Tuesday, 19 February 2013

Hacker Halted: Security Challenges of 2013

EC-Council - Hacker Halted 2012

Firebrand Training recently went to Miami to pick up the Training Centre of the Year award from EC-Council - at their Hacker Halted conference. We learned some pretty scary facts from the last year:
  • 174 million data records were stolen
  • 96% of hacks weren't even slightly difficult
  • 85% took two weeks or more to discover
  • 92% were discovered by a third party (how embarrassing is that?!)
We also got a chance to interview Juan Gomez-Sanchez, Founder of Optima Consulting and C|CISO (Certified Chief Information Security Officer), who spoke to us about the biggest security challenges we will face in 2013. Watch the interview below:


Video Transcript:
My name is Juan Gomez-Sanchez. I am the Founder and Principal for Optima Consulting. I have about 18 years of experience, specifically leading security organizations as a practitioner. I was invited to the CISO summit by the EC-Council to talk about the security challenges in 2013 and beyond. I do welcome this opportunity. These are actually challenging times. There are game changers that are actually changing the way we actually react to all of these security situations and concerns as a whole. I would position those issues in four different buckets, so to speak.

The first one is one of the biggest issues that we have in the industry today: security is actually tagged against compliance all the time. Unfortunately those are completely different things. So the question is compliance versus security. What we have seen over time is that compliance has actually overtaken security, just because organizations need to be able to show compliance to any given regulation, falsely understanding or thinking that that is actually going to make them more secure. Organizations are dealing with this situation on a daily basis, whether it's here in the U.S. or anywhere in the world, where regulations are taking a foothold on how security organizations are actually being effective or not.

So, what we have here is a myopic perspective on security, trying to fit security in when compliance is actually driving it. That absolutely is not a good thing. So, the right approach to this is to actually have a security program that, as a byproduct, shows you the compliance that you actually need. By the way, as a byproduct of a good security program, you also get other things. You get a good risk management process, and maybe even, if you want to think about this as a market differentiator, your competitors are actually going to be looking at you and you need to differentiate yourself. Security is actually more often being used as that differentiator. So you want it. Your customers want it. Your citizens want it. So why not use it as a business enabler rather than actually something that you have to comply with, such as with regulations? So that's the first one: compliance versus security.

I would say that the second big issue that we're dealing with from an industry perspective is the fact that security is still being perceived as a technical problem. It truly is not. The technical component of this is minute. It's small compared to the big risk about dealing with security in a holistic perspective. Security is about organizations. It's about procedures. It's about, of course, technology. But that, again, is actually a small component of that. Case in point, risk management: all security programs should follow a risk management process, which is, by definition, not an IT process. The perfect example is things such as background checks, which I understand are not universal. There are countries and places where you cannot do this. But the fact that you have to impose background checks under certain regulations or security programs is not a technology issue. However, it's a very important control.

So what you have right now is security organizations being basically put into the technology field, which I believe is actually a contradiction to what we're actually trying to do here. Because technology is there to actually enable organizations to do things more efficiently, and so should actually be security. But the problem is that it actually goes beyond the technology component. That's actually a problem.

I would say the third problem that we're having to deal with is that security is still not viewed as a business enabler. As I said before, customers and citizens today demand security. The only good way to actually deal with this situation is to actually convince your CEOs, your CFOs that without the level of security for your organization and protecting the data associated with your organizations, you're not going to get and achieve those business goals that the organization has set forth today. So security has to sit side-by-side with all the stakeholders from a business perspective to be able to actually go and make those decisions. That unfortunately is not happening.

Now, the fourth issue that we're dealing with is the fact that insecurity is becoming the norm. If you take a look across the world, the number of breaches and things like that, it's mind-boggling. The numbers are rising. 2011 was actually a bad year, and 2012 is actually becoming worse. What you are having to do is to react. The security industry is a reactive industry, and unfortunately every so often, every few years, the security industry gets slapped in the face saying, "Hey, you need to catch up."

About the Author:
Sarah writes for Firebrand Training on a number of IT-related topics. This includes exams, IT training, IT certification trends, project management, certification, careers advice and the IT industry itself. Sarah has 11 years of experience in the IT industry.