As we've seen, we can't just keep doing what we've been doing. The cost of not ensuring the confidentiality, integrity and availability of information keeps rising, and at some stage (if not already) we will reach the tipping point where the cost of not having an effective security program overtakes the cost of having one. Throughout the day we have seen the scope of the attack and we've built a picture of what defenses are required. With limited resources, the appropriate defenses cannot be put in place overnight. We need to decide where to start and how to internally "sell" the adaptation of existing programs to meet this growing threat. In this session we'll discuss this and answer such questions as:
- How to change the current mindset to get executive sponsorship for upgrading a security program for this threat?
- Where should limited resources be focused first, and on which technologies and processes?
- Which specific mandates, like the inspection of all encrypted traffic and data classification, should be implemented?
- How do we make compliance with a chosen set of security policies a minimum "floor", as opposed to a "ceiling", achieved only for a brief period of time?
- Is it negligent to create a product or service that has not had any security built into its development lifecycle? Is it negligent to put a product into service without demanding assurance that it was created securely?