Gartner Security and Risk Management Summit
Bryan Casey
This week is the 17th annual Gartner Security and Risk Management Summit. There are lots of leading experts from around the world in attendance, including many IBMers, and we wanted to take this opportunity to make sure that some of the content reaches folks who aren't able to attend the event. That is why over the course of the next several days we'll be bringing you highlights from around the conference. I am going to continue updating this single post, even after the conference ends, and hopefully you find it to be a helpful resource regardless of whether or not you are in attendance.
I should mention that I am not personally at the event. The observations are those of a teammate of mine, Sydney S. Johnson. She is our acting security correspondent in the field. I should also mention that you can view IBM's agenda at the show by clicking here.
I will continue posting the most recent news at the top of this entry.
(6/22) David Pogue, Tech Columnist, New York Times
David spoke about how technology drives culture. 95% of cars today come with an iPod adapter, but what he finds most interesting is not the technology itself, but rather how it changes us. Using the example of apps, David spoke about how quickly you can bring a new technology to the consumer market. Millionaires have been made overnight. David believes this is an important new characteristic of the way technology is changing our lives, and he believes that augmented reality is one of the next big steps we will see. David also pointed out that new technology does not necessarily replace what came before it. TV was supposed to be the end of radio. But radio didn't die; we just changed the way we interact with radio.
But the question is, what does all of this have to do with security? The answer, of course, is that it has everything to do with security. All of these cultural trends are driving us online, and that trend makes security an increasingly urgent requirement.
(6/21) 9:30 AM. Social Media and Security and Privacy
This session featured Marne E Gordan (@MarneEGordan), Regulatory Analyst, IBM Corporate Security Strategy. Marne began by talking about the enormous benefits that social media has brought. People are communicating, in real-time, in exciting new ways. Businesses are reaping the benefits because social media is inherently high in impact and low in cost. However, with emerging technologies also come new risks and challenges. This does not mean that we avoid new technologies (I am blogging about this), but rather that we take a strategic and thoughtful approach so we can more confidently use and embrace what's new.
Marne looked at a few examples where we can see why there are legitimate concerns about social media. We've seen online harassment, the leaking of private and corporate information and the scandals that resulted, questions around privacy and finally, how we control the convergence of our professional and personal lives. These are not easy questions to answer, and Marne used some statistics from Osterman Research (http://www.proofpoint.com/outbound) to illustrate this point. According to what Osterman learned, 30% of organizations have already seen a negative business impact due to social media, 47% of organizations reported not having a social media strategy and 53% are concerned about the risk of an information leak due to social media.
However, there are things that organizations can do to help mitigate these risks.
Marne concluded by talking about the 5 "must haves" organizations need to have when it comes to social media.
5) Have a contingency plan: If something is inappropriately communicated you should have clearly defined steps and actions you can take.
4) Personal Communication: When you are thinking about the way you are presenting yourself as an individual, always consider if you have identified yourself as a corporate spokesperson.
3) Corporate Communication: Getting approval for things that are questionable is not a bad thing.
2) Clearly define appropriate use: Make sure to be even-handed.
1) Have a documented policy: Enough said.
(6/20) 2:30 PM. The Future of Privacy
This was a panel discussion featuring Harriet Pearson (VP Security Counsel & Chief Privacy Officer, IBM Corporation), Bojana Bellamy (Global Data Privacy Compliance Lead, Accenture), Mary Ellen Callahan (Chief Privacy Officer, U. S. Dept of Homeland Security-Privacy Office), Robert Quinn (AT&T Services, Inc., Senior Vice President-Federal Regulatory and Chief Privacy Officer), Laura Riposa VanDruff (Attorney, Bureau of Consumer Protection, The Federal Trade Commission) and Heidi Wachs (Director of IT Policy and Privacy Officer, Georgetown University). The opinions expressed by the panel participants are their own and do not represent the opinions of the companies they represent.
This group of panelists was asked the question: in 2015, will privacy be over-regulated, appreciated or ignored?
The group began by addressing the first possibility, that privacy will be over-regulated.
