In this interview, Herbert ‘Hugh’ Thompson, Program Committee Chair for RSA Conferences and Chief Security Strategist at People Security, talks about challenges faced by information security leaders, privacy issues, social networking, and RSA Conference Europe 2012.
You spend a lot of time talking to information security leaders working in different industries. What keeps them awake at night?
In the field of information security, we often believe that we have a reasonable set of controls in place to manage risk. The truth is that we have very few risk metrics to work with. Our life is an exercise in managing known and unknown risks. It’s the unknown risks that leave security leaders sleepless.
In terms of topics: Highly targeted attacks are a very serious problem for large organisations. Attackers have moved from technical exploits to manipulating people. The human element of security has long been ignored in enterprise defense, yet, it is often the starting point for targeted attacks. I think we have a lot of work to do in this area.
Based on your experience, how has the role of the enterprise C-level executive dealing with information security changed with time? What challenges does such an executive face today that haven’t been part of the job description a decade ago?
Today’s successful C-Level security executive has to be a master of the “soft skills.” More than ever, security leaders need to be able to communicate effectively, all the way up to the board, laterally across their organisations, and down to rank and file employees.
We are in a discipline that can’t be boiled down to performance metrics on a PowerPoint slide. We operate in an arena of nuance, of uncertainty, and as a result, security executives need to be skilled ambassadors. Security executives also need to have the ability to deal with ambiguity and uncertainty.
Given all the potential privacy and security implications, is there a place for social networking in the modern enterprise? How can a large company expect to battle data leaks when so many employees are inadvertently over-sharing potentially valuable information?
I think that the over-sharing of information on social networking is both a technology problem and an awareness problem. It is a technology problem in the sense that we need to equip employees with easy to use tools and services that will help to preserve their privacy and protect potentially sensitive corporate information when they post to social networking sites.
Technology can help strip geolocation information from photos or context information from an update for example.
The greater challenge is the content of posts. Most employees don’t wilfully post sensitive corporate information online for attackers to find. In many cases, the problem is that they believe that the audience for the information they share is their friends, family or colleagues
If there were only one security thought you could have run through the minds of employees to help, it would be this: remember, attackers and competitors may be your audience. If employees looked at their behaviour online under that lens, and if you demonstrate to them how these information breadcrumbs are gathered up by attackers, I think they would naturally behave differently.
Despite a variety of anti-malware technologies, targeted custom malware attacks are causing a lot of financial damage on a global level. What type of shift do we need to counter such a unique and fast-changing threat?
Signature-based analysis of malware is necessary but not sufficient. We need to get earlier in the malware life-cycle. We need to study malware delivery networks, how they are run, and anticipate where the malware might be coming from. We also need to harden the workforce.
Most targeted attacks are successful not because of the technical brilliance of the attacker. Typically attackers get a foothold into the enterprise because an employee made a bad choice. Maybe they installed an executable, or browser plug-in. Maybe they were deceived into emailing out some sensitive information. We need to fundamentally rethink our approach to security and factor in the vulnerabilities created by well-meaning insiders that make bad choices.
What events and technological advances in the field of information security have shaped this year’s program for RSA Conference Europe?
After reviewing all the session submissions this year to RSA Conference Europe, a few key themes emerged. The first is mobile security. There is significant operational concern about how to implement an effective mobile security strategy in the enterprise. At this year’s conference you will see sessions on mobile security that range from mobile malware to BYOD management to creating a long-term mobile security strategy.
A second big topic was analytics. How do we get smarter about analyzing the massive volume of logs that we have internally? Can we anticipate an attack by mining threat information externally? You’ll see quite a few sessions at this year’s conference focused on this area. Outside of these topics, we have sessions this year that really span the breadth of our field: privacy, securing the human, APTs, forensics, GRC, authentication and more.
What speakers and topics would you highlight?
We are at a pivotal time in information security. Over the past 24 months we’ve seen a surge in targeted attacks, the popularization of hacktivism, and the rapid, almost universal, adoption of mobile devices in the enterprise. We’ve got a lot to talk about this year, and you can see these themes reflected in our keynotes. Bruce Schneier is going to talk about the nature of trust.
Misha Glenny and others are focused on the underpinning of freedom online. Several others are focused on threat intelligence and analytics. And we’re very excited to have Jimmy Wales close the conference. There are a lot of practical, implementation-focused sessions in the class tracks this year that explore issues ranging from detecting an APT to dealing with the demands of new privacy legislation. I think it’s our best agenda yet.