Infosecurity Europe 2011 preview: APT, mobile security at fore

From mobile security to advanced persistent threats and infosec budgets, keynotes at this year's Infosecurity Europe conference will address some of the most pressing issues in IT security.

The UK’s biggest information security event, Infosecurity Europe 2011, is expected to attract 12,500 attendees, and to host nearly 300 exhibitors.

Combining an exhibition with keynote speeches, debates and technical workshops over a three-day period, the conference aims to attract everyone with an interest in information security – from the small company with just a single server to protect, to the global multinational.

Infosecurity Europe 2011 keynotes
The main keynote sessions will tackle some of the most important areas of security today.

  • Mobile security – Nigel Stanley, security practice leader at Bloor Research Ltd., will lead a discussion on the rising threat to mobile security, especially on smartphones.

    “Attitudes to mobile security reflect those held 20 years ago toward the humble PC,” Stanley said. “Back then, attacks were minimal, antimalware was yet to become established and hacking was in its infancy. Now, we are in a maelstrom of attacks against the PC, using sophistication and scale we previously thought impossible. The smartphone is next on the list.”


  • User awareness – Often ignored in the quest to find technical solutions for security threats, users can be the single biggest weakness in a company’s defences. And yet, good user awareness programmes can be not only extremely effective, but often delivered at little-to-no cost. Leading the session on user awareness, Martyn Styles, information security team leader at law firm Allen & Overy LLP, will share the details of his own highly effective awareness programme. “Given basic training, most employees will reward you with years of vigilance and timely responses to security,” Styles said.


  • Budgeting for security – “How do you know when to stop spending on security?” This question will be discussed at a keynote led by Andrew Rose, global IT risk manager at law firm Clifford Chance LLP. In other words, how do you know when you are secure enough, and how can you avoid turning security funding into a bottomless pit?

    “Risk can be mitigated but never eradicated completely. It is possible to make a massive investment in security technology, process and resources and still suffer an incident,” Rose said.

    The discussion will focus on gearing the company’s security according to its appetite for risk. “Documenting the risk appetite and building the risk management process around it can be hugely valuable to an information security team,” Rose said. “Such an activity drives a greater level of participation from business staff and ensures information security no longer remains just an IT issue.”

    By establishing a baseline of recognised threats, defined risk appetite and audit capability, security professionals can understand the developing risk profile within their firm and target their efforts, resources and money to support the business.


  • Advanced Persistent Threats – Organised cybercrime is well-funded and has the resources and time to infiltrate an unwary target to great depth. Professor John Walker of Nottingham Trent University leads a discussion to assess how seriously we should take these new advanced threats, and how we should review our defences against them.

    According to Walker, organisations leave themselves open to attack through an over-reliance on fancy security management dashboards. “Some corporations have come to rely on high-level management reporting that doesn’t reflect the reality,” he said. “Some CISOs have become too focused on governance and compliance, and don’t understand the technologies that underpin them. There can be a disjoint between the technologists in some companies, and people handling governance and compliance, and this can create a false sense of security.”

    He said some companies have already recognised the problem and are restructuring their management to ensure a closer link between the technical aspects of security and compliance, and are working to eradicate a tick-box approach to governance. “Security has to move away merely from the comfort zone of dashboard reporting,” Walker said. “It has to plug into the technical components below that to give a true picture of where you are.”
