Got up very early this morning and drove my weary/almost recuperating remains across our state to an IT security conference. The initial impression I received was that this would be a painful day. Despite the lack of any food that was even close to being suitable for Passover (you know - the 'no leaven thing') it turned out to be a worthwhile day. (Oh - and I didn't have an appetite anyway.)
First session was a by a lawyer specializing in IT related defense discussing her actual cases (which her very large firm has more than enough of).
Discovery cases are huge and mostly unreported (wait until the boss hears that!)
Zubulake V cited along with Kessler. IT staff handled it like Laurel and Hardy.
Big news - lawyer having done this for years continues to see corporate IT staffs as incompetent and untrustworthy - giving us plenty of examples.
Unfortunately, everything she describes is all too familiar.
And of course executive management is blissfully unaware of this until a lawyer gets called in and she has to cope with a system out of control.
I don't blame IT - it reminds me of the old "I Love Lucy" show where Lucy gets stuck on a malfunctioning chocolate production line. IT is compelled to crank out work without regard for maintainability and control. Executives don't want to hear about the problem or costs. Then Sarbanes-Oxley hits and controls are forced into place, with most companies complaining loudly about new costs. We are talking about basic controls that should have been required from day one!
Next session was a principal from one of the Big 4 accounting firms.
Reaffirmed above - they see a lot of the Fortune 500 and see the same lack of basic controls. IT makes the classic mistake of applying technology as the solution when in fact the solution usually requires a change in business process which can be supported by technology. Big point is to 'operationalize' security.
RSA guy talked about smart cards and digital certificates - man is this timely. He basically reaffirms my little model - but to do it justice I should make a slide. The basic issue is that in all of the models today there is a weak link between the person and the authenticator. A key issue he raised about biometrics is what happens when you lose your biometric device - how do you reset that 'password'?
Keynote was about Cyber Security from the Washington DC perspective. He had some good points, but afterward I talked to him about Barnett and the need for a U.S. position on global cyber security strategy and policy. He was receptive; I'll need to follow up soon. Their [ITAA] biggest beef is lack of a U.S. cyber czar ('Assistant Secretary') to elevate national priority.
Finally heard CISO from University of Michigan. Schools like to believe they are so much different from businesses (lack of central hierarchy) but that just isn't so when looking at large global companies which are more like autonomous businesses. He discussed their strategies and CISO competencies which I found insightful. He mentioned that they didn't have firewalls and was surprised when I said that we are striving toward that.
Best line: Put protection closest to what needs to be protected. (anti-perimeter security)
And I made it back home without getting a ticket or falling asleep at the wheel!
I'm pretty good at PDP-11 assembler and 10BASE5 (Vampire taps, anyone?), but all that other stuff is too trendy for me.
Posted by: Richard Bennett | April 28, 2005 at 08:29 PM
Oops - that comment belongs to the previous post.
Posted by: Richard Bennett | April 28, 2005 at 08:32 PM