If you’re in charge of keeping your company’s information assets secure, and you think the state of modern information security is overly and needlessly confusing, you’re not alone.
With over 30 years of insight into information security triumphs and failures in his mental database, Art Coviello has been in a unique position to observe how technology and security companies have responded to the explosion in internet connectivity and criminal activity. The former chairman and longtime executive at RSA Security is one of our principal advisors involved in the planning of Structure Security, and we’re thrilled that he’ll be kicking off the conference on September 27th with a talk on the modern state of security.
Coviello observed a shift in security thinking about five or six years ago from reactive security (finding and plugging holes in perimeter defenses) to intelligence-based security, in which the notion of risk is much more thoroughly identified and analyzed. However, while that concept has been embraced by the information security world, applying that concept to real-world situations has proven more difficult, he said in a recent interview.
“The problem isn’t just expanding attack surfaces,” he said, referencing the explosive growth of cloud and mobile computing as well as the coming challenge of the internet of things, “but the ability to take the model from the 50,000-foot level to street level.”
There are three somewhat-overlapping issues that contribute to that problem, Coviello said:
- The Skills Shortage: I’ve heard this time and time again in conversations leading up to Structure Security, and it’s going to be discussed in several sessions: information security leaders are having an extremely difficult time finding (and retaining) qualified security professionals. (Coviello’s fellow Structure Security advisor, Jay Leak of Blackstone, touched on this earlier this year.) All the modern proactive security-focused thinking in the world doesn’t matter if you can’t find people who understand how to make those concepts work in practice.
- The Firefighters: Assume you’ve managed to hire the right people to implement the right risk-based strategy. Can you figure out a way to allow those people the time and space to get that job done while making sure your organization is safe in the interim? People like to bemoan “fighting fires” — the notion of dashing around fixing security problem after security problem — but deciding which fires can quietly smolder and which fires need attention right now (after all, fires are bad) is not a simple process.
- The Decision-Makers: Information security has been treated as an afterthought in many organizations for too long, and the people who are running those companies — executives and board members — can have wildly different perspectives on the importance of security thinking balanced against time to market, overhead, or strategic focus. Think about financial services companies, which purchase and implement a ton of technology products and services every year to manage vast amounts of money, yet who are often run by people that lack technology expertise, let alone security knowledge.
So how do we move forward? Coviello plans to outline some strategies for getting past these obstacles in his talk, and I won’t spoil the surprise here. But here’s a hint: strategies you consider vital to your core business — such as careful resource planning and treating your vendors with healthy skepticism — will serve you well as you look to protect your organization in a world of growing threats.