Sex, death and Gartner IT security summits

Today was the opening of the Gartner IT Security Summit 2008 in London. It’s becoming a major event, attended by hundreds of people. And it was certainly an interesting curtain raiser: a mixture of pretentious aspiration coupled with fundamental security basics.

The three introductory keynote sessions were a strange brew. The first one, by Neil MacDonald, a Gartner analyst, was quite surreal. It was probably over the heads of many of the audience. I suspect this, because several people commented to me that they had absolutely no idea of what he was talking about. But it had many good points, including the need to align security architecture with the human immune system. And it’s always a good thing, of course, to stretch people’s perceptions.

Neil’s presentation, in fact, had some great points about architecture, biology and de-perimeterisation, the sort of stuff I was preaching myself around ten years ago. Unfortunately, my early experiments with building real life models of the human immune system showed that this technology is not quite ready for prime time. However the concepts are good. And, as I often say, if you want real survivability, try building sex and death into your systems.

Interestingly, Neil advocated death as a recommended process, so he’s clearly on the right lines. He went on to suggest some very sophisticated ideas for architecture, suggesting CISOs should focus on tomorrow’s problems rather than the routine issues of the day. That’s a good point, but I expect that most executive boards would prefer a more immediate focus on long-standing issues.

Neil also emphasised the need to break down the traditional silos in information security. Unfortunately, he completely failed to mention anything about people or processes. Presumably they’re in a “too difficult or messy” silo. However, his session was followed by a contrasting session by Martin Smith, of the Security Company, and Andrew Strong, of Unilever, who both evangelised the importance of security education.

Martin and Andrew are absolutely right about the need for companies to get to grips with the issue. And they presented some interesting examples, including material designed to address the Generation “Y” community and their virtual worlds. But, unfortunately, their session was light on real content and practical advice. I guess that means you have to buy Martin’s product to get the real stuff.

The third session returned to the surreal, with a discussion of “now and future” issues. This session would have been fascinating if it had been based on a CISO panel from the financial sector. But unfortunately it was a question and answer interview with a business development executive from CA, attempting to gauge the likely response from such organisations to today’s emerging issues.

But, overall, it was a good, mixed bag to set the scene. Not all of it came off, but at least Gartner are including some imaginative ideas and subject matter variety. That’s what people need today. And at least they’re addressing the human dimension, something that seems strangely absent from the agenda for RSA Conference 2009.