Harriet began the discussion by saying that the importance of privacy regulations is likely to vary based on the specific area of privacy. In certain areas, we may favor strict government regulation (e.g. children's privacy), but there are other times when we expect that the private sector may have effective privacy best practices in place, and government regulation could make privacy policies less efficient. Mary Ellen built on that idea, saying that because we tend to be reactive in legislation, the legislative agenda might be behind the work going on in the private sector, and we need to be careful not to have government regulations that conflict with the efforts of the private sector, especially in areas where the private sector has demonstrated success and leadership. Bojana added that in Europe, privacy is regarded as a human right, and developing privacy regulations and policies in specific countries is an issue being complicated by worldwide convergence. Robert pointed out that his company's industry - communications - is, in his opinion, over-regulated, and has been for years. He believes this over-regulation stems in part from the need to ensure that law enforcement retains access to the information it needs. Additionally, he noted that one of the challenges that exists is that many of the companies that generate and leverage data don't have an actual relationship with a consumer group. When there's a data breach, who has the relationship with the customer to go and tell them that their data has been breached?
From there, they moved onto the second question. Will privacy be appreciated? Will people care?
Laura began the discussion by saying yes, people will care. The more people understand how their information is being used, the more attentive and interested they are going to be regarding questions of privacy. She noted that social media platforms do have privacy options, a comment that Harriet then built on. Harriet noted that sometimes people understand the immediate impacts of new technology, while at other times they don't discover them until later. She said that organizations must make decisions regarding when and how they will adopt privacy models. She commented that a check-the-box approach won't get us very far, because organizations need to look at themselves and make deliberate, strategic choices. Robert also made the point that location-based services were coming and asked how we retain "best privacy practices" amongst applications. He believed it was the obligation of companies to get out in front of this.
Finally, will privacy be ignored considering the growing volume of other risk-related messages?
About 6 months ago the FTC proposed a privacy framework that would include "Privacy by design," "Simplified consumer choice" and "Improved transparency." (This framework is still in the initial phases of recommendation and the team is working to improve it based on stakeholder comments.) Questions were then brought up around whether or not privacy could be enforced. In response, Bojana closed by talking about "Privacy by design" and her hope that privacy will one day be built into every product brought to market, transforming privacy into a business enabler.
Gartner ended the session by doing an informal audience poll. Of the audience members who participated, 43% think privacy will be over-regulated by 2015, 43% believe it will be appreciated, and 14% think it will be ignored.
(6/20) 10:16 AM. Michael Chertoff (Co-founder and Managing Principal, Chertoff Group) was the next to speak. He is the former Head of the Department of Justice Criminal Division and a former U.S. Secretary of Homeland Security. Given his background, he spoke about how to effectively manage a crisis and brought it down to three key elements:
1) Planning: You will need to adapt and manage, but in the event of a crisis, you should never be starting from scratch.
2) Communication: It is about both what you take in and what you put out. Situational awareness is critical, as you must know what is going on in real-time; otherwise you become a hostage to media and hearsay. Communicate to the public in a way that is accurate, credible, and succinct.
3) Decisiveness: Acting on your plans.
During the course of his talk, Chertoff also focused on the relationship between government and the private sector as it pertains to the internet. As an example of the conflicting thoughts in this space, he mentioned that there are people who believe the government should have an internet kill switch and others who believe the private sector should be completely in control. Chertoff suggested more of a balance, and that we need to focus on defining the overall doctrine and strategy. In his opinion, it is important that we become clear on what is government's responsibility, what the responsibility of the private sector is, and what their shared responsibility is.
He also suggested that we should not try to fit this doctrine into the existing legal landscape. Chertoff believes that we should adapt the law as needed, and if done correctly, we should be able to preserve the essence of the internet while also retaining trust and security and fostering economic growth.
Chertoff also had some interesting thoughts on wanting to get more of today's youth involved in security, emphasizing that defending a system can be as exciting as attacking one.
Looking into his crystal ball, Chertoff felt that cybersecurity was going to be one of the two critical national security risks in the next decade (the other being biological warfare).
(6/20) 10:00 AM. Vic Wheatman is the managing vice president of Gartner Research and is part of the security and privacy team.
This is the 17th annual Information Security Summit, and this year there are over 1,800 attendees and 93 solution providers. Vic made a number of key observations around "Enterprise Security Intelligence," or ESI. He says this is not a market so much as a concept. The concept is based on the integration of technology and information, and on how analytics can be used to make better decisions. It's not just about being able to collect information (which organizations are doing a pretty good job at right now); it's about being able to apply that information in a meaningful way (an area where organizations have an opportunity to improve).
He also commented on the changing profile of attackers. We are seeing a revival of cyber attacks designed simply to humiliate.