Journal GoneGaryT's Journal: Infosec Europe Advisory Council

Well this was cool.

I was invited, along with the great and the good of corporate / police / gubmint / broadcasting IT security people, to join the first meeting of the Infosec Europe Advisory Council. Now, let me set you straight:

Infosec Europe is really the big IT Security exhibition held at London Olympia every spring, organised by (gigantic) European publishers Reed-Elsevier. Every year, there are keynote speeches and panel discussions on the topic, usually covering the hot issues du jour. For me, it's legal stuff that rings the bell, because that's really the foundation of all policy. There's plenty other stuff that's good, though, like security vis-a-vis B2B, trust relationships etc. And vendor-specific is banned, BTW, which makes it all the more valuable. (Gotta watch out for other agendas tho' - ain't paranoia beautiful!). The main thrust is "what do we need, who will sell it to us, how do we convince the Board?" Ah, the faint smell of money :)

Anyroadup, the Managing Editor of Computer Weekly, Dr. John Riley, gently chaired the meeting of about 25 guests (people from gubmint, BBC, big finance... and me [not telling which sector, but sole rep]) at Claridges Hotel, Bond Street, London W1 for a fruitful couple of hours discussion (plus nice lunch) about what bites our particular asses.

It turns out that we're pretty much singing from the same hymn-sheet and our problems are conjoined. The gubmint (unless I heard this wrong) thinks loss of reputation through confidential information leakage is overrated (-1) whereas we think it's (+1) fucking serious. Interesting.

Risk assessment is an infant science in this field, said one. Yeah, you got gross risk and net risk, but by what yardstick do you assess either? I think he's right, but we tend to fly this stuff by the seat of our pants and we pretty much hit the mark, so the science is a luxury to look forward to.

Physical security? ISO 17799 (was BS7799, "a British invention" (c) Raymond Baxter) covers this, and there was some discussion on the topic. We know that we fail it unless we can influence HR on the issue.

ROI on security figured large (we all gotta earn our crust) and it was generally agreed that we need explicit standards / protocols / minima (consequent of, if not described by, ISO 17799), not only to enable us to release budget on security, but to enable trust in B2B too. The 'Board' also needs to have a concise picture of the jungle if they're going to make realistic decisions. This points to a need for better, faster log concatenation, analysis and summarisation - and I'd pay good money for that. Logs are everything in this game. If you can't measure it, you can't manage it, right?

Hand in hand with this go training standards. CISSP was mentioned, but was thought maybe not yet accepted, with the Masters degree from Royal Holloway College seen as superior. Neither was seen as a prerequisite to the job; age and experience are perhaps still ahead. It's not as if there were a recognised "International Institute of IT Security Analysts" complete with professional exams, and that's part of the problem. It's a pretty dynamic field, though. There's something new every 5 minutes (dammit), so how do you avoid obsolete exams?

"Business must continue; if not, security has failed" bang-on, geezer - that goes on the wall, no dissent on that. This brought up issues of availability vs. security and confidentiality. Bit of an old chestnut, really.

Use of biometrics is still not seen as a single source of verification; there was talk of combinations like one or two biometric parameters plus a PIN, combinations of passive and active methods. (Hmm, just made those classifications up, BTW. Probably read them somewhere...)

Finally, talk of 'good governance' and 'the Board' taking responsibility for security, the failure so to do resulting in unmitigated disaster all round. Fair comment.

The feta cheese tarts were tasty too. And the wacky little prawn cocktail things. Neat. Very neat. It was cool, y'know?
