RSA APJ 2015: Accept failure
What happens when policy makers and world-renowned security experts are together in a room? Pool all their experience and knowledge together, put it at the disposal of hungry media and analysts, and what you get is a wide range of ideas and insights bouncing off the walls as well.
Which this journalist did her best to capture.
Here’s a little compilation of these ideas.
Build the right competencies
The main big idea that resounded during the whole conference, and not just at the APJ business panel hosted by RSA and moderated by Blue Coat’s Hugh Thompson, is that there is a mind shift.
Minds are shifting towards accepting that data breaches, compromises and the like will happen. A quick question to RSA President Amit Yoran during his media Q&A session, about how ready security vendors are to provide what businesses need in the next few years, yielded this answer: security thinking is moving from prevention to the realisation that security breaches will still happen.
“And every one of these breaches over the next few years would have (a security technology).”
In retrospect, it is scary how that answer is worded, because it implies there would be no way of knowing or pinpointing exactly where or what part of the defence has ‘failed’.
All we can be certain of is that the only way to prepare for it is to build competency in people, processes and technology around failure (of security systems) and recovery.
If data compromises must happen, Blue Coat’s CTO and SVP Hugh Thompson proposes that there is, at least, a business need for the cost of the damage to be predictable.
Vendor messaging that confuses
RSA CTO Zulfikar Ramzan finds that in Silicon Valley, at least, so many start-ups are going into cybersecurity, largely for the wrong reasons.
“These are by people who haven’t done it before. And they are going to talk to customers and confuse them further,” he said.
This makes it a very good time for the industry to think about the right criteria for each security technology, and also about how to further evolve the technology, people and process criteria for technologies like SIEM (security information and event management).
Can we start to have some kind of guarantees from the security community, vendors and service providers alike?
“It’s the responsibility of the vendor, for transparency first. This wasn’t necessarily the case for a long time,” said Thompson.
“It also didn’t help that the end users do not have expertise at computing level to evaluate (solutions). I think this is changing a little now.”
He also noted that, because it has been problematic for buyers to understand what a solution was offering or what they were getting, it has been important for a third party, such as a service provider, to come in.
When it comes to guarantees, security certifications are one way of ensuring that there are standards that security vendors actually comply with.
Ernst & Young’s APAC Cybersecurity leader, Paul O’Rourke, also spoke about certifications for service providers, such as CREST.
On its homepage, it states, “CREST provides organisations wishing to buy penetration testing services with confidence that the work will be carried out by qualified individuals with up to date knowledge, skill and competence of the latest vulnerabilities and techniques used by real attackers.”
It’s going to get worse…
It’s going to get worse before it gets better, especially in this region.
Tobias Feakin, senior analyst and director at the Australian Strategic Policy Institute, observes that a high rate of mobile adoption and an extremely thriving start-up ecosystem make legislation to support and protect these opportunities rather hard to do.
There seems to be no right way to balance managing security risks with allowing mobile technologies and start-ups to innovate and thrive in the fertile environment that is Asia.