Tuesday, April 08, 2008

RSA Impressions - 2: Compliance "Megatrends"

So, one more impression for today: I am sitting at BUS107 panel session titled "Compliance Megatrends: The Future of Information Security" and there is actually some interesting discussion going on. Here is my account of this session:

  • One person said that 'a common theme recently is that "those breached were compliant"' (meaning TJX and Hannaford). I question: is this really so? I think the truth is everybody, compliant or not, is 0wned, not that "those compliant are 0wned"
  • All panelists predicted that governments (US and European) will be influencing security more in the near future: more laws, more regulation, more enforcement (and that governments will do more to secure their own systems)
  • One person proclaimed that 'law enforcement model of security (detect->respond) doesn't work anymore', but said nothing about what comes next, instead, etc. I just hate empty posturing like that ... but wait! There is more from the posturing department: one more panel member said 'we need to not buy software products unless "absolutely secure".'  Hellooooo, is anybody home? :-)
  • ISO27001 is hot. Really? A lot of people in the audience seemed to like ISO27001. So, is it enough to predict its takeoff in the US? Somehow I am still skeptical ...
  • GRC was mentioned... in passing.  Everybody heard about it - and nobody cared. One person said "GRC... hmmm... so, how do you know you have it?'  :-)
  • One more person said that "plausible deniability [about security] is dead" - companies cannot pretend that information security doesn't exist anymore ... Again, no matter how much we want this to be the case, is this really true? I think many smaller companies are kinda still in the same bin?
  • A bizarro opinion on PCI DSS was voiced by one panel member: she said that she dislikes PCI since it is "too prescriptive" and it got turned into a mindless checklist (losing the original intent of improving security). She also disliked that PCI compliance evaluation is bad: based on a "dumb" control checklist, not on measuring effectiveness of "meaningful controls." I think this is true to some extent; but I'd hate to blame it on PCI DSS standard itself.
  • Finally, panels' take on "What will happen in 5 years?" Their predictions: catastrophic events ("Estonia-like" - eeeeh, you mean somebody is fined $1642?), 'integrity of data' attacks which are "exceptionally scary" (data loss -> data change!), growth in data volume (huge!) with total lack  of how to control it, increased dependency on the Internet - without a corresponding increase in security, SaaS and Web 2.0 will change security and so will virtualization (now, that's original :-))

So, it was all good fun!

Dr Anton Chuvakin