I'm just back from the Gartner Security & Risk Management Summit 2013 held outside Washington, D.C.
The main mission of the event, of course, is for highly regarded Gartner analysts, such as our friends Avivah Litan and Anton Chuvakin, to discuss bleeding-edge research and offer insights into topics like Gartner's own five-year vision of the security future.
But there is a great deal of discussion outside the main conference rooms, and I was privileged to participate in many talks with thought-leaders from security solutions vendors - and not just U.S.-based vendors, either. I met with leaders from companies headquartered in Canada, South Korea and even China.
Everybody, it seems, has an opinion on what are the most serious of the advanced threats and why most organizations are ill-prepared for them. One of the thought-leaders I met, Brian Laing of AhnLab, even wrote a timely new minibook, "APTs for Dummies," which instructs on how to protect organizations from unknown malware and APTs.
If the conversation didn't center on advanced threats, then it focused on the mobile explosion and why organizations need to expedite their shift from device management to data protection.
The topics can get repetitious, but if you ask probing questions and really listen to the responses ... there is valuable insight to be gained. If I were to distill everything I heard at the Gartner event, I'd have two main takeaways:
- Our entire approach to security breaches is dangerously outdated;
- The mobile explosion gives us a fresh chance to get it right.
Regarding our fundamental security posture, Tom Cross of Lancope says we're misdirected. Rather than focus on breach prevention, which is increasingly difficult because of the insidiousness of these advanced threats, we need to shift resources to incident response, Cross argues.
"When you look at these incidents, you get to the point where [you realize] there really wasn't a business process you could have put in place that would have prevented this attacker from being successful at compromising your network," Cross says. "And you've got to ask 'What do I do now? Where do I go from here?' I think incident response is becoming more central as a part of how we defend our networks."
Joshua Corman of Akamai takes it further. He says our entire security posture is 10 years behind the times, and the security industry needs to hit rock bottom before it can rebound.
"No one changes until they're sick and tired of being sick and tired," Corman says.
His prescription? That we re-focus our security measures entirely on the adversary - the hacktivists, criminals and nation-states and how they approach intrusions. "I'd like to be much more sniper-like in who's attacking us, with which motivational structure, going after which assets within that structure, and what are their tactics, techniques and procedures," Corman says. "[This approach] essentially allows you to be very focused on the right counter-measures - on the right assets against the right players."
It's a bold stand and one that's bound to be a bit controversial. I'd love to see some response to it in the comments box below.
A New Opportunity
So, what about mobile?
Well, on one hand, mobile gives us the opportunity to repeat every security misstep we ever made with desktop devices. We can issue or support devices that lack fundamental anti-malware controls; give users far too much access to critical systems with too little authentication; and then we can just pay lip service to awareness and training, all the while bemoaning the "human element" that loses devices or opens bogus files, exposing our organizations to a Pandora's Box of cyber mischief.
Or we can take advantage of the paradigm shift (that term gets bandied around a lot, but this time it's legitimate) and use it as an opportunity to practice security differently.
We always talk about "deputizing the user," and mobile gives us that opportunity. If your employees are using their own mobile devices for work, then they've got a vested interest in keeping that data and those devices secure.
It's not a leap of faith, then, to nudge these employees toward better security practices, including staying current on operating systems and anti-virus, using safe applications, practicing more secure authentication and confining mission-critical activity to secure networks.
The key is to approach mobile security holistically and with the end-user - not piecemeal. It's not about mobile device management systems or application security or the network or even training. It's all of the above.
Dave Jevans, chairman of the board of Marble Security, framed this challenge nicely.
"It's a new space, and so you have to come at it from a network security view and understanding of what's going on in the crime environment," Jevans says. "And that takes a different kind of expertise."
The same can be said, frankly, for how we move forward toward Gartner's five-year view of security and risk management. In many ways, to get from here to there does require a different kind of expertise. And it's our responsibility to develop it.
Again, I welcome your thoughts in the comments box below.