27-29 October 2008 | ExCel London | Book at: www.rsaconference.com
The core challenge of IT security has got more complex: the job now is about protecting the whole business. What better occasion to discuss the key issues than this conference? By Jessica Twentyman.
Information security spending continues to rise, but few organisations feel safer today than they did five years ago. Does this mean that most are falling short in their efforts to develop effective information-security strategies?
RSA president Art Coviello thinks so. It's that provocative viewpoint he'll be putting forward in his keynote presentation at RSA Conference Europe 2008, a speech in which he has also promised to explore how information security professionals can “successfully balance the risk-reward equation”.
Those attendees working at the sharp end of information security might be tempted to comment that their working lives are currently characterised by too much risk and far too little reward.
The core challenge in IT security hasn't really changed in recent years, because it's still about granting the right level of access to data and information among people who need it to do their jobs – and keeping everyone else at bay.
What has changed, however, is not just the complexity and volume of threats out there, but also the context in which IT security is viewed. The job is no longer about protecting individual computers or networks, but the business as a whole. Organisations are expected (and legally obliged) to exert a higher degree of vigilance over their data than ever before.
That, in part, is why a good turnout can be expected for the keynote presentation by UK Information Commissioner Richard Thomas. As the government official in charge of naming and shaming organisations that transgress the UK's data protection laws, Thomas will be giving his verdict on the most recent high-profile data-loss debacles and what information security professionals can (and should) learn from them. An insight into how the powers of his office are being strengthened is also promised.
Aside from the issue of achieving and maintaining compliance so that their own organisations do not become the focus of Thomas's scrutiny, attendees will also want to learn about the latest threats to their information assets.
Even for noted malware-watcher Gerhard Eschelbeck, chief technology officer of anti-spyware company Webroot, the conference offers a great opportunity to discover what others have spotted on the horizon. “The threat landscape is very specialised today,” he says. “With new attacks specifically tailored to exploit vulnerabilities in SQL Server databases, VoIP systems or social networking sites, I need to connect with people who are researching these niche threat categories in depth and the people dealing with them on a daily basis.”
Eschelbeck will be giving his own presentation on the state of spyware and also appearing on two moderated panels. One is on “Software and security as a service”. In the other, entitled “Beyond tomorrow”, a group of industry CTOs tell SC Magazine editor Paul Fisher about the new and disruptive technologies they believe will have a major impact on the IT security industry in three years' time.
But there's plenty of content planned that will address the reward side of the risk/reward equation, too. Savvy information security professionals know that, if their function is to get its fair share of the overall IT budget, it cannot afford to be seen by senior business executives as an annoying layer of cost and inconvenience. Instead, security needs to be seen as an engine of employee productivity, new business initiatives and brand reputation.
“That depends on the ability of information security professionals to become ‘first movers’, quick to identify and implement new applications of security technologies,” says Forrester Research analyst Bill Nagel.
Recently, Nagel has been researching the roll-out in Europe of national electronic citizen IDs (eIDs), based on government-managed public key infrastructure (PKI), that will enable citizens to perform secure transactions with public services. In his presentation, Nagel will focus on successes notched up in Sweden, where usage of eIDs is far higher than elsewhere, as well as how the Swedish example could serve as a model for similar initiatives in other countries, where uptake has been more sluggish.
Another key driver for increased appreciation and reward of the IT security function will be professional development, says John Colley, former chief information security officer at Royal Bank of Scotland and now managing director of industry certification body (ISC)². He is pleased to see that, for the second year running, RSA Conference Europe is running a dedicated professional-development session track.
“This highlights the importance of people in securing business infrastructures – from education and awareness through to gaining the business and management skills necessary to navigate the cross-organisational role that information security professionals now operate in,” he says.
He and his team, he says, are attending the conference not just to meet existing (ISC)² members but also to talk to prospective members looking to improve their professional status with an (ISC)² accreditation such as CISSP (Certified Information Systems Security Professional) and SSCP (Systems Security Certified Practitioner).
As RSA president Coviello will outline, balancing the risk/reward equation is a question of focusing on the key variables of “vulnerability, probability and materiality”. That's not going to be an easy trick to pull off. In tough times, information security professionals are going to need all the advice, information and expertise that they can get.
AN OLYMPIC SUCCESS STORY
Just three miles separate the ExCel conference centre, where RSA Conference Europe 2008 will be held, from the vast construction site at Stratford where London will host the Olympic Games in 2012.
The conference provides an ideal opportunity for Vladan Todorovic, Atos Origin's information security manager at the Beijing Olympics, to remind delegates that this year's Games were mercifully free of embarrassing IT glitches and to give them some insight into how that was achieved.
“The point of my presentation is to explain the basic challenges of the Olympic project from an IT security perspective, the methods we used to address them and the potential reusability of the solutions we implemented to standard enterprise environments,” he says. In Beijing, he and his team had to:
- Monitor more than 12,000 devices in 60 different locations in real time.
- Deploy equipment rapidly, with the vast bulk of the necessary installations achieved in under one month.
- Manage many high-risk IT system user groups, including volunteers, third-party IT partners and journalists.
- Process 12 million security events per day, with no room for human error.
A CROSS-BORDER PERSPECTIVE
Dennis McCallam, chief security architect at US-based aerospace and defence company Northrop Grumman, jokes that his top priority on his October trip to London is to see Fulham FC play a home game at Craven Cottage.
In reality, he has a far more pressing engagement that week. On Monday 27 October, McCallam will take the stage on the first full day of the RSA Conference Europe 2008, to address delegates on the shift away from perimeter protection to a more data-centric approach.
It is a subject that has been much discussed in IT security circles for years, but has only recently started to materialise in operational environments.
McCallam is well qualified to provide unique insights. He is responsible for IT security at a $30 billion global company, but also sits on a Nato taskforce charged with exploring the issue of network-centric operations security.
“I wanted to talk about this trend, because in the modern world data must be protected, whether it's in use on the network, at rest on the network, in use outside the network or in transit on that network,” he says. “It doesn't matter if you can breach our perimeter, if you can't access sensitive data once inside.
“One problem that we're all trying to solve is how to secure international collaboration, so this conference is a fantastic opportunity for security specialists from all over the world to meet up and discuss cross-border data-security issues,” he adds.
HOMAGE TO ALAN TURING
RSA Conference Europe 2008 promises to be a truly international affair, with organisers expecting some 1,400 attendees from over 60 countries to make the trip to London's Docklands, home of the ExCel conference venue.
The theme of this year's event – the life and work of Alan Mathison Turing OBE – should resonate with an international audience, too. Although Turing was born and spent most of his life in the UK, his name is instantly recognisable to information technologists worldwide as the father of modern computer science.
Such is his global appeal that his name has been adopted by university computer laboratories in Puerto Rico and Colombia, by an annual conference at Istanbul Bilgi University and by an honours computer science programme at the University of Texas at Austin.
Using mathematical logic, Turing, based at Bletchley Park, Britain's secret code-breaking department, helped to crack the German military Enigma codes at superhuman speed during World War II. To celebrate his life and work, a number of cipher and Enigma machines will be on show at RSA Conference Europe 2008 and organisers say that supervised use of these machines by attendees may be permitted.
“We can only see a short distance ahead, but we can already see plenty there that needs to be done.” Alan Mathison Turing (1912-1954)