“Information security overload” pretty much sums up my takeaway from the 2012 RSA Conference recently held in San Francisco. Those of us ultimately responsible for information security management have so many issues to get our arms around, we have to step back and determine how we are actually going to accomplish all of it.
Just when you think you know a lot about your field, you end up seeing others who present challenges in a different light. There’s so much more we can all learn about information security and it’s up to each of us to make it happen. As Art Coviello, executive chairman of RSA, said in his keynote, “We’ve got to be able to see the big picture.” I couldn’t agree more.
Be it our networks, our IT operations, our people or our mobile devices, we cannot secure what we do not acknowledge. And oh so many of us are not acknowledging the things that truly matter.
Time and again, I see businesses spending time, effort and money on fancy data leakage prevention technologies, user awareness training and even spinning their wheels on quantitative risk analysis while, at the same time, they have porous network perimeters, unencrypted laptops, no smartphone controls, lax password requirements, vulnerable physical security control systems and the like. Their priorities are skewed.
Unless and until the low-hanging fruit is fixed, these businesses will continue to be at risk even though they perceive that security is working, because people are busy doing the things that make them appear productive and seem to add value to security risk management.
A critical element of seeing the big picture that Coviello conveyed is that we need to have people skills. We often have our “techie blinders” on and forget that what we do in information security is about — and for — the business as a whole. We need to be business professionals who happen to know a thing or two about IT and information security — it is as simple as that. Focusing on the business and what the business needs should be top priority. We should be asking “How?” rather than proclaiming “No!”
At the conference, it occurred to me that the field of information security is no different from the medical and legal fields. Things are in a constant state of flux, with new areas constantly emerging to keep up with. The thing that I believe makes the IT security field even more complex than the others is people. In law and in medicine, things are pretty cut-and-dry — if you need help in a certain area, then these are the steps you must take.
The continual battle that we have as information security practitioners is people telling us we cannot do what we know needs to be done. On top of that, we continually have users doing the very things we tell them not to do in order to minimize business risks.
It is no wonder that the RSA conference had a session on burnout in the information security field. We’re expected to be perfectionists, yet we cannot even come anywhere close to perfection. If we make the mistake of assuming perfection is possible, we can end up setting ourselves and our businesses up for failure.
All in all, the 2012 RSA Conference was a harsh reminder that I need to attend these shows on a periodic and consistent basis. I actually came back from San Francisco more humble than ever. I recommend you check out the RSA Conference in the future. It’s good for learning. It’s good for networking. It’s good for security. Somebody’s got to do it — it may as well be you.
Kevin Beaver is an information security consultant, expert witness, author and professional speaker with Atlanta-based Principle Logic, LLC. With more than 23 years of experience in the industry, he specializes in performing independent security assessments revolving around minimizing information risks. He has authored/co-authored 10 books on information security including the best-selling “Hacking For Dummies” as well as the newly-released “Implementation Strategies for Fulfilling and Maintaining IT Compliance.” In addition, he’s the creator of the Security On Wheels information security audio books and blog providing security learning for IT professionals on the go. You can reach Kevin through his website principlelogic.com, follow him on Twitter at @kevinbeaver and connect to him on LinkedIn.