Last week Gartner held its annual Security and Risk Management Summit outside of Washington, DC. The event draws hundreds of CIOs, CISOs, and decision-makers in IT and security from organizations all over the world. The conference schedule was aggressive, covering a broad range of important and controversial topics in security and risk management. We attended both high-level and prescriptive “how-to” sessions, and saw four important themes emerge. Here’s a closer look at our top takeaways from the event:
1. There’s no such thing as a perfect security solution.
In almost every session we attended, Gartner analysts were sure to make one thing clear: There’s no magic bullet for fighting off threats. If a business purchases every security solution on the market, it’s still no guarantee that its data will be protected from APTs or hackers. While this concept alone isn’t new to IT, Gartner’s suggestion for how to respond to it was enlightening.
Instead of working to check off boxes on a list of security layers (firewall, secure web gateway, antivirus, etc.), or rushing out to buy the latest and greatest solution, IT and security teams would be more effective if they focused more on understanding business objectives and introducing stakeholders to the risk continuum. Raising key decision makers’ awareness of the chance of a security event, and the impact it could have on those business objectives, is an essential step toward getting a budget for a new security solution.
2. Legacy security vendors and enterprises alike are looking to startups to fill the innovation gap.
We’ve talked often on this blog about how legacy security vendors are struggling to keep pace with today’s technological changes. During his keynote on Tuesday, Symantec CEO Steve Bennett explained that the future innovation path of the security giant is dependent on partnerships and integrations. When pressed further, he was candid, saying, “We bought growth. We never asked our engineers to be innovators.”
So who will innovate? During a panel discussion later that day, leaders of security startups like Bromium and CrowdStrike shared insight on why startups are more equipped to serve the current and future needs of the market. Put simply, these agile young companies aren’t held back by history. There’s no innovator’s dilemma keeping them from building and adapting products to solve new problems. And the analysts are now hearing more enterprises ask which companies beyond the old guard they should be evaluating.
3. Securing BYOD is really hard, and no one has all the answers.
Putting an effective security strategy in place for corporate-owned mobile devices is hard enough, so attempting to apply universal policies to employee-owned devices can seem downright impossible. Acknowledging that it’s an uphill battle, Gartner Analyst John Girard suggests scoping the initial mobile device policy first from the perspective of what’s possible for BYOD, and concentrating policy around the platform that the majority of users choose today (for many organizations this is iOS).
Analysts suggest that using application control and MDM will become increasingly effective for securing devices owned by the business. Securing employee-owned devices, on the other hand, requires a solid investment in educating and partnering with end users. And of course, making trades. Analysts also suggest educating users on the broad impact of lost data or productivity, and shaping security in the context of employee rights and responsibilities.
4. Whether threats are advanced and persistent, or just annoying, we need to adjust the way we secure against them.
Many are guilty of broadly describing cyber attacks as Advanced Persistent Threats, when perhaps we more accurately mean to say malware distribution networks or botnet infections. So it was great to see several of the presenters at the summit exploring a deeper analysis of the much-hyped phrase. Dave Monnier, Security Evangelist at Team Cymru, suggested we shift from focusing on the idea that these attacks are advanced (they’re not, he says) and start focusing on their persistence. He explained, “You can put in multiple layers of prevention technologies, but you need to spend more time on detection and mitigation. No matter how tall a wall you build, something will eventually scale it.”
Gartner Analyst Lawrence Orans expanded the conversation, suggesting that as a security community we’ve got to do better than complacently expecting traditional security solutions to universally protect against threats. The issue isn’t the evolution of the threat itself; it’s where the threat makes an attack – opportunistically leveraging our once-clean device supply chain, and our massive cloud networks. Orans suggested we’d be well served to prioritize securing mobile devices that leave the secure corporate environment and heighten security for cloud networks.
What are your thoughts on security at large, legacy security vendors vs. startups, BYOD, and advanced persistent threats? Leave them in the comments or share with us at @getumbrella on Twitter.