What's Next in Our Security Conversation

Posted by Fahmida Y. Rashid

There were a lot of interesting conversations at RSA Conference last month. With everyone back home and back to the pressures of the daily job, what happens next? Where does all that energy and excitement go? Hopefully, it is being channeled into informal conversations and new initiatives.

One of the key themes was that security is broken and it needs to change. Every company needs a holistic security approach. We are no longer talking about silos or stand-alone solutions. Everything is interconnected, which means the threats are also linked. We can't just look at endpoint security while neglecting user behavior auditing, and that is just the beginning.

So where does that take us? Are security professionals engaging with their senior management and boards to discuss how they want to tackle security?

Security is a global problem. We saw in 2014 that retailers and healthcare are just as vulnerable to data breaches as educational institutions and financial services. Threats aren't just restricted to specific geographic regions or types of businesses. Larger organizations have to work with smaller suppliers and partners to protect all parts of the supply chain. No one is too small in the current security landscape.

And face it, we are all facing the same challenges. Organizations don't have a clear picture of what kind of data they have, where it is stored, and how it is stored. We are only beginning to realize just how valuable all these files and pieces of information sitting around on our computers and servers are.

During the conference, AlienVault surveyed more than 1,100 security professionals on the topic of ethics. I don't think anyone would be surprised that IT professionals use security breaches as a way to get more money for security budgets. But it is disheartening to hear that more than 20 percent of respondents said they’ve seen their company hide or cover up a breach. Or that 20 percent of respondents admitted to steering auditors away from major security gaps during an audit. I was much happier to see that 61.7 percent said that they privately disclose security flaws found on websites and enterprise systems.

The survey found that more than half of security pros use hacker forums or associate with black hats to stay up to date with the latest security threats and technologies. Considering the challenge security professionals face, of protecting large and vulnerable security networks from nimble and faceless attackers, it's not surprising they are willing to venture onto hacker forums to get the information they need. But it may be safer, and more effective, to talk with each other instead.

Many of the attendees were interested in visibility and metrics. Sessions that touched upon metrics—the kind of information security professionals need, the type of metrics board members are interested in, and even how different organizations are tackling security metrics—were highly popular. Why? Because the security industry has grown up. The conversation is no longer about what to do, but rather how to do it. Everyone wants to know what their peers are doing and to share best practices.

There's no reason that discussion has to end just because the conference is over. Let's bring some of that conversation here. Let us know what you would like to hear. Would you like webcasts or smaller virtual events geared towards digging into some topics? Should we bring some of the high-demand sessions online? Let us know so we can help you continue engaging with your peers.

Fahmida Y. Rashid

Information Security Journalist, Editor-in-Chief, RSA Conference
