New York Forum Wrap Up: It’s a Risky World Out There!
Risk. On a daily basis we assume risk at a personal level without too much thought – we drive our cars at high speeds down the highway, we cross the street against traffic lights, we eat food prepared by strangers, we send our kids to schools run by people we’ve met (maybe) once or twice. Yet as information security professionals we’re still hyper focused on everything that can go wrong at our companies, often wondering how the latest virus or new mobile device introduction is going to affect us personally.
Earlier this week at IANS’ 12th annual New York Metro Information Security Forum, nearly 200 area security professionals, from CISO through network architect, debated this quandary. Risk was the thread that tied all of our tracks – Information Assurance, Application Security, Security Operations, Risk and Compliance, Security Organization/Leadership – together.
But the common response to risk is often:
- “Move to the cloud? No! Too much risk!”
- “Allow personally owned devices on the network? No! Too much risk! Oh, wait, you mean *this* phone, *my* phone will be kicked off if I say no? Better re-think that…”
- “Open access to social networking sites? No! Too much risk!”
- “What is that you say? There is actually more risk in giving employees an email account than in letting them visit YouFaceTwitIn? OK, well, we do want to attract good, young talent so maybe open that up. Let’s just write a good policy and have employees sign off on it every year. That’s not frequent enough? Now what do we do….?”
IANS Faculty challenged delegates to think outside the box and come up with good strategies for driving down risk. If business is all about creating or preserving wealth, as presented by Jeffrey Ritter in his day 2 keynote, security professionals need to be thinking in and speaking the same language as the business and tying objectives back to it. Happily, IANS delegates “get it” and are already working with lines of business. Unfortunately, many delegates still speak security rather than risk to get their point across. During one roundtable session led by Josh Corman, half of the delegates in the room said executives at their companies have a “tolerance” for security. Fortunately, in the two remaining categories of “fully support” and “do not support” security, the scales were tipped in favor of support for security. Could the problem be that security professionals are trying too hard to push a security manifesto?
The answer - according to many of the delegates with which the IANS team spoke at the Forum - is yes.
Although the topic of risk was everywhere, conversations inevitably morphed into discussion of tools and techniques that work / don’t work within their organizations. One CISO told me that, as a CISO, he doesn’t care about tools and technologies, that’s what his staff is for. He then turned around and asked me for a list of the leading vendors in the mobile device management space. Other delegates asked if the topic of cloud could be removed from the agenda since “no one” is doing cloud. Yet Dave Shackleford and Randy Sabett’s tracks on cloud were packed with attendees. Furthermore, participants were happy to share stories about speaking to various cloud services providers about configuration and contracts. If your organization is not at least thinking about moving to the cloud, your time may be better spent monitoring logs than waiting on hold for Amazon, Terramark, and RackSpace customer service reps.
So what’s the secret? IANS submits that, among the security professionals with whom we spoke at #iansNY, we’re on the right track. People are starting to think along the right lines; now they just have to convert their thoughts into actions. Marcus Ranum suggested that the best defense is better defense; since no security team will ever accomplish proactive protection against all threats, breaches, and incidents, the best tack is to qualify risks and then decide which ones are worth taking. Creating a solid strategy and developing awareness campaigns is a good first step. Partnering with the business and “baking security in” is the next step in moving your organization past Security 2.0. Several delegates proposed risk assessments as a key element in getting everyone on the same page as far as acceptable risk.
Whatever your organization decides is an acceptable level of risk, IANS encourages elevating the discussion above tools and technologies and expanding it to include asking for help from HR, legal, product development, marketing (one CISO regularly meets with his head of Marketing for help; “Who better than the VP of Marketing to help me with my pitch?”), and anyone else who might have a stake in mitigating risk…which is every business leader.
Let’s keep the conversation going: Attend an upcoming IANS Forum. Join us on Twitter (@IANS_Security). Email us at info@iansresearch.com. Comment on this blog post. Send us coded smoke signals. But tell us, what are you doing in your security organization to containerize risk?
There is no right or wrong answer; what works for Big Mega Bank may not work for Small Healthcare Provider, and vice versa. Whatever you do, continue to think in terms of risk. Leverage peers within your organization and those in your extended network. Learn from one another and don’t get mired in the past.
Remember, at one point the key question was “are you a McAfee or Symantec AV shop?” Now, as declared by Peter Kuper, “AV is dead!” Think ahead and leverage good sense (we won’t suggest it’s common: the Prince of Nigeria might actually need help) and you’ll be well on your way to Security 3.0. Or at the very least, you’ll be able to explain risk to your organization and maybe even earn some budget to lessen it.
