Friday, June 26, 2015

CIO/CISO Summit Boston

We all have our pet peeves when it comes to security technologies and practices. One of mine is the hesitancy of security practitioners to openly share their experiences lest they expose a serious weakness to the world. Trust me, if you have large vulnerability issues the bad guys already know about it! You are much better off talking with peers in your industry to find out what works for them so you can learn from them and make progress.

The healthy exchange of security ideas from enterprise leaders was one of the reasons I was excited to be invited to the CIO/CISO Summit held last week in Boston. This conference provides an opportunity for CIO/CISOs to participate in roundtable discussions, absorb highlights from presentations and otherwise network with peers. It is an inspirational idea that seems like time well spent.

A few points resonated with me from one of the sessions:

Strong security processes can lead to user fatigue, and user support is critical for security. We sometimes overlook the impact security decisions can have on our people. A CPA friend bemoans that accounting guidelines call for a separate un-memorizable password for each and every client and that passwords must be regularly changed. So of course he writes them all down in multiple obvious places so he can work from home or office ... and now has a jaundiced view of IT security recommendations. Ridiculous. If you are on a security team, be sure to consider the impact on users and avoid being invasive "for security's sake" whenever possible.

Technology is important, but be careful of a false sense of security. Every vendor promises the next great thing, and many products are indeed great. But no product does everything great. SIEMs are cool, but your data is already lost by the time any event is recorded; user analytics are a fascinating approach to detecting the presence of malware, but there will be false positives in anything based on behavioral scoring. One takeaway is that fundamentals are fundamental for a reason - be sure to have and enforce standard operating environments for important servers, efficient processes to patch critical vulnerabilities, documented processes to rebuild after attacks, and only run the latest releases of software. Killer technology is best when supplementing a security program focused on strong fundamentals.

Reserve more of your security budget to embrace new user activity. In the last 5 years where has your organization changed the most and how is your security program adjusting to those changes? This is a difficult question because security likes to control stable processes and technology, but things cannot always stay the way they are. This may mean that capabilities you fought hard for just a few years ago are suddenly worth a lot less to you now (can you say MDM?). It is easy to see the growth of the cloud and mobile devices so instead of trying to force them to behave like your physical infrastructure isn't it more pragmatic to have security get ahead of user activity? Be willing to change security processes with the times - even if it means leaving good legacy stuff behind.

I was impressed with the program put together by the CIO/CISO Summit. I am hoping that your region has something similar. While it is always nice to socialize with peers, it is even better to have challenging security conversations.