Is IT Security dead?

If the Gartner IT Security Summit is the best the industry has to offer, then IT Security is dead. I’ve come away from it not merely disappointed, but frustrated. Frustrated that I’ve been sitting through presentations from speakers reciting the same old woe: lots of malware – we know; financially motivated hackers – no shit Sherlock; changing risk environment – yawn. It’s like watching a weather forecast telling you what the weather has been doing. It rained today. Really? And there was me wondering what that cold, wet, miserable stuff falling out the sky was.

And the answer to all these ills? Buy software! Buy hardware! Buy some more over-priced, under-specced rubbish that you’ll never fully implement, never be able to properly integrate into your network because you’ll not bother to send your techies on the training course, and you’ll forget all about it after three months because nobody knows what it’s really doing.

Look in the newspapers: today we read about a camera sold on eBay containing images taken by MI6; yesterday we read about somebody who purchased a VPN device from eBay, switched it on and was automatically connected to a local government network. We’ve had secret documents left on trains, stolen laptops, lost disks, lost memory sticks and so on. What IT security device is going to solve these problems? Answer: none. So why do we keep on putting up with listening to this junk about IT being the solution?

Some people get it. For example, Martin Smith and David Lacey have been pushing out the message for years that awareness and training are the foundations of good security. And it’s cheap. Much cheaper than buying over-hyped and over-priced Data Loss Prevention software, for instance. But I’ll bet you’ll have an easier time getting the DLP spend past the budget committee.

I won't deny that we need to have decent technology, but don’t kid yourself that it solves problems. Putting up an umbrella does not stop the rain. And here’s the real crux of the matter. Seminars such as this Gartner summit are talking to the wrong people. Telling IT Security people that they need to have better security is like showing porn to a sex addict.

There needs to be a business security summit, with not a single techie in the room, where presenters who can do more than draw graphs on PowerPoint and read bullet points off their slides present to an audience of real business influencers and get the right messages across. I’m up for presenting at that one, but who could get the marketing right to draw in the right people?