User privacy has gone and is proving to be a new challenge to solve.
Speaking at a panel debate at the RSA Conference Europe in London, program committee chairman for RSA Conference Hugh Thompson asked how well equipped the industry was to build a privacy programme, given dramatic changes in privacy legislation, and how well equipped multinational companies were to keep up.
Greg Day, EMEA security CTO at Symantec, claimed that concerns about information and the enabling of bring your own device (BYOD), as well as the separation of personal and business lives, created a challenge for businesses over where the boundaries lie.
“Let's be flexible and dynamic, privacy is bubbling to the surface to create a whole new challenge for us to solve,” he said. He also claimed that it may be too late to save personal privacy as so much information is uploaded to social networking sites and duplicated around the internet.
At the start of the conference, RSA executive chairman Art Coviello said that privacy advocates are slowing the progress of the security industry and preventing people from being fully protected online.
Coviello said that 'cries of Big Brother' from privacy groups over more stringent security measures were not helping the industry. He said that privacy advocates "think we should be able to endure reasonable danger to protect privacy", and that this was 'dangerous reasoning' as the "true depth of the problem remains hidden".
He said that privacy laws should be overhauled into a new cyber security model that "doesn't focus its efforts on an increasingly porous defence of the perimeter".
At the panel debate, Thompson said that companies can Google a potential employee. He referred to Angela Duckworth's 'Grit test', a series of 12 questions that can accurately predict how likely someone is to be successful one, two or ten years from now.
He said: “I don't think there are any laws or understanding to deal with something like that.”
Paul Simmonds, co-founder of the Jericho Forum, said that in his previous job as CISO of a pharmaceutical company, privacy was ingrained, and that it is about ingraining privacy into your future.
“If you get the principles right, the technology follows from that. Cloud risks driving a coach and horses through privacy, to use an old English phrase, but the Information Commissioner's Office recently released its guidance on cloud computing and it says what professionals have been telling management for some time – if you put data in the cloud, you are still responsible for it. If you put it in, think about encrypting it and keep the keys.”
Wolfgang Kandek, CTO of Qualys, said that from a US perspective, there was not much legislation on privacy and there was a precedent in the US with patients exchanging medical experiences on their ailments. “There is no visibility into this, no one knows as the data is segregated, so it makes it more freely available so there are benefits,” he said.
Simmonds later referenced work done by his Jericho Forum from 2003 about deperimeterisation and the commandments that followed in 2004, and said that "people quote them back at us now".
“They are there and developers have them laminated in their cube at work on how to architect deperimeterised. There is a huge human aspect here, security works best when it is not bolted on and we keep bolting on, the future is to link the perimeter with identity and make rich risk-based decisions. Risk-based transaction needs to be expanded into everything we do.”