Security Forum 2010: Day 2 Keynotes-At-A-Glance

Last week, I wrote a blog post summarizing the Day 1 opening keynotes at Forrester’s Security Forum.  This week, I’d like to recap the Day 2 opening keynotes. The second or last day at any event is always a challenge; attendees are always tempted to leave early or to stay in their hotel rooms to get some work done or if the event is in Vegas, squeeze in some craps (my favorite) or drop a few coins in a nearby slot. Luckily, we held the event in Boston and the lobsters have nowhere to run, so most attendees were happy to stick around until the end of the day. Not only did we have great attendance on Day 2, but there was a palpable buzz in the air. The audience asked tough questions and no one was spared — Forrester analysts, industry guest speakers, and vendors. While the main topic of Day 1 seemed to focus on risk and overall strategy, governance, and oversight, Day 2 focused on coming up with the specifics — the specific plans, the specific policies. As Andrew Jaquith stated in his keynote, to provide better data security, “you don’t need more widgets, what you need is a plan.”

Below are some of the highlights from the Day 2 keynotes: 

  • Andrew Jaquith discussed his suggested approach to controlling information. There is no silver bullet when it comes to controlling information. It is a complex issue that requires a complex solution, and as we struggle to implement the next security “widget,” our information piles up and makes our task that much larger. It’s quite the vicious cycle. Andrew attempted to simplify the solution by breaking it up into four categories: Oversight, People, Process, and Technology. He extracted keys to success for each category and presented us with pervasive immediate recommendations. If you missed this keynote, be sure to take a look at Forrester’s Security Maturity Model for more information.
  • Chenxi Wang asked her panelists the tough questions about security and the cloud. She directed the discussion to focus not if security is possible, but how security professionals can enable their organization to take advantage of this new frontier. “Cloud security” sounds like an oxymoron, but if you are able to accurately evaluate and assess your company’s environment while taking into account some of the standards out there like SaaS70, NIST, etc., the cloud can become secure enough for your company. In fact, Eran Feigenbaum, Director of Security for Google Apps, threw out a challenge to the audience — given the state of enterprise security today, are you sure that the security offered by major cloud providers is not better than what you can offer internally? Eran and Archie Reed, Chief Technologist, HP Cloud Security, also had a lively debate about whether internal, private clouds were in fact clouds. Chenxi also urged the audience to become involved in the cloud security discussion. Cloud security standards are in their infancy; it is important for you to join a community, such as Cloud Security Alliance, and make your voice heard.
  • Andrew Jaquith hosted a panel on how we should look forward to being attacked. Andy was joined by Hugh Thompson, Chief Security Strategist, People Security, and Dan Geer, Sc.D., Chief Scientist Emeritus, Verdasys. Contrary to popular belief, we don’t want to get to a point of zero attacks, because it becomes impossible to disambiguate between whether your company is actually secure of if you’re just lucky. Unless you have something to calibrate with, then you’re left guessing. We have to accept the inevitability of attack and focus our attention not on prevention, but how we can recover faster.
  • Chris Darby (CEO In-Q-Tel) asked the audience to think not in terms of money, but national security. In today’s political reality, there are highly skilled cyber-terrorists motivated by terrorism, not money, and private businesses need to prepare against them. We as security professionals need to prepare our businesses from being facilitators in any such attacks. Chris challenged the audience to not say “no,” but look to what we can do and how we can improve and make it even more secure.

While Forrester’s 2010 Security Forum was a major success this year, I’m already looking forward to next year!

And, as always, if you attended the event or weren’t able to make it this year, we are interested in what you have to say, so please leave your comments.