fix the problem. Security managers should be sent back to the drawing board. It's not reasonable to have hackers wandering around corporate networks and dipping into databases at will. We have to prevent them getting access to sensitive data and services.

Now that's not to say that we shouldn't have measures to detect and respond to incidents. Such measures have always been part of a defence-in-depth model that has been universally practised for several decades. But what we need to do is change our approach to preventative measures. If the corporate perimeter is getting weaker, then we need to build security around the data and applications. If valuable or sensitive data cannot be protected within the enterprise network, it should be removed.

The fact is that information security as it's been practised for decades doesn't work in today's higher-risk environment. Security managers should stop congratulating themselves and cease reassuring citizens, customers and investors that everything is fine and dandy.

Six security forecasts for 2012

My crystal ball tells me that 2012 is a relatively predictable year. That's largely because we've experienced significant changes in the political, business and security landscapes, changes that are sufficient to inspire some form of predictable short-term action. Amongst other things it means some interesting action items will percolate up the management agenda. Here are my top six predictions for 2012.

Space weather creates concern

Even if you're cynical about the forecasts of widespread electrical disruption, it's certainly worth dusting down the contingency plans and filling up the generators. At the very least, increased solar activity will probably cause a few minor annoyances to GPS users. The larger concern, however, is that it might take out mobile communications, power supplies or perhaps anything with a GPS chip. Not quite Y2K in impact, but longer, less predictable and much less researched and publicised.

Social networks get secure

Why have we been waiting so long to deploy a solution to insecure social networks when it's not that difficult to achieve? The answer is our lack of imagination. This will change in 2012 as easy-to-use products emerge to secure Facebook and Twitter communications, just in time for a springtime wave of citizen uprisings. I'm already playing with an alpha version.

Big data is the new black

Yes, we've all known about the information explosion for decades, arguably for centuries. The problem is that no one has done much about it. But big data is now becoming interesting, both as a challenge to existing security processes and as an opportunity for data mining and fusion. It's a timely catalyst for change, as the real future of security lies more with smart information exploitation than with industrial-age quality management systems. I detect an increasing number of security vendors exploring this area. That's good news for a security community that's lacking in imaginative ideas.

The electronic Pearl Harbour strikes home

I've been forecasting the electronic Pearl Harbour for more than a decade. In 1999 I predicted it would not happen until at least 2006. That analysis was based on technology road-mapping exercises. Last year I forecast it would finally hit home. It didn't, but the integrity of many of our critical services continues to survive on borrowed time. Expect a big catastrophe this year. It's long overdue, and much needed to shake up the current lacklustre order of battle in the cyber security space.

Public clouds fail to hit the spot

Why are public cloud services so reluctant to give security assurances? That's the bit I don't get. You can't make money without talking up your products. There are plenty of liability considerations, of course. But that's precisely why big customers are holding back. If vendors can't deliver cast-iron guarantees then big companies will not buy the services. If any cloud services catch on, they are likely to be private or hybrid implementations. Public clouds might seem like a good idea in theory, but they have a long way to go in practice.

The new global game

For decades we lived in the shadow of a largely invisible cold war dominated by pervasive espionage aimed primarily at military or diplomatic targets. It had little, if any, apparent impact on everyday citizen and business interests. Few of us noticed, or cared, what was going on. Today it's different. The new battleground is our global business infrastructure, and the targets are our trade secrets. It's no longer realistic for governments to turn a blind eye to hostile attacks, or even to attempt to keep the new game under wraps. As exploitation of stolen secrets becomes increasingly visible, we should expect an overt response to any covert attacks. It's time for soft targets to strike back.

Security Forecasts for 2011 - Right or Wrong?

As we near the close of 2011, I find it instructive to look back and see just how accurate my forecasts proved to be. At the start of the year I forecast three major shifts in thinking during 2011.

Firstly, I expected that we would experience a major security incident involving the integrity of critical national infrastructure, perhaps an easy forecast given the discovery of Stuxnet in 2010. Yet surprisingly it didn't happen. 2011 was perhaps a lucky year for CNI managers, but many insecure legacy systems continue to survive on borrowed time.

Secondly, I forecast that emerging security technologies, based on virtualisation and trusted computing, would encourage user organisations to develop non-traditional approaches to securing enterprise infrastructure. Unfortunately, as Bill Gates pointed out, we have a tendency to overestimate what happens in the short term and underestimate what comes to pass in the longer term. Many existing solutions were found wanting in 2011, but innovative alternatives have yet to be adopted.

Thirdly, I predicted that we would finally see some action in response to the growing need to encourage small and medium enterprises to implement security. I'm pleased to say that this forecast was nearer the mark, with the launch of the ISSA-UK 5173 standard, the US Government "Small Biz Cyber Planner" and a host of vendor solutions from the likes of Qualys, Sourcefire and Dell.

I also suggested that 2011 could see the start of a revolution in security thinking, one which would last for most of the next decade, a period that might prove to be a new age of enlightenment for information security. On this one I probably jumped the gun. I still believe this will likely happen, but not until next year, judging by the reaction I get from my lectures to universities and conferences.

No fix in sight for SCADA security

Well done to Shell for drawing public attention to the serious hazards presented by cyber attacks on physical machinery. Unfortunately it's much too late. Today's critical infrastructure is riddled with security vulnerabilities and insecure external connections. SCADA systems have been under attack for more than two decades, many since they were first deployed. Yet security standards remain weak, despite continuous growth in the power and sophistication of both the systems themselves and the threats to them.

Many government and industry authorities think the answer is better awareness and public-private dialogue. Unfortunately, that's far from sufficient. We already have plenty of that. What we're missing is better solutions and incentives. In the case of SCADA security, I expect that all the major players are generally aware of the risks, but the available solutions are inadequate or unpalatable.

Fixing the problem cannot be left to the marketplace. Companies will not willingly rip out insecure platforms, disconnect operational systems or spend a small fortune on higher security solutions. Tougher regulation is the only solution. But there remain two barriers to building an effective stick.

The first is that today's security standards do not guarantee high security. They are based on outdated collections of controls, designed for a business environment that was less connected, less externalised and less threatened. They promote light-touch security management systems rather than strict engineering disciplines.

The second is that few of today's so-called best practices are capable of withstanding a professional attack. Security has become a commodity, based on cut-and-paste policies, commercial off-the-shelf technologies, and testing based on routine platform scans rather than imaginative attacks. We have built a dangerous monoculture of identical defences which has been progressively eroding.

The security community needs to raise the bar rather than embrace low-cost, convenient solutions. No less than a revolution is needed. Compliance is not healthy unless it encourages innovative solutions and enforces effective rather than commonly accepted standards. Unfortunately such thinking is far too radical for most regulators and standards committees.

Small businesses need better security advice

I was concerned to read a recent report of a study by SecurityMetrics, a vendor of merchant data security solutions, which claims that 71% of the merchants who took part were found to store unencrypted payment card data. This is a direct violation of the mandatory Payment Card Industry Data Security Standard (PCI DSS). And it apparently reflects an increase of 8% on last year.

Who is at fault? That's not difficult to pinpoint, given that Visa estimates that its smallest business customers account for 95% of its breaches. Why are small businesses to blame? The answer is that no one has bothered to educate them. Who should have done this? Industry and government are both at fault.

It is well over a year since the Information Commissioner's Office published my research into the availability of security advice for small and medium-sized organisations. It was pretty damning, pointing out that most advice was unsuitable, incomplete or in the wrong place. Amongst other things it pointed to the absence of any advice on PCI DSS on the major educational sites.

The report was widely discussed and presented. Yet little seems to have been done. Where does one look? A quick glance at Get Safe Online turns up a blank on PCI DSS. A pointer from Get Safe Online to a Business Link site results in a server error on the first question. A pointer from Get Safe Online to Microsoft's Small Business Centre contains no mention of PCI DSS. A click to a Symantec guide results in an "access forbidden" message.

So who should take the lead on advice to small companies? Given that the UK Government has such a high-profile investment in cyber security, I think they should start to roll up their sleeves.

Following the rules of the game

Michael Colao's excellent presentation to the ISSA-UK Chapter last week on the legal implications of social networking got me thinking. Not so much about the letter of the law, but more about the consequences of taking it too literally.

Social networking introduces or amplifies many legal hazards. And Michael's vivid presentation of them is enough to put many managers off allowing their troops to have access. But let's face it, there are numerous risks associated with empowering employees and contractors. They can steal from you, sue you and get you into all sorts of trouble. Running a business is certainly not for the faint-hearted.

Legal demands are just one piece of the rich tapestry of employment hazards. And laws are often unclear, contradictory, unreasonable or virtually impossible to implement. To meet Health and Safety requirements to the letter, for example, you probably have to supervise every individual contractor. In practice, it doesn't happen. Otherwise no work would get done.

The real art of compliance is establishing the minimum you can get away with to stop all work grinding to a halt. That's why we employ lawyers. A good one can steer you through the maze of compliance demands. The thing not to do is to attempt to interpret the legislation yourself, at least not without sound experience of the law or the subject area.

We are perhaps fortunate that many entrepreneurs are ignorant, dismissive or foolhardy in their response to business risks and compliance requirements. Thank goodness for that. We'd not progress very far if we followed every single rule to the letter.

Communicating information quickly and efficiently

Information security practitioners have long been poor at developing awareness materials. Partly this is because misguided governance systems focus on legalistic policies and procedures that no one ever reads. (When was the last time you read an instruction manual?) It's also because security professionals are not trained in the art of designing effective communications materials. We need to tackle both of these weaknesses.

Unfortunately, the growing wave of regulatory compliance means that there is little prospect of the governance side being improved, as established security standards are rooted in an outdated, paper-based quality model, designed more for churning out identical widgets than for inspiring people to safeguard intellectual assets.

Progress with the human aspects is likely to show more promise. At least the problem is recognised, though the interventions leave much to be desired. (The UK strategy appears to be to leave everything to a single underfunded web site, Get Safe Online.)

On the bright side, however, more and more academic courses are including human factor considerations. It's a big subject and expertise is thin on the ground. Lessons can however be learnt from other fields. Safety is one. A good place to start is to study the art of designing road signs. The BBC News website has an interesting feature on this, which makes some excellent points.

It also raises the obvious question of why we don't have universally recognised warning signs for information security risks. Now that would be a good idea, though it's unlikely to be taken up by a community that believes that hundreds of pages of policy guidance are the answer.

Postscript:

Many thanks to Andrew Yeomans for pointing out there is an excellent example of the use of warning signs in the SPIDER project by Pete Burnap, Jeremy Hilton and Anas Tawileh.

Another elephant in the Cloud

Experienced professionals don't need Machiavelli to point out that introducing change is difficult, not just from a technical perspective but also from a political or legal one. Outsourcing and off-shoring are especially challenging. Cloud computing is the latest frontier for the ambitious pioneer. And it offers plenty of scope for real or imaginary show-stoppers.

The latest scare is state-sponsored espionage. POLITICO, a US political journal, reports that the Obama administration is engaging in diplomatic talks around the world to put to rest fears in foreign capitals about government authorities gaining access to data held by service providers under the PATRIOT Act.

Some potential customers will be deterred by this risk. Others will be happy to accept government assurances. And many will dismiss the thought as merely a spot of fear, uncertainty and doubt put about by jealous rivals. But how paranoid should we be about the threat of government eavesdropping? The answer is that it's impossible to eliminate the risk.

If you're really concerned about such foreign espionage, you should also be picky about the sourcing of your technology, your employees and the contractors you use. For absolute safety, you might consider avoiding email altogether and perhaps disconnecting your systems from the Internet.

In practice it's easier to ignore the elephant in the room. That approach enables you to take advantage of huge savings from offshore technology, staff and services. Sometimes too much knowledge can be a hindrance to progress.

A small step for the UK Government

Lots of people, even my neighbours and relatives, are asking me what I think about the UK Government's new National Cybersecurity Strategy. It certainly attracted a surprising degree of publicity, which is odd given the limited scale of the investment and the lack of anything remotely controversial or unusual.

Of course any investment in cyber security has to be welcomed, so we have to congratulate the chaps at the Cabinet Office for negotiating their way around the cutbacks. But let's keep this in perspective: £650 million is not an insubstantial amount, but it's a drop in the ocean when spread over four years and shared across several departments.

One might also have expected a little more innovation in how to spend this money. A new strategy is a terrific opportunity to drive through change or create a new paradigm. And existing approaches to security are failing so we need fresh thinking and forward looking solutions.

Yet it's the same ideas that we've seen before: continue with the existing agenda; talk to the private sector; hold a summit; restructure a few organisations. The most innovative idea is to provide expertise to the private sector. This might help with the funding, but it's an approach that was tried and abandoned by many big companies back in the nineties.

Strategies can be excellent vehicles for inspiring a community and focusing its efforts, but this one adopts a bit too much of a scattergun approach. Strategies don't need such detail. I recall hearing one Chairman announce to senior management that the new strategy was that "we're going to be bloody good at running this business".

The real danger, however, is that this strategy is seen as having solved the problem, resulting in complacency or acting as a brake on new ideas and initiatives. A small step forward is not the answer to a problem that demands a great leap forward.

The Future is in fashion

As a regular conference speaker I'm always intrigued by which topics are in fashion and why. A few years ago it was outsourcing and cloud computing. More recently it's been the human factor. Lately it's been the future of security that attracts the most interest. I've given three talks on this subject over the last few weeks. And I'm not the only one speaking on that topic, though I have to admit that I do seem to be rather better informed.

Why should the future of security be fashionable? After all it's been coming for a long time. The answer is because existing approaches are failing. No matter how hard we work the results are inadequate. Process improvement and maturity frameworks are not the answer. They remind me of Samuel Beckett's words: "Go on failing. Go on. Only next time, try to fail better."

So we need new solutions. Unfortunately, however, there is little concrete on offer. I've seen quite a few good analyses of the problem space by analysts, vendors and even partners of Big 4 companies. But I have yet to see anyone articulating a decent vision for the future.

My own views are more radical. I take the view that we must adapt our approach from the current one which is rooted in outdated, industrial age 'process' thinking, towards one based on a real-time, improvisational response, more in keeping with the characteristics of the information age. Our approach to security needs to change considerably: to be more immediate, personal and outwards, and focused on intellectual assets such as reputation, relationships and responsiveness.

Priorities, skills and technology all need to change. Many professionals have only just discovered that process can be as powerful as technology. But manual or scripted solutions are not effective in a dynamic, connected environment. The future of security demands smart use of technology and thoughtful relationship management. Process is an industrial age concept and will eventually be consigned to the scrap heap.

In fact security has always been primarily about gaining maximum visibility and persuading thousands of people to do things they don't even want to consider. In the past we got away with it by simply showing evidence that we'd tried our best. But in the future we will need to achieve real results. To be honest nothing much has really changed. It's simply that our previous inadequate efforts have been found out.

Six myths of risk assessment

I find it surprising that after more than 30 years of experimentation with risk assessment, many security practitioners continue to apply it in such a non-intuitive way. There seem to be some rather widespread misconceptions about the nature of the process. I cringe when I hear experienced professionals suggest that risk assessments must be objective and repeatable. Where on earth did they get that impression? Were they taught this on a course? Or did they read it in a standards document? It's not something that occurs in practice.

This has prompted me to try to debunk some of the myths of risk assessment. Hopefully, by speaking out, I might encourage future practitioners to approach the subject with a more critical eye, rather than merely copying the flawed practices of previous generations. So here is my attempt at nailing six common myths of risk assessment.

1. Risk assessment is objective and repeatable

It is neither. Assessments are made by human beings on incomplete information with varying degrees of knowledge, bias and opinion. Groupthink will distort attempts to even this out through group sessions. Attitudes, priorities and awareness of risks also change over time, as do the threats themselves. So be suspicious of any assessments that appear to be consistent, as this might mask a lack of effort, challenge or review.

2. Security controls should be determined by a risk assessment

Not quite. A consideration of risks helps, but all decisions should be based on the richest set of information available, not just on the output of a risk assessment, which is essentially a highly crude reduction of a complex situation to a handful of sentences and a few numbers plucked out of the air. Risk assessment is a decision support aid, not a decision making tool. It helps you to justify your recommendations.

3. Risk assessments should be focused on assets

This is not recommended. Asset-based risk assessment is the most expensive, long-winded and uncertain method available. There are thousands of assets to consider and most are shared by numerous users. It's a cross between painting the Forth Bridge and nailing jelly to a wall. And it's not the way that business risk management operates. It's far simpler to focus on business processes or areas of responsibility, rather than individual assets.

4. Risk assessment prevents you spending too much money on security

Not in practice. Aside from one or two areas in the military field where ridiculous amounts of money were spent on unnecessary high end solutions (and they always followed a risk assessment), I've never encountered an information system that had too much security. In fact the only area I've seen excessive spending on security is on the risk assessment itself. Good security professionals have a natural instinct on where to spend the money. Non-professionals lack the knowledge to conduct an effective risk assessment.

5. Risk assessment encourages enterprises to implement security

No, it generally operates the other way around. Risk assessment means not having to do security. You just decide that the risk is low and acceptable. This enables organisations to ignore security risks and still pass a compliance audit. Smart companies (like investment banks) can exploit this phenomenon to operate outside prudent limits.

6. We should aspire to build a "risk culture" across our enterprises

Whatever that means it sounds sinister to me. Any culture built on fear is an unhealthy one. Risks are part of the territory of everyday business. Managers should be encouraged to take risks within safe limits set by their management.

Now don't get me wrong. Unlike Donn Parker, I'm not against risk assessment. I take the view that it's unavoidable but can also be extremely valuable, perhaps one of the most powerful management tools available to an organisation. It enables managers to do whatever they like, in most cases with limited personal consequences, as long as they carefully document their decisions. We can all use a tool like that.

What tangled webs we weave

Twenty years ago I drafted a document that was intended to reduce the effort required in information security management. Two decades later it has produced the opposite effect. That document was the first draft of what is now ISO 27002. Inspired by Donn Parker's 'baseline control' concept, it was one of the first professionally compiled collections of established information security controls. And it was the first de jure standard developed and agreed by real business security managers rather than standards enthusiasts.

The standard aimed to remove 90% of the effort in risk assessment by documenting commonly applied controls. Unfortunately it was hijacked by a consultancy community who subsequently reintroduced the need for mandatory risk assessment. It was also intended to be sufficiently broad and deep to minimise the need for any further standards. Yet two decades on, it has inspired a family of dozens of near identical standards and guidelines.

The lesson from this experience is that we should be careful about what we wish for. A successful standard tends to evolve into a licence to print money for consultants, publishers and auditors. The more successful it becomes, the more likely it is to be mandated by regulators and to be policed by an army of trainee auditors.

Worse still, any attempt to replace a variety of competing standards by a single new standard is likely to only add further to the chaos. If there are already too many standards, then the sensible course is to leave well alone, or at least just focus on the bits that are missing.

The Cloud security community has clearly not learned this lesson. It has just released an important new document, Security Guidance for Critical Areas of Focus in Cloud Computing V 3.0. This is a good document, setting out just about everything you need to know about Cloud security. But it will undoubtedly generate a new industry for consultants, auditors, support tools and interpretation guides.

Now don't get me wrong. I like this document. It is a well written guideline and an essential reference document on Cloud security. With a little more introductory text and a few examples it would make a fine book. But that is not its purpose. Its intended role is to serve as a basis for future standards and compliance. The authors see themselves as a "Cloud security standards incubator". So be afraid. It is the portent of more that is coming your way.

If you are a vendor or purchaser of Cloud services this standard will add to your burden. At 176 pages you will have to spend a fair bit of your valuable time just to read and absorb it. If you are a busy manager (and who isn't) you will probably need to hire consultants to assess the implications. And unless you are a patient whizz at cutting and pasting long checklists and creating questionnaires, you will need to invest in a specialist tool to manage your response. You will need to carry out a detailed gap analysis to determine your compliance status. As the document points out: "The path to secure cloud computing is surely a long one".

Of course you might already have ISO 27001 certification but that is not enough, because there are numerous variations in the structure, wording and demands of the new guideline. As I said, it sets out just about everything you need to know about Cloud security. But just about is not enough. You also need to read it in conjunction with lots of other referenced documents.

The bad news for the security community is that Cloud computing is a trigger for generating dozens of new versions of ISO 27001. To paraphrase Eric Morecambe, we will find all the right words but not necessarily in the right order. The Cloud Security Alliance document has advice on everything from risk assessment to business continuity, all the standard stuff we already know about but re-drafted in a new, though not necessarily improved, style.

It could have been different. What we could really use is a guideline that says "Cloud security is just the same as regular security except for these half dozen or so major differences". That would make everyone's life much easier. And the focus would be on the new things we need.

And in truth, there are many new countermeasures included that you won't find in standards such as ISO 27001. That's mainly because of the vintage of the edition rather than the subject area. But some key issues are missing, such as how to go about due diligence for services in BRIC countries, how to enhance personnel security to address the more severe insider threat, and how to go about planning for a major catastrophe, such as a large-scale data breach, rather than a simple business interruption.

Unfortunately, the insight and creativity needed to produce a perfectly formed document is unlikely to be found in a committee of professionals from 120 enterprises that collectively volunteer to develop a 176-page standard. Its production is a marvel in itself. Full marks should go to Paul Simmonds for his sterling work in pulling this ambitious document together. The real challenge, however, will be to turn this impressive body of knowledge into something of practical use to busy security managers.


Security for small businesses


One of my January forecasts for 2011 was that the need to encourage small and medium enterprises to implement security would finally be tackled. Judging by the current amount of activity in this area, I might have actually got this one right.

Earlier in the year the ISSA-UK published ISSA 5173, the world's first SME (SMB if you're in the US) security standard. This was quickly followed by the launch of a more ambitious (though more expensive) scheme by the University of Worcester and the NCC.

More recently the US government has announced the launch of a free, online tool, called the "Small Biz Cyber Planner", which is intended to enable business owners to create a customized cyber security plan.

Throughout the year we've also seen an increasing number of vendors, including Qualys, Dell and Sourcefire, launch security products and services aimed at the SME/SMB market. Some vendors have also published white papers on the subject.

I've also noted increasing numbers of executive round tables and conferences being held to address this issue. I've attended two Computer Weekly events in London and Amsterdam in the last month. There's an event tomorrow at De Montfort University, Leicester.

This is just the start. We can expect to see a lot more advice, standards and products aimed at SME security over the next year, including initiatives on Business Continuity Management. I'll even be bringing out a book on this subject next year.

But don't expect everyone to get it right. Big companies and regulators prefer to wave big sticks to secure their supply chains. Standards bodies believe the answer lies with a rewrite of big company standards. Consultancies prefer to think the answer is an expensive risk management exercise.

The most practical answer is to start from first principles and identify the minimum set of guidance for a small company with a limited budget and no expertise. Hopefully, the market will lead the way with practical products and services. 

Preaching in a security wilderness


Last week I was fortunate to be speaking at Cyprus Infosec 2011. It was a first class event with intelligent speakers, great debates and a smart audience. But yet again I seem to be the only speaker calling for a forward looking approach to security.

Too many of our thought leaders are locked in the past, preaching outdated standards and old-fashioned management systems. These tools might be necessary for compliance but they will not meet emerging security challenges.

The business landscape is changing from one that is relatively static, standardised and synchronised to one that is dynamic, devolved and diversified. Fast-changing threats can't be countered by static policies and paperwork. Internal governance systems can't control external supply chains.

The future demands new approaches to responding to external events. And this in turn requires new skills, better intelligence, and smarter technology. Security managers should leave the paperwork on the shelf for the auditors and start implementing countermeasures that are capable of preventing advanced persistent threats.

We closed the conference with a futurist who pleaded for simplicity and regarded users as stupid. He was wrong on both points. Networks encourage diversity and complexity. We can't and shouldn't hold them back. The answer is to increase the intelligence in our security controls. Stafford Beer pointed this out more than 40 years ago. And it's not users that are stupid but the people who design their systems. Safety experts learned that many decades ago. 

Information Security around the World


I spend a good deal of my time travelling around the world giving lectures and helping companies with consultancy. Last week I was in Amsterdam, the week before in Norway, and tomorrow I'm off to sunny Cyprus.

It's refreshing to interact with security professionals in other regions, as there are marked differences in attitudes, interests and priorities. There are many reasons for this, such as the influence of culture, economic outlook and the level of security maturity.

Local culture influences the level of understanding of human factors, as well as the nature of trust and loyalty. Economic outlook shapes business priorities and budgets. And the level of security maturity, amongst other things, determines the vintage of the available solutions.

Innovation and openness to new ideas also varies tremendously. London, for example, is a classic example of a well-organised information security community paralysed by Groupthink. There is too much socialising and job rotation to allow room for free thinking. I regularly raise eyebrows by challenging existing assumptions. In contrast, new thoughts and solutions are welcomed in continental countries that enjoy debate and tolerate mavericks. Travel further east however, and a herd mentality begins to set in, though for a different set of reasons.

Security technology has always been popular in the US and the Far East, much less so in Europe. Continental Europe prefers to focus on people and processes. The UK is the home of bureaucracy and exports it aggressively. ISO 27000 is popular in Commonwealth countries but is frequently despised outside. Unfortunately, it is beginning to catch on in cultures where staff pay little attention to policies and procedures.

Wherever you go, however, it's compliance that's the primary driver for security. Paperwork has assumed centre stage, as it ticks all the boxes and can be copied and implemented at little cost. In contrast, real security can only be achieved by careful attention to people and thoughtful use of technology. The most important asset for the future, however, is smart improvisation and innovation, and unfortunately that's thin on the ground across all corners of the globe.

Reflections on RSA Europe 2011


This week's RSA conference in London was an unusual blend of predictability and surprise. As usual the networking, programme and event management were first class, which is the main attraction for me.

As expected, there was little new or interesting on show. As usual, the keynote speakers were mainly sponsor executives. But this year the messages and the mood were different. The general theme seemed to be that traditional security solutions are no longer effective.  

The conference started with a masterclass from Art Coviello on how to emerge from a massive data breach smelling of roses. Peppered with quotes like "What doesn't kill you makes you stronger" it was a superb piece of spin, reflecting a carefully constructed crisis response strategy. I even agreed with him that the future demanded greater exploitation of data mining and fusion.

Preceding that was a celebratory film about the cryptographers who invented public key algorithms. They are all heroes now despite the fact that they don't seem to have developed anything significant in the thirty five years since then, or the fact that we still can't get their inventions to work as intended.  

Following that was a good programme of panels and lectures. With six streams, you can only scratch the surface of what was on offer, but there was plenty for everyone.

The best learning point for me was from my own panel session on US and European data protection and encryption laws: the security community needs to engage urgently with the legal profession and the regulators to help promote efficient schemes for data breach reporting. The most impressive new product on display was the Visa CodeSure authentication chip card which ticks all the right boxes. The most useful give-away product was the Qualys spectacle cleaning cloth.

The conference ended on a flat note with a rambling rant from Tim Berners-Lee on what's wrong with e-Commerce and security. Most of it stated the obvious about the poor ergonomics and the lack of standardisation in today's security solutions. Tim clearly has a great vision but he lacks a cunning plan to overcome the obstacles to achieving it.

But we do need a few idealists to counterbalance my rather defeatist view that if security isn't painful then it probably isn't any good. This is not entirely true in theory but it generally turns out to be the case in practice. 

Who influences security?


I was contacted last week by a company that specialises in harnessing influence. They claimed to be working for a top IT security solutions vendor and had identified me as a key "influencer" in the UK. They wanted me to answer a set of questions but refused to say who the client was and offered no references or incentives. Not surprisingly I turned them down - another case of the Cobbler's Children, where the influence peddlers are themselves lacking in influence.

But it set me thinking about who actually sets the agenda for security in today's world. It's an interesting question, because the answers are not immediately obvious. Certainly the influence is not where you might expect it to be.

Analysts such as Gartner and Forrester have our ears, but they operate by repeating back what clients and customers tell them. They are primarily a decision support tool rather than a decision-making one. The same goes for consultants, who are essentially overpriced sounding boards.

Academics could be highly influential but today's crop is short on ideas and prefers to ape the not-so-best practices of industry. Some new university courses are now focusing more on universal business skills, such as how to present a business case, rather than real security competences, such as how to secure an infrastructure.

Regulators are in a perfect position to set the agenda but they cannot be seen to be tilting the playing field, so they usually end up falling back on bland principles and universally agreed standards. You get the occasional exception, such as PCI DSS, but it's generally the result of a standard developed by experts rather than regulators.

Vendors should be setting the scene, but innovative technologists are very much in the minority, and most established firms are run by commercial managers seeking to squeeze every last penny from their cash cows. Meanwhile their PR companies dish out bland press releases which few people read as they are primarily designed to stroke the egos of their masters.

That leaves governments and journalists. The former are a mixed bag of politicians who pursue fame and publicity, supported by civil servants who prefer consensus. The latter are also divided, into loyal scribes who support their sponsors and trouble makers who are looking for a good story.

So it's no surprise to find politicians and bloggers featuring strongly in SYS-CON's list of the "Most Powerful Voices in Security". The top three are Darrell Issa, US Representative for California's 49th congressional district, William Lynn III, Deputy Secretary of Defense, and Bruce Schneier. I made it to 51 on the list, though my friends tell me that's because I have a loud voice that's difficult to shut up.  

Gene Schulz R.I.P.


I was deeply saddened last week to hear about the death of Gene Schulz. If a man is judged by the number of his admirers then Gene was a big man. (More than 730 people have signed the guest book on his personal site.)  But Gene was a big man in every way: a towering personality with a commanding presence, huge warmth and a great intellect.

Gene was an outstanding innovator, teacher and diplomat. His professional career was unsurpassed in its breadth and depth, operating across all sectors and encompassing teaching, research, consultancy, security management and product development. But more than that, he was a wonderful, generous human being. He leaves a gap that cannot be filled and will be sadly missed. Grief is the price we pay for love.

Whither thought leadership in public policy?


Just at the time when the security world desperately needs innovation, imagination and a brave new direction, it appears that the public policy cupboard is well and truly bare.

Every week that goes by demonstrates that our cyber security defences are ineffective. No institution seems to be capable of resisting advanced, persistent threats. This comes as no surprise, considering that we have been rolling out insecure systems and infrastructure for decades. The worrying thing is that we are not doing much to change this, and that the systems that control industrial processes are often the worst of the lot.

If there is any hope for information security, it lies with a more enlightened and much tougher public policy. User organisations have proved incapable of introducing any radical changes, and vendors prefer to supply what their customers ask for, rather than develop new solutions.

Unfortunately, many of our public policy researchers appear to have gone native, preferring to applaud, rather than challenge, existing practices. The latest example of this is the recent report from Chatham House on Cyber Security and the UK's Critical National Infrastructure, which concludes that the answer is better citizen awareness, information sharing and corporate governance led by non-technical, business-savvy folk. Just how citizens or risk management processes can transform a broken infrastructure beats me. And therein lies the problem. Security management today is much more about the art of fudge, backside covering and company politics than about real risk reduction. Nobody wants to practise real security. It's far too difficult, expensive and unpopular. It's much easier to design a new governance process or simply blame the customers.

Future skills to safeguard information security


Back after a longer than usual summer break, this is the fourth and last in a series of commentaries on what's wrong with information security and what needs to be changed. Previous postings have discussed the need for changes in the perception and sponsorship of security, the changes needed in standards and the future solutions needed to safeguard our future interests. This posting discusses the new skills needed to manage the emerging security landscape.

It has taken a few decades to develop, agree and establish mature professional development schemes. Twenty years ago there were no recognised information security qualifications. Now there are dozens. I have a friend with more than fifteen of them. In contrast I have none, though my consultancy day rate is higher - at least for the moment. If this trend continues however I will probably be barred from practising.

Of course having a licence to operate is no bad thing if the qualifications are fit for purpose. The trouble is that the problem space is changing, many of the recognised skills are wrong for the future, and the level of education provided is inadequate. I think we'd all agree that security training needs a substantial boost, at all levels. But it must be based on a good understanding of the competences we need to encourage.

So what's wrong with today's security skills? The biggest problem is that management competences are rooted in industrial age thinking. Paper policies and scripted processes dominate the solution space, and governance systems operate on year-long cycles. Risk assessments and ISO certifications are useful background support tools. But they have progressively assumed centre stage.

Today's challenges demand speed, agility and a capability to influence large numbers of people across networks. We need smarter supply chain leadership and effective, real-time analysis and response systems. We need security managers who understand the psychology of human behaviour, as well as the tricks of the trade of the marketing world.

In a world of increasing reliance on trust in external enterprises we need audits, but they need to change from a 400 question, tick-box checklist to a more qualitative, due diligence process that sets out to gauge the degree of business risk associated with partners that prefer not to operate the same security policies. 

And we need better strategic response and investigation skills. Development of good crisis management skills has been constrained by procedure-bound disaster recovery thinking combined with scripted IT Helpdesk response processes. Smart improvisation and an ability to recognise and preserve the value of intellectual assets are the foundations of effective, modern crisis management. 

We also need superior investigative and forensic analysis skills to limit the damage of persistent, fast-moving attacks. But most importantly we need intelligent security testing and creative vulnerability management. At present we teach people to scan platforms for security flaws, but not how to assess and reduce the potential impact of flaws.

I regularly observe a procession of so-called "ethical hackers" scanning systems for flaws without a sensible consideration of the business impact of their findings. These people are neither ethical nor are they hackers.

Twenty years ago, when reviewing the security of a SCADA system, I would sit down with the engineers and identify the type of attacks that might bring a plant to a dangerous state. Today, a team of testers simply plugs in a scanning engine and generates a list of outstanding patches.

Security testing needs to draw on a good understanding of secure development techniques, an understanding of offensive strategies and a capability for real-time reverse engineering. These skills are thin on the ground.  
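To make the difference between a patch list and an impact assessment concrete, here is an added example (written for this edit, not code from the original post) that takes the same constructed set of scanner findings and ranks them twice: once by raw scanner severity, as a scanning engine would, and once by a business-impact score that weighs what the affected asset is worth, whether it is reachable from outside, whether an integrity or availability flaw on it could put a plant in a dangerous state, and what compensating controls already apply. The asset inventory, the weights and multipliers, the finding identifiers and the sample findings are all assumptions made up for the illustration; in practice they are the output of sitting down with the engineers, as described above.

```python
"""Ranking vulnerability scanner findings by business impact, not just by severity.

Added example (not code from the original post). Assets, findings, weights and
the compensating-control model are all constructed for illustration; a real
exercise would take them from the engineers who run the plant.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    criticality: int       # assumed 1..5 scale: 5 = revenue- or safety-critical
    internet_facing: bool
    safety_related: bool   # e.g. a plant controller whose failure can create a dangerous state


@dataclass(frozen=True)
class Finding:
    id: str                # hypothetical finding identifier, not a real advisory number
    asset: str
    cvss: float            # technical severity as reported by the scanner, 0.0..10.0
    impact: str            # "confidentiality", "integrity" or "availability"


@dataclass(frozen=True)
class Controls:
    """Compensating controls that make a flaw harder to reach or exploit (assumed factors)."""
    segmented: bool = False   # reachable only from a restricted network zone
    monitored: bool = False   # exploitation attempts would be detected quickly


IMPACTS = {"confidentiality", "integrity", "availability"}


def business_impact(f: Finding, asset: Asset, controls: Controls) -> float:
    """Score = severity x asset worth x reachability x safety factor x control reduction.

    For a safety-related asset, integrity and availability flaws count double: a
    wrong setpoint or a frozen controller can endanger the plant, whereas a
    confidentiality leak from the same box does not. Returns a score rounded to
    two decimals (all multipliers are assumed values chosen for the example).
    """
    if f.impact not in IMPACTS:
        raise ValueError(f"unknown impact type {f.impact!r}")
    score = f.cvss * (asset.criticality / 5)
    score *= 1.0 if asset.internet_facing else 0.6      # harder to reach from outside
    if asset.safety_related and f.impact in ("integrity", "availability"):
        score *= 2.0                                    # could put the plant in a dangerous state
    if controls.segmented:
        score *= 0.5
    if controls.monitored:
        score *= 0.8
    return round(score, 2)


def rank_by_severity(findings):
    """What a plain scan report gives you: highest CVSS first."""
    return sorted(findings, key=lambda f: f.cvss, reverse=True)


def rank_by_impact(findings, assets, controls):
    """Findings paired with their business-impact score, highest first."""
    scored = [(f, business_impact(f, assets[f.asset], controls.get(f.asset, Controls())))
              for f in findings]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Constructed sample inventory and scan results.
ASSETS = {
    "web-marketing": Asset("web-marketing", criticality=1, internet_facing=True, safety_related=False),
    "hr-db": Asset("hr-db", criticality=4, internet_facing=False, safety_related=False),
    "plc-boiler": Asset("plc-boiler", criticality=5, internet_facing=False, safety_related=True),
}
CONTROLS = {
    "web-marketing": Controls(monitored=True),
    "hr-db": Controls(segmented=True),
}
FINDINGS = [
    Finding("F-1", "web-marketing", cvss=9.8, impact="confidentiality"),
    Finding("F-2", "plc-boiler", cvss=6.5, impact="integrity"),
    Finding("F-3", "hr-db", cvss=7.5, impact="confidentiality"),
    Finding("F-4", "plc-boiler", cvss=4.3, impact="confidentiality"),
]

if __name__ == "__main__":
    print("By scanner severity:", [f.id for f in rank_by_severity(FINDINGS)])
    print("By business impact:")
    for f, score in rank_by_impact(FINDINGS, ASSETS, CONTROLS):
        print(f"  {f.id} on {f.asset}: cvss {f.cvss}, impact score {score}")
    # What-if: segment the controller network instead of waiting for a patch.
    residual = business_impact(FINDINGS[1], ASSETS["plc-boiler"], Controls(segmented=True))
    print("F-2 after segmenting plc-boiler:", residual)
```

With these assumed inputs the scanner's own ordering puts the internet-facing marketing server first, while the impact ordering puts both controller findings at the top and the marketing server last. The what-if call at the end is the part the post argues testers rarely do: it shows that segmenting the controller network halves the residual impact of F-2, which is a decision an engineer can act on this week, whereas a patch list says nothing about what to do until the vendor ships a fix.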

For all these reasons, I conclude that the competences we possess are inadequate for the emerging challenges we face. Will anyone respond to this need? "Probably not" is the sad answer, as professional development schemes are shaped primarily by the political interests of governments and institutes, the need for organizations to demonstrate a level of competence to regulators, and the revenues generated by training courses. Making the world a safer place is much lower on the agenda. 

About this Entry

This page contains a single entry by David Lacey published on January 18, 2012 10:26 AM.

Six security forecasts for 2012 was the previous entry in this blog.
