April 2011 Archives

The Three Faces of Information Security

3 Comments | No TrackBacks

Last week's sessions at Infosecurity Europe reminded me of the difference between compliance and real security. They are quite distinct objectives. They are in fact two of the three faces of information security.

Compliance is where most of the current action lies. It dominates the work of the internal security function and justifies the budget for security. Compliance spending is incontestable and repeatable. It sails through investment appraisal processes even when capital spending is pulled. Unfortunately, it's all based on collections of ancient practices, with a heavy emphasis on documentation and audits. And if you don't want to pay for security, you simply accept the risk. Your security might be completely ineffective, but your paperwork will gain you full marks.

Business enablement is the side of security that we present to management. The board and the business love you when you tell them that security will enhance your reputation, gain sales, underpin new products and enable new ways of working. It sounds great, but it's no more than wishful thinking. Such a business case would never get past an investment appraisal board, nor would it be a sustainable source of future budget. But it makes you popular with directors and business managers. "This guy talks our language!"

Real security is the side of security that nobody wants to face. It's expensive, difficult and disruptive. It's about managing today's risks, not fixing last year's outstanding audit actions. It's about cancelling dangerous projects, scrapping insecure systems and eliminating bad practices. It's concerned with tackling advanced persistent threats and insecure SCADA systems that no one wishes to acknowledge. It means taking critical intellectual assets off the network, and telling your project managers to go back to the drawing board. It makes you unpopular, and potentially unemployable.

And this is why most organizations are sleepwalking into a future crisis.

Reflections on Infosecurity Europe 2011

No Comments | No TrackBacks

This week's Infosecurity Europe seemed quieter than usual. It was no surprise of course as it bordered on the Easter holiday. But it was a good event, made enjoyable and interesting by a well-designed exhibition hall and the presence of many top CISOs and security personalities. It's an event that relies far too much, however, on legacy experience rather than innovation. That's not really good enough. In today's fast-moving environment, we should be aiming to stretch the boundaries, rather than repeat well-worn debates.

Certainly the education programme could have been more imaginative. It did not really live up to the theme of "foresight". The acoustics in many of the theatres should also have been much better. But such is the power of the brand and the appeal of the subject area that it was well sponsored and well attended. You could, in fact, learn a lot simply by talking to the people on the stands or in the surrounding avenues and alleyways. As with many exhibitions, the really useful information lurks behind the scenes, rather than being on show. You have to speak to the exhibitors, not just pick up the leaflets and free gifts.

The most worrying trend was the lack of new solutions. Most products or techniques on display were simply variants of long-standing practices. I saw little that was new. It was good, however, to see a greater emphasis on cloud security issues, though much of the debate centred on compliance, rather than security. (See my next posting for a debate on that subject.) Next year should be better, given the range of new technologies that I know are under development.

The most pleasing trend was the emergence of solutions aimed at small companies. For years the needs of SMEs have been ignored by vendors. Finally we are seeing products that are cheap and easy to use. Qualys has been a pioneer in this space, justifiably picking up the Best SME Security Solution at the SC Awards. This week Sourcefire also announced a lower-cost version of their IPS product with a simpler user interface. These companies are smart, as this is a rapidly growing market that has been ignored for far too long.

Qualys has to take the rosette for the best exhibition stand, with plenty of space, expert advice and generous quantities of beer available. Everything was on show, including slick product demonstrations, as well as the opportunity to meet Philippe Courtot, award-winning CEO of the year. Outside the arena, the Portcullis Arms takes the biscuit for continuing to maintain a consistently high standard for networking and entertainment.

Infosecurity will continue to survive as an established institution. But like all such networks it needs to aim to stay ahead of the herd, rather than following in its wake.

What keeps you awake at night?

1 Comment | No TrackBacks

I had an email from Charles Pask yesterday, asking me for my opinion on "What keeps CISOs awake at night?" It's a good question. I thought for a bit and decided that "advanced persistent threat" was the most dangerous threat I could imagine. I was wrong. CISOs are more concerned with personal, immediate and certain problems such as building teams and running projects.

This illustrates two things. Firstly, human behaviour is mainly influenced by things that are personal, immediate and certain. (See my book Managing the Human Factor in Information Security for more on this point.) Secondly, it confirms the first of my laws of information security: the purpose of an information security programme is to cover the backside of the CISO, rather than prevent incidents.

Perhaps the question should have been "What should keep CISOs awake at night?"
