13 Jun 2011
During the first week of June 2011, Quocirca attended the IT Security Analysts Forum in London which was organised by Eskenzi PR.
This is now an established annual event, having run every year since 2007, and it attracts a surprising number of US-based IT security analysts as well as many of the high-profile European ones.
That seems to be down to its unique (as far as Quocirca is aware) format, which involves two formal sessions over two days with plenty of networking in between.
Day 1 is a kind of speed dating for security vendors with analyst firms. The challenge for the analyst is to take in so much in one go from as many as ten individual vendor meetings.
For the vendor reps, the challenge is to tell their story ten times over without getting bored – something they seem to achieve admirably: most of them are still smiling at the final meetings scheduled to end at 18:00.
The event attracts a wide range of vendors, from the largest – HP eager to talk about its recent acquisitions that have seen it re-enter the IT security market – to the smallest – Iddapcom wanting to raise the profile of its software for testing firewall configurations. Perhaps the main reminder for Quocirca after such an intense session is that there is always more than one way to skin the IT security cat.
For example, a pressing issue is the protection of data. You can move it about on encrypted memory sticks (Kingston Technology), encrypt data on end points and during transmission (SafeNet), locate and make safe/wipe lost devices (Absolute Software), restrict access to data (Varonis), or stop it leaving the organisation in the first place (M86). Few organisations need all of this protection, but a wise selection will go a long way towards providing the protection needed.
Day 2 is a chance to meet the real-world practitioners of IT security: the CISOs (chief information security officers). The event is now attracting some of the top UK-based CISOs. The Chatham House Rule under which the event is run prevents Quocirca from reporting the names of the companies or individuals represented, but some of the biggest banks, oil companies, pharmaceutical manufacturers and media organisations were there.
Many of the topics discussed were raised by the CISOs themselves. Perhaps the most interesting thing was an issue not raised explicitly by the CISOs: cloud computing.
Although it is hard to avoid the topic in any discussion about IT these days, the old questions – "should we", "shouldn't we", "can it ever be secure" – have disappeared with an implicit acceptance that the cloud is now an integral part of the delivery of IT. As one participant said: "Well-run public cloud infrastructure can be indistinguishable from internal IT infrastructure."
It was agreed that getting the contracts right was as important as security when engaging with cloud providers. Some complained there was not enough choice. Others stated that due diligence was needed when dealing with smaller providers to ensure SLAs would be delivered on.
Having said that, some complained that standards of service may drop off when a small cloud provider is acquired by a larger established IT vendor. It was also noted that regulators do not really understand the public cloud.
With that in mind, the CISOs raised plenty of concerns about business risk and governance – for example, how to determine the impact of managing data across different environments and how to quantify and assess the impact of IT security failures. One priority here was to ensure a media strategy was in place for when the inevitable occurs, and this strategy must include new media.
Another issue accepted as a reality was the rising tide of IT consumerisation. First, this includes the acceptance and control of consumer-based cloud services such as Facebook and Twitter. Most CISOs accept the use of these as inevitable and now govern their usage through a mix of HR policy and technology.
Second, it covers the use of personal devices to access IT. The rise of the iPad, the iPhone and the Android smartphone was accepted, and most CISOs sought to enable their use (or, in some cases, saw no way of easily preventing it).
There was a discussion about working with auditors: are they friends or foes? Most agreed that, however you view them, it is better to work with auditors rather than against them, and that they could also be a source of free advice, with useful experience from a range of industries. Some CISOs said their agenda was largely driven by auditors.
And there is demand for all those vendors with products to help secure the use of data. Most CISOs said they enforce encryption, at least on Windows notebook PCs. Nearly all the CISOs said they had a policy for using secure USB drives ("if laptops are encrypted, why would you not enforce it on USBs too?").
However, it was agreed that more than encryption is needed, including controls to keep sensitive data off the network wherever it is possible to install them. Perhaps the most interesting admission was that, in the age of WikiLeaks, one of the best strategies was to be more transparent and publish data more widely, only protecting the data that really needs to be protected: "If only we could persuade users to classify it in the first place."
One CISO bemoaned the numerous sales calls he received and advised vendors to wait for him to call. This advice is unlikely to be heeded; the sales process will go on. One day he will be sitting in a draughty living room aghast at the size of the heating bill, and a double glazing sales rep will happen to ring with a special offer: "How fortunate!" he will think.
The CISOs also had some advice for us analysts. Make it clear when personal opinion is being provided as opposed to opinion gathered through research. Don't just say what is happening today; say what is coming down the line. And keep reports short; there's no time to read long ones. Time to polish the crystal ball, and this article has probably gone on long enough already.
Bob Tarzey, analyst and director, Quocirca