I’m back from a good first day at the Gartner IT Security Summit being held in London. Two of the sessions I attended were particularly good.
Firstly, there was Richard Hunter of Gartner who presented on “IT Risk: Turning Business Threats Into Competitive Advantage.” I’ve seen Richard present before and he’s an excellent, eloquent, well-prepared, and engaging speaker. In fact, I was so impressed I bought his book. The 4A Risk Management Framework that he describes and the importance placed on business continuity make for informative reading, and there’s plenty that can be put into practice.
Secondly, there was a case study session on “The IT Risk Management Framework” from Toni Bekker of Finnish mobile operator TeliaSonera. Toni gave the audience an excellent insight into how he’s gotten business engagement and support for information security programs within his organisation. The advice I particularly liked was about creating trust with senior business managers. “Say what you do – do what you say”, and he went on to describe the importance of bringing risk into the open. “Reporting risk solicits help, not punishment” was the advice that was given.
The day began with a couple of interesting keynotes. The first, from Joanna Rutkowska of InvisibleThings.org, had some good content on how little ability we have to know what bad things are on our networks, and on the impact of “stupid users”, as she put it. Joanna has her own blog here where she echoes much of what she spoke about today.
John Pescatore, who has the grand title of “VP Distinguished Analyst”, spoke on the subject of “Security 3.0.” Most interesting from my perspective was his assertion that data classification doesn’t work. His advice is to use content-aware security and keep better track of where data is flowing. John also reiterated one of the Gartner top 10 predictions for 2007: By the end of 2007, 75 percent of enterprises will be infected with undetected, financially motivated, targeted malware that evaded their traditional perimeter and host defenses. Good food for thought.