With an impressive list of distinguished speakers, this year's keynotes and debates offer insights on the industry's hot topics.
The entire information security industry will gather at London's Olympia for Infosecurity Europe this month. More than 11,000 visitors are expected to attend, taking advantage of the free education programme that addresses both strategic and technical issues and draws on the skills and experience of senior end users. This year's show will be busier than ever, with 300-plus exhibitors, including 100 vendors launching new solutions.
The keynote sessions are the highlight of the education programme. They bring together the industry's leading independent experts, government officials and end users from high-profile corporations and take an in-depth look at some of the big ideas of the moment.
The opening keynote speech by Lord Broers, the chairman of the House of Lords science and technology committee, explores some of the lessons from other countries that the committee has gathered in the course of its inquiry into internet security.
In his special address, Derek Wyatt MP, chair of the all-party internet group, highlights some of the key measures that will be put in place to assure the security of the 2012 Olympic Games.
Phil Cracknell, UK president of the Information Systems Security Association, leads a panel on wireless security with Andy Yeomans, vice-president of global information security at Dresdner Kleinwort and John Meakin, group head of information security at Standard Chartered Bank.
"With recent surveys showing more than 80 per cent of UK businesses now having a 'wireless policy', you would think it would be a case of 'job done'," says Phil Cracknell. "However, on closer scrutiny, it would appear that corporate wireless users have only scratched the surface. Little, if any, provision is present for the increasingly important issues of wireless scanning, rogue hotspots, evil twins and drifting clients."
Lord Erroll will lead a panel debate on identity management, examining how to pick the right tools for the job. The panellists will include Toby Stevens, vice-chairman, BCS Security Forum; Andy Kellett, senior research analyst, Butler Group; and Maury Shenk, partner, Steptoe and Johnson LLP.
"Identity management is one of the most misused expressions in modern computing," says Stevens. "The vested interests behind identity cards, biometric technologies and single sign-on systems have created an environment where it is almost impossible to distinguish between technology fact, science fiction and commercial propaganda. The heated debate around these issues is eroding public confidence in the industry's trustworthiness, and it is high time that we adopt a more transparent dialogue about system capabilities - and shortcomings - so that we can create identity assurance systems that serve providers and users alike."
"There is increasing recognition that different identity management solutions, ranging from strong password policies to multi-factor authentication to biometrics, are appropriate to different applications, in order to deal with the commercial and legal risks of particular situations," adds Shenk. "This is a significant contrast to the tendency to propose global 'one size fits all' solutions that one saw during the dotcom boom."
Paul Simmonds, global information security director, ICI; Jason Creasey, head of research, ISF; Stuart Okin, senior executive, Accenture; and John Reece, CEO, John C Reece & Associates LLP, make up the panel that will discuss whether network security is dead, led by John Riley, managing editor of Computer Weekly.
"If you think about it, the idea of application and data security at the network level is not a viable solution. Try asking a firewall salesperson praising the merits of deep-packet inspection how they handle HTTPS," suggests Simmonds. "So I'm as interested in the counter-arguments as I am looking forward to the debate."
As applications move towards architectures with components running on multiple hosts and local units, the edges of systems are blurring, according to Okin. "Essentially, applications are becoming a cloud that end users interface with, rather than a controlled black box - and IT staff may not control all of the elements of the system, especially with an internet backbone," he says. "With the additional corporate trends towards sharing and outsourcing services, these clouds of applications are also found within a traditional enterprise environment. As a result, the perimeter is no longer well defined. The challenge for organisations is to identify who is connecting with these application clouds and establish their intent."
Qualifications and working practices
With a myriad of qualifications available, the biggest question for information security directors remains: how can appropriate qualifications be recognised, and what are the right educational tools for the job that your staff are doing? This issue will be evaluated in a seminar chaired by Nick Coleman, CEO of the IISP, on "Professionalism: Where are we in 2007?". Panellists include Jeremy Beale, head of the CBI's e-business group; Chris Ensor, head of profession at CESG; and Robert Coles, director EMEA, head of information security and privacy, Merrill Lynch.
The keynote presentation "Are You Even Remotely Secure?" will examine new threats in the wake of changes in working habits, and explore ways in which organisations can mitigate them. Chair Brian McKenna, security journalist, is joined by Steven Furnell, professor of information systems security, University of Plymouth; Steve Robinson, head of IT security Europe, Lehman Brothers; and David Perry, principal analyst, Freeform Dynamics.
The danger with mobile devices is that data is being stored in an inherently more vulnerable location, with less protection than it would receive in the workplace. "If we specifically consider devices such as smartphones and PDAs, then not only does the size and mobility of the devices render them far more susceptible to loss and theft, but they are also more limited in the security options that are available," says Furnell. "Also, while we might be happy enough entering a ten-character password to access a laptop, this would be less acceptable on a PDA. Indeed, such devices are often left entirely unprotected against unauthorised access."
"The pressure to 'get me the data, now' from a senior level can lead to rapid deployment of mobile data, without a sufficient security framework," adds Perry. "Deployment of mobile applications is one of the key areas of future competitive advantage, but this opportunity must be developed alongside a comprehensive security strategy."
Keeping up with telecoms technology
Marika Konings, director of European affairs at the Cyber Security Industry Alliance, leads a panel on how to secure the latest telecoms technologies with Cate McGregor, DFN, director OGDS and agencies, Defence Communications Services Agency; and Roger Cumming, head of advice and delivery, Centre for the Protection of National Infrastructure.
The convergence of communications networks, devices and content has enabled service providers to deliver newer, faster and more advanced services including voice, data, video and applications, all over a single IP network. "While these rapid technology advancements have tremendous benefits, they have raised questions from policy-makers about whether security can keep up," says Konings. "It is vital for the information security industry to stay engaged with our policy-makers as they evaluate the impact of these new technologies."
Every business is subject to crime every day, but at what point does it become sensible for you to report it? The keynote presentation entitled "Should You Always Report Crime?" is chaired by Geoff Smith, head of information security policy, Department of Trade and Industry. He is joined by Tony Neate, managing director, GetSafeOnline; Philip Virgo, secretary-general, EURIM; and Jonathan Coad, partner, Swan Turton.
To confess or not to confess, that is the question. Is it smarter to suffer the slings and arrows of outrageous media coverage by reporting a crime, or to hope to avoid the repercussions by staying quiet, while risking even more of them? Coad says: "From my experience as a media lawyer, reporting crime to the police is a double-edged sword as invariably the press have found out about it, with my client hitting the headlines within 24 hours as a result."
And we must stop patronising small firms and consumers if we want them to do serious business online, argues Virgo. "How do they find out whether their system has been recruited into a botnet? The time has come to respond to the needs of the customer for security tools they can understand, realistic advice, guidance and support on how to use them," he says. "We also need reporting systems that will route their enquiry to someone who will respond - be it law enforcement or technical support."
To round off events, author Bruce Schneier will debate the psychology of security in his keynote session and Bob Ayers, associate fellow, Chatham House Information Security Programme, will lead a panel discussion on the increasingly important issue of insider threats. Finally, Jon Fell, partner at Pinsent Masons, will chair the hackers' panel, which returns in the wake of a year of legislative change. Expect a lively discussion from a range of "experts" in hacking practice and legislation.
WHERE AND WHEN
Dates: 24-26 April 2007
Venue: Grand Hall, Olympia, London
More information: www.infosec.co.uk