I’m very pleased at how well the theme — navigating the new security & risk reality — resonated with the two hundred security execs that joined us in lovely San Diego.
For those who attended, let me send out a big THANK YOU. I know it’s a lot to take two days out of your schedule and, as always, we appreciate your attendance. And remember, you can head to the link above to get all of the presentations.
But now we must return to work and start implementing all of the insight we discussed. To help, I thought I’d take an opportunity to summarize this year’s top three takeaways, in no particular order.
Takeaway 1: Giant squids are the stuff of horror movies, and stand-up comedy. For those of you following along, you’ll know I struggled with whether I should incorporate the recent squid invasion of San Diego in my opening remarks. I did — and it went over well. I shall live to host another event.
Takeaway 2: It’s critical for security execs to master a shift in ownership. Ok, the first takeaway isn’t of much help, but I couldn’t help myself. So this one is for real.
The entire event was organized around three shifts in the security and risk management landscape: 1) a shift in business expectations; 2) a shift in data ownership; and 3) a shift in security architecture. The shift in ownership proved to be the most critical.
Why? Because a new generation of outsourcing and the consumerization of IT are usurping control from IT. The introduction of cloud computing gives IT the flexibility to tactically outsource IT services.
At the same time, the enterprise workforce is demanding more flexibility, and employees sporting consumer-grade gear are eroding traditional security controls. As a result, today’s organizations don’t own their data anymore.
This leads me to . . .
Takeaway 3: Security execs hate Twitter. I’m not joking. This year’s audience was most excited when two speakers — Marcus Ranum and Hord Tipton — denounced the use of Twitter. On day one, there was loud, thunderous applause when Marcus mentioned that he is adamantly against Twitter.
This was repeated on day two when Hord mentioned he, too, didn’t see the value in Twitter. Ironically, I was tweeting during both accounts (search for #FSF09 if you’re interested in my observations), but I digress.
In all honesty, this makes perfect sense. Twitter is a scary. There is the chance that intellectual property could be leaked; that users could click on malware links ingeniously disguised in tiny URLs; or that your company could be liable for inappropriate comments tweeted from a corporate device.
Of course, all of that is added to the fact that there is a misconception that Twitter is just filled with nonsensical observations like, “The line is long at Starbucks right now.”
But I was still a bit shocked by the audience reaction. It’s very clear to me that we’re at an inflection point in information security. What we called a “shift in ownership” will be the challenge of all CISOs heading into 2010.
It’s no longer sufficient — and definitely not necessary — to denounce the use of social media. Security has to find a way to let enterprises security embrace consumer hardware and software. Stay tuned for more research and blog posts, but in the meantime I’d love to hear your thoughts. Can security execs continue to simply prohibit apps like Twitter?
Let me know. Oh, and feel free to email me. I know you won’t tweet me your thoughts. (But just in case, it’s rwhiteley0.)