And the answer to all these ills? Buy software! Buy hardware! Buy some more over-priced, under-specced rubbish that you'll never fully implement, never be able to properly integrate into your network because you'll not bother to send your techies on the training course, and you'll forget all about it after three months because nobody knows what it's really doing.
Look in the newspapers: today we read about a camera sold on eBay containing images taken by MI6; yesterday we read about somebody who purchased a VPN device from eBay, switched it on and was automatically connected to a local government network. We've had secret documents left on trains, stolen laptops, lost disks, lost memory sticks and so on. What IT security device is going to solve these problems? Answer: none. So why do we keep on putting up with listening to this junk about IT being the solution?
Some people get it. For example, Martin Smith and David Lacey have been pushing out the message for years that awareness and training are the foundations of good security. And it's cheap. Much cheaper than buying over-hyped and over-priced Data Loss Prevention software, for instance. But I'll bet you'll have an easier time getting the DLP spend past the budget committee.
I won't deny that we need to have decent technology, but don't kid yourself that it solves problems. Putting up an umbrella does not stop the rain. And here's the real crux of the matter. Seminars such as this Gartner summit are talking to the wrong people. Telling IT security people that they need to have better security is like showing porn to a sex addict.
There needs to be a business security summit, with not a single techie in the room, where presenters who can do more than draw graphs on PowerPoint and read bullet points off their slides present to an audience of real business influencers and get the right messages across. I'm up for presenting at that one but who could get the marketing right to draw in the right people?


It often surprises me how many businesses also completely miss the point. Basics like using role-based access control and disabling old employees' accounts are forgotten, and instead time is spent investigating so-called incidents reported by kit that never got configured correctly and therefore is about as much use as a chocolate teapot.
Basically, this means low-tech but very common breaches of security happen daily with no intervention.
The happy mixture of over-reliance on out-of-the-box kit and the epidemic of 'I paid £xxxx for this kit and I still got infected/compromised etc. - I want answers from the kit's vendor' causes even more problems; when something noticeable does happen (that old web box with an ancient un-patched version of PHP gets compromised) you find people i) blame everyone else (outsource the kit, outsource the problem mentality) and ii) are in such a mess that they don't actually respond to the incident.
More and more I think the problem is all to do with people being accountable, and sensible. Accountability is a dirty word in IT, especially security, but I don't think IT is 100% to blame. No room exists for 'problems', so IT spends too much money on bad kit that doesn't help and forgets the basics because they are scared about what will happen to them when these 'problems' strike.
For me, security needs a major shake-up as so many people are getting it wrong. Build from the bottom (physical security, RBAC, AUPs, user training) up, not from an un-trained IDS/IPS down! Also, people need educating about 'problems' in IT, and that the sooner we accept they will happen the sooner we can respond to these incidents effectively and, very importantly, learn from them. This will allow people to become accountable without putting their heads on the chopping block every 5 seconds.