This year’s conference kicks off with a session from none other than Dr Hugh Thompson of the RSA Conference Program Committee. Thompson, who also serves as CTO and CMO for Blue Coat, delved into security trends as his main focus this morning. This introductory session looked at some of the major shifts in the security sector, the economics driving these shifts, and the trends that are shaping current and future decisions for business around the world.
Thompson starts by welcoming us all for coming to this event—especially those who have travelled far from overseas (I was on that ship!). He quickly navigates through his slides and lands upon what describes as how businesses have to deal with striving for compliance and the consequences actually being compliant. Today’s organizations have to swallow the fact that disclosure laws mean that the consequences of failure have tremendously increased. The shift in technology means that most of the applications and transactions now operate over the web.
These are some of the key points that Thompson covered from an organization’s point of view:
- The Cloud is now changing our notion of the perimeter
- Worker mobility is redefining the IT landscape
- Shadow IT is becoming Enterprise IT
- Majority of web transactions are now encrypted
“Pick up the newspaper any day and all you’ll see is more and more attacks on intellectual property” said Thompson. “You can be totally compliant and totally insecure at the same time,” he added.
Thompson then proudly unveiled his own “made up noun” – Hackernomics, which he explains as a social science, concerned chiefly with the description and analysis of attacker motivation, economics, and business risk. Hackernomics is chartered by five fundamental immutable laws:
- Most attackers aren’t evil or insane, they just want something
- Security isn’t about security; it’s about mitigating risk at some cost
- Most costly breaches come from simple failures, not from attacker ingenuity
- In the absence of security education or experience, people naturally make poor security decisions with technology
- Attackers usually don’t get in by cracking some impenetrable security code. They look for weak points like trusting employees.
On conclusion, we should not blame those who we have not armed with the knowledge or tools to protect our weak spots. We are not robots nor will we ever be, at least not this side of the next election.
There are more levels of access than ever; extranets, partner access, customer access and identity management to support them all. We must not leave any stone unturned when sensitive data is so easily obtained.