As momentum builds up towards Infosec at the end of this month, I’m reminded of all the previous Infosecs I’ve attended, as a punter, speaker and analyst. It’s quite a bizarre ecosystem if I think about it – in the perfect world of course, we wouldn’t need to see IT security as a separate industry from the rest, but the same argument could be applied to anything to which we say, “Why can’t we all just get along?” No doubt the same principle applies to world peace.
Sadly however, we can’t all just get along, with a number of effects. First there will always be ‘bad guys’ looking to exploit holes in the technologies we deploy, or indeed, looking to take quite innocuous capabilities and use them for undesirable effect. Just as ploughshares can be turned back into swords, so email can be used for spam, unprotected desktop computers can be used to host ‘bots’ for launching denial of service attacks (or indeed, generating spam – do all roads lead to spam?) and so on. The key to all of this would normally be diligence – remembering to lock doors, not take sweets from strangers and so on. But as well as malice, there are other undesirable human traits which make things harder.
First is complacency – that bad things only ever happen to other people. Were we less complacent as a race, no doubt we would raise our expectations on IT, to the extent it would be delivered with less holes in the first place. Second of course, we would more actively look to fill any gaps that remained, and we would allocate appropriate budgets to do so. Squeezing bood out of a stone can be easier than getting budget for security purchases, however great the risks may be.
On the subject of undesirable human traits, to complete the picture we need only to think of stupidity. It was not a bad person who left the laptop in clear view when he popped into the shop, and no doubt Mr Quick did not maliciously wave government secrets in front of press cameras. But stupid we are (I have a whole list of my own examples), and we cannot therefore rely on our own abilities to do the right thing.
It is against this background that the IT security industry has formed, evolved and adapted, as reflected by conferences like Infosec. Sure there will be vendors that ‘big up’ the latest threats – just this morning we took a vendor to task for claiming that insider jobs were in some way new – and there will also be organisations which offer highly appropriate solutions to real problems, but which will never get famous as long as the industry, and indeed the human mindset, remains as it is. Behavioural analysis company Tier-3 springs to mind, pragmatically ploughing their hype-free furrow.
So, what would we recommend anyone attending Infosec? First of all, we would re-emphasise that security products are a means, not an end – and the latter you have to work out for yourself. A good comparison would be with Christmas Shopping – how many of us have gone out in early December, in the hope that an appropriate gift for Aunt Maud would magically reveal itself? In security as well as shopping far better approach is to sit down and write a list beforehand, while can be tough to do but will achieve far more as a result.
As a second point, we would recommend asking the hard questions early. Don’t just accept as read what vendors are saying: ask what exactly one product set has that the competition doesn’t; why exactly a specific differentiator is relevant; what effort will be required to install, operate and manage, and so on. A great deal can be learned in terms of real-time competitive analysis, so don’t be afraid to bounce between the stands to confirm or otherwise what competing vendors are saying.
Then, and this is more a benefit than a recommendation, remember that Infosec brings some of the best people in the industry from the vendor community. Don’t be afraid to really pick the brains of some of the people on the stands or during the sessions, as a better source of free advice you are unlikely to find under a single roof.
Finally, and to summarise all of these points, set yourself a tangible goal. It would not be untoward for example for you to hammer out your security priorities for this year, or determine the realities of cloud-based security, or investigate the strengths and weaknesses of a certain set of products. If nothing else, as you are on your way to the conference list out the ten things you would like it to achieve, both for you and for your organisation.
IT security may be an anomaly in itself, a reflection of the vagaries of human nature and the immaturity of IT as a whole. Conferences like Infosec are a mirror onto this strange ecosystem, both evolving alongside and helping move things forward. We’re not expecting you to understand it all, if anyone could. But with a bit of preparation, and with a clear understanding of your own needs and priorities in your back pocket, the value of conferences such as this can increase tenfold.