Fun in the sun

The three-day meeting at the Westin Resort gave delegates the chance to hear from top thinkers in IT security on the most pressing issues facing the industry, as well as an opportunity to network and exchange ideas off the record with peers and vendor representatives in an informal setting. Attendees also had the opportunity to earn continuing education credits from ISC2 through hour-long sessions held throughout both days.

Will Pelgrin, director of the New York State Office of Cyber Security and Critical Infrastructure Coordination, kicked off the event with an informative keynote that touched on an array of topics, including identity theft, laptop safety, and risks posed by disgruntled employees. A key part of his message, which provided a general analysis of the current threat landscape: "Cybersecurity is everyone's responsibility."

Session speakers who followed over the next two days focused on a range of topics, including implementing two-factor authentication, making sense of an increasingly intricate set of global laws and regulations, and dealing with insider threats. Others offered advice to organizations wrestling with increasing vulnerabilities and outsourcing concerns. Each session concluded with a question-and-answer session, with audience members participating freely.

As the program progressed, it became clear through speaker and delegate dialogue that the overarching concern for most was developing the right risk management techniques to tackle threats inside and outside the organization, as well as meeting compliance demands.

Other discussions, in sessions and over drinks and meals, centered on the fact that many delegates still have a more difficult time handling cultural issues than more specific IT problems.

"When it comes down to it, my biggest job right now is changing the attitude of my users and co-workers to be more security conscious," one delegate told us during the first night's cocktail reception. "No amount of technology can fix that; that's why it is so hard."

Relevant to that discussion was the session on insider threats led by Lloyd Hession, vice president and CSO of BT Radianz. Hession discussed the dangers facing organizations from within, posed not just by malicious end-users but also by the oblivious and the dangerously curious. The more distributed the workforce, the greater the risk, he said, while sharing hands-on advice on employing better controls, such as minimum-duration vacations and clearer separation of functional boundaries to keep employee activities in check.

But it wasn't just the employee threat that many delegates were worried about. Others attended to gain knowledge of how to reduce risks posed by partners with less-than-ideal security postures.

Stephen Scharf, a member of the international board of directors for the Information Systems Security Association, discussed best practices for auditing partners to reduce risks. Scharf gave advice on how to create an effective auditing program and offered his opinions on prioritizing partners based on their impact on the organization's security.

In a related talk, Jody Westby, CEO of Global Cyber Risk, weighed in on the dangers organizations face when outsourcing. She told audience members that companies must realize that many of the top outsourcing nations lack privacy laws. The burden, therefore, falls on the organization to establish a suitable contract with the outsourcing vendor.

The forum was not all work-related. Attendees had time to unwind from their daily routines by lying poolside, hitting the beach or taking advantage of the hotel's vast amenities.



Words of wisdom

Seven leading information security thinkers spoke during May's SC Forum in Hilton Head Island, S.C., providing audience members with an informative and unabashed look at the industry's current events. Here is a sampling of some of their key points.

Will Pelgrin, director, New York State Office of Cyber Security and Critical Infrastructure Coordination:

  • Cybercrime generates more money than the sale of illegal drugs.
  • The best metric: Am I more secure today than I was yesterday?

Jody Westby, CEO, Global Cyber Risk:

  • Compliance becomes especially problematic in outsourcing.
  • The three top countries for outsourcing — China, India, the Philippines — have no privacy laws.

Lloyd Hession, CSO, BT Radianz:

  • You may be secure from outside attacks, but insider threats never go away.
  • Estimated chance of conviction for a hacker: 1 in 7,000.

Rick Baich, managing director, PricewaterhouseCoopers:

  • Identity theft: Not if, but when.
  • Risk is increased because of partners, which are an extension of your network.

Stephen Scharf, Board of Directors, ISSA International:

  • Customers will make no distinction between you and the vendor; many won't return if there is a breach.
  • A standardized assessment process must be developed; BITS is working on it.



SC Forum 2006

  • The next SC Forum will be held Oct. 30 to Nov. 1 at Silverado Resort in Napa, Calif.
  • Contact Liz Lockard at [email protected] for details.
