Highlights of the event, at the ILEC Conference Centre near Earls Court, included the ‘Future CISO’ debate, led by Professor Fred Piper of Royal Holloway College, and a session on the privacy threat presented by big data. This featured Emma Carr, director of the privacy group Big Brother Watch, who reflected on the legacy of whistleblower Edward Snowden.
But the most striking event of the day was a demonstration by Ken Munro, partner and founder of Pen Test Partners, who showed how cyber-criminals can attack ‘Internet of Things’ devices, and why cyber-security professionals need to defend against this.
One delegate, Scott MacKenzie, CISO at Logical Step, gave SCMagazineUK.com his reaction: “The IoT talk by Ken Munro was very entertaining, informative and thought-provoking. It highlighted the growing ubiquity of internet-connected devices and the high risk due to security being an afterthought or not even a thought at all.
“Ken chose some novel examples of hacking IoT devices including bathroom scales, a child's doll, an internet dishwasher and an adult toy!”
MacKenzie added: “The Congress had a number of very memorable talks during the day.”
The ‘Future CISO’ debate flagged the way cyber-security has become a broad business issue, with CEOs of data-breached companies like Target forced to resign.
CISOs have to respond to this, Professor Piper said, endorsing a comment from earlier speaker, EY's Mark Brown, telling the audience: “Change or you will be changed.”
Other speakers agreed. Andrew Rose, CISO of the air traffic control organisation NATS, said: “The successful CISOs I see have become much more business focused; the technology side is a small part of their role. Most of the CISO's focus has to be on talking business strategy, on working with the board.”
Rose said many CISOs with no background in technology are still a success because they know how to implement change and work with ‘the business’.
Mike Loginov, vice chair of the National MBA Advisory Board, which recently pioneered the UK's first national MBA in cyber-security at Coventry University, said the course focuses strongly on business skills.
Meanwhile Sarb Sembhi, a leading figure in the ISACA security professionals organisation and director of Storm Guidance, agreed that CISOs “need to be less geeky and more Star Trekky” – to be less technical, and more focused on bringing out the best in their people.
Professor Piper said: “The future is there for grabs. You need a business focus but you do need the security skills. It will all depend on the nature of the company.”
Piper also said he believed that currently there is no CISO on the main Board of any UK company.
But questioning whether CISOs may soon become CEOs themselves, Rose said that many CISOs have “not had the aspiration to move on from the CISO role, it's a vocation for many of us and we don't want to become a CEO or CFO”.
The day's other main sessions dissected APT attacks and cloud security - reported elsewhere on this site - as well as the privacy threat of big data and how to develop a workable BYOD policy.
In the Bring Your Own Device (BYOD) session, an audience show-of-hands saw a brave 20 percent admit that they still do not feel they have BYOD sorted.
Mark Brown, executive director of cyber-security and resilience at Ernst & Young, reinforced this point: “There are still too many companies walking eyes wide shut into BYOD,” he said. “It's not Bring Your Own Device, it's Bring Your Own Disaster.”
Brown said that, rather than seeing BYOD as a way to enable executives to use their own device or cut costs, companies should focus on doing something more transformational – using new technology to introduce new ways of working – otherwise “you are on a hiding to nothing”.
He was also critical of security software vendors in supporting BYOD, controversially commenting: “Vendors are a large proportion of the problem. There is so much snake oil in the security software products space that you almost cannot trust a thing they say.”
Brown said security pros looking to deploy consumerised IT need to look at their own enterprise architecture, the assets they already own and what the new devices should be delivering – then judge whether vendors can actually fulfil that need.
In the big data session, speakers including Andrew Rose at NATS, Jeremy King, European director of the PCI Security Standards Council, and Carolyn Williams, director at the Institute of Risk Management, as well as Emma Carr at Big Brother Watch, debated a key problem: how snippets of data on customers or citizens, often collected for other purposes, can be combined by marketing to build a detailed picture of people, and create unforeseen sensitivities or threats to privacy. The example of pregnant women having their condition revealed to other family members, such as parents, via targeted marketing was cited.
In response, Carr urged companies “to think about privacy as part of your business model” and said the new penalties threatened by the forthcoming new EU-wide data protection legislation will make that approach even more necessary.
The Congress also featured nine breakout sessions on issues ranging from how to prevent network defences being breached to endpoint security for the modern enterprise. These were led by conference sponsors Vanguard, CipherCloud, Boldon James, Centrify, Forum Systems, Websense, Zscaler, Watchful Software and Code42, whose support enabled the event to be free-to-attend for delegates.