By: Bob Tarzey, Service Director, Quocirca
Published: 24th May 2012
Copyright Quocirca © 2012
Following hot on from the InfoSec Europe trade show at the start of May 2012 was the IT Security Analyst’s forum, organised by Eskenzi PR, brought forward this year to avoid the Olympic events over the summer. As usual, the forum attracted analysts from most of the well-known firms from both Europe and USA.
On day two of the event, vendors and analysts got together for a round table with a group of fifteen chief information security officers (CISO) responsible for ensuring information security in UK enterprises. Hot issues discussed included:
The changing role of the CISO
One organisation said IT was now reporting in to a broader security function, raising the CISO above the CIO. Others were not sure this would be a good approach for their business. One CISO had recently been promoted to CIO, taking security knowledge and expertise to a higher level via another route. In some banks and technology companies the CISO is now a board level position or a direct board level report. All agreed there was growing board interest in IT security, although there was often a mismatch of priorities between the board and CISO.
There was general agreement that focussing on securing data was essential to achieving good overall security, although few CISOs believed they were really in control of their entire organisation’s data.
One CISO said the solution lies in focussing on “red data” which for most organisations is less than 10% of all data (but “which 10%?” asked another). Data loss prevention (DLP) and digital right management (DRM) tools provide insight, but users moan about interruptions to work flow. There is also a cultural shift required to get users to classify data, a necessary part of the overall success.
There was no doubt that user awareness is important, but there was debate how to go about ensuring it. One organisation put posts about IT security issues on the employee expenses portal; “the one place all are bound to visit”. One issue raised is as employees become more aware they are more likely to report incidents, driving up the statistics. The point was also made that training helps with mass market threats but will be less effective when it comes to advance threats. Awareness also requires joined-up thinking in businesses; one CISO noted that has department had been busy raising the awareness of the risk of e-Christmas cards while another part of the business was busy sending them.
Securing the use of mobile devices
Mobile devices were certainly top of mind when it came to information security, but there were doubts about some of the technology. Some CISOs felt that some of approaches to securing iPhones and Android devices in effect turned them into BlackBerry like devices, which took away many of the benefits that users were looking for. Some were creating guest networks for providing visitors to their premises with internet access. It was also pointed out that anti-virus and encryption only work on employer owned devices, but as more and more employees demanded to use their own devices control is lost; there is “no right to wipe, it is a shift in power, we have to make it happen” stated one CISO. Another said they we now “designing for BYOD” (bring your own device).
Securing the cloud
Some agreed with Quocirca’s own view that the main issue is perception; convincing the “control gods” said one CISO. The security considerations are not that different than those for internally deployed IT systems. Some saw cloud based services are just another form of outsourcing and they should be used when they are the most effective way of delivering a require aspect of IT and as with any outsourcing contract appropriate SLAs need to be in place. Others were less sure the cloud was like other forms of outsourcing and one stated “the [cloud] market is for small organisations”.
Identity and access
The cloud may enable all sorts of outsourcing, but one CISO was firm in their belief that “you cannot outsource identity”. There were also doubts expressed about single sign-on (SSO) which has been “promised for thirty years, it is a myth perpetuated by vendors, however, you can achieve reduced sign on”. Regardless of history, there is a growing recognition of the need for SSO especially when it comes to access software-as-a-service applications and application programming interfaces (API). There is also the growing need to manage machine identities, although when it came to mobile devices one CISO clearly felt it was the users that presented the problem “[we are] 99.9% sure it is the phone but only 80% sure it is the user”.
The first day of the forum had seen the usual speed dating between security vendors and analysts. This year Quocirca’s time table seemed to be dominated by security intelligence. This included:
Thanks to Eskenzi PR, the vendors who paid for the event and the CISOs for their time. Quocirca certainly came away with a lot more insight, albeit clear that in some areas there is no single answer to the thorny issues of IT security.
We have not received any comments against this entry. Why not be the first?
We automatically stop accepting comments 180 days after a post is published. If you would like to know more about this subject, please contact us and we'll try to help.
Published by: IT Analysis Communications Ltd.
T: +44 (0)190 888 0760 | F: +44 (0)190 888 0761