Wednesday, April 09, 2008

RSA Impressions - 3: CTO Panel

First, a desperate call to other security bloggers: is anybody attending this panel (BUS202)? It is FUN, but I have to run for a meeting in, like, 10 minutes.

Most trends discussed so far are kinda well-known (SaaS, in-the-cloud this and that, security of infrastructure-> security of data and now of "interaction", server, desktop and storage virtualization, etc), but "IT consumerization" is a huge f*ing elephant in the room. "Security in the age of 'IT by users', not 'IT by IT'" is indeed darn scary! I guess it would be the "New Wild West" :-)

I am also happy that somebody brought up 'everything that needs to be invented is already invented in security' and then dispelled this ugly and idiotic myth.

Another fun one mentioned is a change from "security of bad/good" to "security of flowing risk scale." It sounds deceptively simple, but it is actually pretty profound: as opinions about, say, data criticality for business change, so does the risk/impact of said data loss. Not "loss of router = bad", but "loss of this data today = 3 of 10 'badness'".

I was also darn happy to hear that panelists accepted that our security defenses are not prepared for "unknowns" and that "attackers lead - security follows." Also, it is neat that somebody also mentioned that "Security is an art!" today.

A lot of fun security implications of "virtualization in the cloud" (like Amazon service) were mentioned as well: think 'your "own little IT" outside the company for $5 and all the security team will see is web traffic.'

Sorry, I have to break my "transmission" and run to that meeting ...

Dr Anton Chuvakin