Many of you, like me, will be attending Infosecurity Europe in London this week to see what’s new in the IT Security field. With hundreds of stands and dozens of presentations it’s a major challenge to work out how to optimize the opportunities on offer. At the last count there were more than seven hundred security technologies out there. Some of them must be good. But where do you start? For what it’s worth, here’s my view on what to look out for.
Firstly, for those lucky enough to get a ticket to the Jericho Forum Conference, listen out for tips on how to develop a security architecture for a de-perimeterised world. It’s not as straightforward as you might think, and the full technology to implement such a vision is not yet available, but it’s certainly coming. In particular, think about how it affects your choice of protocols, where to place your security controls in the network protocol stack, and how to operate identity management across a more open network environment. When it comes to access control and authentication, don’t think “employees”, think “colleagues”, including contractors, partners and customers.
Secondly, look out for security technologies that will help shine a light on the security events and risks associated with your applications and infrastructure. There is no longer any excuse for saying it’s impossible to know what’s going on. The technology exists. It’s just a matter of finding out what works with your infrastructure and how to make the business case.
Thirdly, watch out for products that will help you “close the loop” on compliance requirements. Legislation and regulation are here to stay, and they are growing. PCI compliance is the big one this year for the retail sector. And there’s more in the pipeline. But policy and standards alone don’t make things happen. You need to check that controls have been implemented and are working. Doing this across a sizeable organization or infrastructure is labour-intensive without adequate tools.
Fourthly, keep an eye out for products that will help you defend against serious attacks, such as professional denial-of-service attacks or thefts of confidential information. Such attacks are generally outside the experience of most organizations. But they are becoming a real, growing threat to anyone with something worth stealing. And by the time you experience such an attack it will be too late to begin working out where to start. So if you have valuable information or services worth attacking, start thinking now about how to raise your game. Because it’s probably only a matter of time before you find yourself in the firing line.
Finally, don’t forget that it’s not just technology that you need. It’s also people and processes. So check out the stands offering professional standards, methodologies, education and training. Security has always been a holistic solution. And this season’s fashion is how to address human vulnerabilities.