David Spark here reporting for Tripwire at the 2010 RSA Conference in San Francisco.
I attended a really good panel of security industry analysts tackling many different security issues. On the panel were:
- Jonathan Penn, Vice President at Forrester
- Christian Christiansen, Program Vice President, Security Products & Services at IDC
- John Pescatore, Vice President at Gartner
The panel was moderated by Asheem Chandra, Partner at Greylock Partners.
The group bounced around a lot of industry issues, so here are just some bullet points from their discussion:
- Compliance drains security budget in the long run.
- Here’s how the business thinks about the guys in IT security: Compliance doesn’t make you important to the business. You’re a check box.
- It’s not a compliance issue; it’s an audit issue. What matters is what the auditors do and say, so in effect you are building an infrastructure for the auditors. You can be out of compliance, but if your auditors can show where you are and how you’ll get back into compliance, that can actually be fine for some organizations.
- People can’t install applications on an iPhone outside of the iTunes store without jailbreaking the phone. Unlike email, people aren’t sending executables via mobile. The mobile hacking threat is overhyped.
- Penn argued that mobile will give rise to smarter malware that will get into a device and then ask itself, where can I find vulnerabilities in this device?
- Vendors are going to be selling more security services that will be embedded into existing products.
- While Microsoft has been the poster child for vulnerabilities, they have made changes to the development process, and organizations like Adobe are playing catch up to where Microsoft is today in terms of being quick to report vulnerabilities. Other vendors are going through now what Microsoft had to do three years ago.
- Microsoft knows that it will take them over ten years to fix their reputation and their security. Christiansen was shocked with Microsoft’s response because he’s never seen any organization have a ten year plan.
Check out more of Tripwire’s coverage from the 2010 RSA Conference in San Francisco.