ASG's Phil Aronson (foreground) welcomes the crowd along with The Sage Group's Ron Worman (right).
Photo credit: (G. Kohl/SecurityInfoWatch.com)
Seattle, Wash. -- The ASG Security Summit/The Great Conversation packs an amazing amount of high-level thinking into just one day. I honestly am not sure how they do it, but I wanted to distill some of the best thoughts I heard in 24 hours into something you can read in 5 minutes. So let’s go. Here are some excerpts from the 2012 ASG Security Summit:
Wisdom from Mike Howard, Microsoft Global Security
Computing is going to the cloud, said Howard in the event’s keynote. Your IT department is moving its services to the cloud. Microsoft (like Amazon and Google and others) is committed to the cloud. So, if you’re not already thinking about how your security department can use the cloud, you need to start.
Mike used a great analogy where he compared the cloud to municipal utilities. It goes like this: You don’t make your own water or build your own water system, but when you turn on the faucet, you expect water to come out. You don’t run a power plant or manage a global telecom network, but when you plug into an outlet you expect electricity, and when you pick up the phone, you expect a dial tone. Cloud is the same way – you don’t have to own the server to have instant access to the storage.
The cloud will be perceived as a threat by some of your employees whose jobs are tied to managing local servers. They have to adapt.
There are four types of clouds: Private cloud (cloud inside one organization), Community cloud (a private cloud shared and operated by multiple, interoperating organizations, such as a community cloud for law enforcement agencies), Public cloud (the Internet cloud: Microsoft Azure and others), and Hybrid cloud (a cloud that blends two or more of the other three types of clouds, such as a cloud that leverages private cloud data with public cloud applications).
Wisdom from Fredrik Nilsson, Axis Communications
What about security? What about bandwidth? Who will have access? Fredrik Nilsson pointed out that the questions people are raising today about cloud computing are the same questions they raised a few years ago when IP video really started to gain interest.
Wisdom from Jeff Slotnick, OR3M
Slotnick is one of the preeminent thinkers on risk and resilience, and he warned the crowd about silos. Risk, he said, doesn’t just belong to "security." It’s part of an entire company, and how you mitigate those risks affects your entire organization. Contrary to popular thought, said Jeff, "Silos are not 'cylinders of excellence'." Rather, he said, "silos create inefficiencies."
Wisdom from Arnold Bell, Domestic Security Alliance Council, FBI
One of the leading risk vectors is state-sponsored hacking, said Arnold Bell, who was at the conference to help educate corporate security end-users about the FBI’s Domestic Security Alliance Council (get more at dsac.gov). "I’m not going to dance around it. I’ve been around too long and I no longer dance, so I’ll say it: China is kicking our butt. I’m not sure what their approach is, whether they want everything or they just think they’ll figure out what they want later, but they’re grabbing it [U.S. companies’ data] now." That said, Bell added that government and private industry have woken up and are diligently taking steps to protect themselves from state-sponsored hacking.
Wisdom from William Raisch, InterCEP at New York University
Bill Raisch is on the cutting edge. Is your security organization monitoring social media? If not, why not? Social media has been used for violent protests and crime-oriented flash mobs, and it’s also a wonderful pulse of human perspective. So, monitor it! But also engage it. Misinformation and rumor can propagate quickly on social media, so if you’re managing a situation, engage social media to get the truth out.
Bill raised this wonderful "Great Conversation" discussion point: Does security have a filtering challenge? We’re faced with a fire hydrant of information, he said. So how do we vet that data today and how do we do it quickly while it’s still actionable?
Wisdom from Mike Faddis, technology group manager, Microsoft Global Security
Warning to product manufacturers: Get moving on standards. Standards-based technology is so important to an organization like Microsoft Global Security that if your technology isn’t standards-based, there will come a time when a big client like Microsoft won’t even consider you. To buy non-standard technology would be to invite risk into the organization. Faddis isn’t at that point yet, but I don’t think it’s that far in the future. Since standards affect the end user the most (that’s really who obtains value from standards), end users also need to be key stakeholders in the standards development effort.