RSA Impressions - 2: Compliance "Megatrends"
2008-04-08 17:47:00 by Dr Anton Chuvakin in Anton Chuvakin Blog -
So, one more impression for today: I am sitting at BUS107 panel session titled "Compliance Megatrends: The Future of Information Security" and there is actually some interesting discussion going on. Here is my account of this session:

  • One person said that 'a common theme recently is that "those breached were compliant"' (meaning TJX and Hannaford). I question: is this really so? I think the truth is everybody, compliant or not, is 0wned, not that "those compliant are 0wned"
  • All panelists predicted that governments (US and European) will be influencing security more in the near future: more laws, more regulation, more enforcement (and that governments will do more to secure their own systems)
  • One person proclaimed that 'the law enforcement model of security (detect->respond) doesn't work anymore', but said nothing about what comes next instead, etc. I just hate empty posturing like that ... but wait! There is more from the posturing department: one more panel member said 'we need to not buy software products unless "absolutely secure".' Hellooooo, is anybody home? :-)
  • ISO27001 is hot. Really? A lot of people in the audience seemed to like ISO27001. So, is it enough to predict its takeoff in the US? Somehow I am still skeptical ...
  • GRC was mentioned... in passing. Everybody heard about it - and nobody cared. One person said "GRC... hmmm... so, how do you know you have it?" :-)
  • One more person said that "plausible deniability [about security] is dead" - companies cannot pretend that information security doesn't exist anymore ... Again, no matter how much we want this to be the case, is this really true? I think many smaller companies are kinda still in the same bin?
  • A bizarro opinion on PCI DSS was voiced by one panel member: she said that she dislikes PCI since it is "too prescriptive" and it got turned into a mindless checklist (losing the original intent of improving security). She also disliked that PCI compliance evaluation is bad: based on a "dumb" control checklist, not on measuring the effectiveness of "meaningful controls." I think this is true to some extent, but I'd hate to blame it on the PCI DSS standard itself.
  • Finally, the panel's take on "What will happen in 5 years?" Their predictions: catastrophic events ("Estonia-like" - eeeeh, you mean somebody is fined $1642?), 'integrity of data' attacks which are "exceptionally scary" (data loss -> data change!), growth in data volume (huge!) with a total lack of how to control it, increased dependency on the Internet - without a corresponding increase in security, SaaS and Web 2.0 will change security and so will virtualization (now, that's original :-)).

So, it was all good fun!
