Security Forum 2010: Day 1 Keynotes At-A-Glance

Security Forum 2010 is upon us, and the stage has been set. After my welcome remarks this morning, Forrester’s own VP & Principal Analyst Khalid Kark kicked us off with a fantastic keynote: “Maturing The Security Organization.” Next up, Malcolm Harkins, CISO of Intel, spoke about the misperception of risk as “The Most Significant Vulnerability We Face.” After Malcolm, Forrester was happy to welcome a quartet of IBM security experts and customers for a panel discussion on “Smart Security.” Daniel Barriuso, CISO of Credit Suisse, finished up our morning keynotes with a presentation outlining the essential steps to build a “Holistic IT Security Management organization.”

Even though each of these presentations addressed different security challenges, in the end they delivered many common recommendations, for example the need for strong governance and oversight and the ability to objectively identify and assess future risks. There were a few other key points that I want to highlight:

  • It is imperative to spend enough time assessing where you are before you can establish where you need to be. Many CISOs today think they have a firm grasp on where their security organization stands, but in reality not many of them spend nearly enough time measuring and understanding where they stand now. Only once you have done this can you put together a long-term road map for where you want to take your security organization. To help make this point, Daniel Barriuso quoted Confucius: “If I had 8 hours to chop down a tree, I’d spend 6 hours sharpening the axe.”
  • The biggest vulnerability we face today is risk. Any particular risk at any given time is perceived through many different pairs of eyes. Oftentimes this risk is exaggerated or underestimated, which causes people to either overreact or underreact to a given situation. Don’t take a victim’s approach to managing risk. Take the time to educate yourself and others about the different perspectives that define risk, and act accordingly.
  • The threat landscape is changing, and we need to react differently. In the past, hackers were motivated by fame and usually acted alone. Today, cybercriminals are professional and organized. It’s no longer a lone hacker; it’s organized crime, and in some cases even state-sponsored agents. Their motivation is money. Their attacks are sophisticated, targeted and hard to detect. Security professionals need to take a proactive approach to combating this new threat landscape and need to have a plan in place for the unexpected.

These are just three short points from four hours of incredible content and delivery on Day 1 alone of Security Forum 2010.

Tomorrow, we have another packed morning of keynotes from Forrester’s Andy Jaquith and Chenxi Wang and industry speakers Herbert Thompson (Chief Security Strategist, People Security), Dan Geer (Chief Scientist Emeritus, Verdasys), Archie Reed (Chief Technologist, HP Cloud Security), Eran Feigenbaum (Director of Security, Google Apps) and Chris Darby (CEO, In-Q-Tel). Plus we have another six track sessions tomorrow.

Follow us on Twitter (Forr_SR) or search for the Security Forum 2010 hashtag: #SF10


Problems are Soluble. Problems are inevitable

Problems are Soluble. Problems are inevitable - Professor David Deutsch

(Note: the following is mostly based on a talk by Professor David Deutsch on problem avoidance. In most cases I am directly quoting him except for the Cloud Computing bit.)

No amount of precautions can avoid problems that we do not yet foresee. Hence we need an attitude of problem fixing, not just problem "avoidance". An ounce of prevention equals a pound of cure, but that’s only if we know what to "prevent". If you’ve been punched on the nose, then the science of medicine does not consist of teaching you how to avoid punches. If medical science stopped seeking cures and concentrated on prevention only, then it would achieve very little of either.

The traditional Enterprise IT world is buzzing at the moment with plans on how to stop Cloud Computing from entering the workplace. It ought to be buzzing with plans to reduce the security and privacy risks associated with Cloud Computing and to improve data portability and forensic capabilities. And not at all costs, but efficiently and cheaply. Some such plans already exist: host-proof hosting, for example, where data is encrypted on the client side so that the hosting provider only ever holds ciphertext it cannot read.

With problems that we are not aware of yet, the ability to put right - not the sheer good luck of avoiding indefinitely - is our only hope, not just of solving problems, but of making technological progress.