Every year there are multiple layers of themes and hot topics at the major security conferences. The most visible (and invariably the most mocked) are the ones generally found in the press and all over the vendor pitches. The latest batch includes: Cloud, APT, WikiLeaks, Mobile, and anything that starts with “Cyber”.
Having been in the industry and attended these events since the mid-1990s, I’ve learned to look for those interesting areas that have been simmering for some time and suddenly hit a tipping point. Where previously there was just enough interest to have SMEs and academics offering perspective here and there, suddenly every thought leader in the joint has worked it into their talk and they are literally educating the masses. This year is all about deconstructing what we currently think of as Risk Management within information security and preparing for the real deal.
In the absence of the data that would normally be required to show causality or control efficacy, we’ve been busy creating sophisticated methods of defining and modeling risk based on the limited data and knowledge that we do have. But there is no shortage of voices at RSA this week reminding us that just because what we do today may be the best we have, this does not make it equivalent to the scientific method. Many of these sessions talked more about psychology and economics than they did about security, and challenged audiences to begin expecting the same level of critical treatment that is applied in science.
Multiple examples have been cited where attempts to reduce human risk with “common sense” sorts of controls actually result in no effect, or even in behavior that is more risky – the seatbelt being a favorite. But they remind us that as more data sets begin to roll in, we should not be surprised to find that our priorities and “best practices” are not necessarily achieving what we hope they are. One example of this is the apparent disconnect between spending on anti-virus and firewall technologies and the latest data, which seems to show that these just aren’t the attack vectors with the greatest risk.
It will be fascinating to watch the industry adapt over the next few years as customers increasingly make data-driven decisions on security spend and as the CISO moves closer to speaking in terms the business can actually use.