TEISS is an information security conference, now in its 6th year. While the event itself was extremely informative across several dimensions, there were a few areas that stood out.
Examining these areas in detail is useful because it can serve as a barometer for the professional discipline as a whole; meaning, understanding the themes and highlights from one individual event serves as a microcosm of the broader considerations and challenges that surround how people do their jobs.
So, with that in mind, below are the areas that stood out as thematic highlights from this year’s event. Note that these were not the only themes – or even those from every track – however, they were those that stood out as particularly noteworthy and conclusions can safely be drawn, in terms of their broader impact.
The “ticking clock” of GDPR
It’s probably not a surprise that GDPR is at the forefront of peoples’ minds – particularly not for a European audience. However, the extent of the potential impact that could result might be – particularly to those of us “across the pond” or elsewhere in the global community outside of the European Union.
>See also: Change is coming: the GDPR storm
Specifically, most practitioners already know that organisations are given 24 months (2 years) from the time of publication (May 25th 2016) to become compliant with the requirements of GDPR, but what might be surprising – and that might be harder to see at first blush – are the cascading and global impacts that could result.
First and foremost, for those actually in the EU, many of those in attendance at the event felt that they were underprepared; the “ticking clock” of the two year window (of which almost a full year has elapsed) is very much audible.
Again, this may not be totally surprising. What was, by contrast, was the palpable global impact. Specifically, organisations that conduct business within the EU – or that otherwise connect to EU citizens, are impacted.
As such, they also need to take specific actions such as conducting a data protection impact assessment and appointing appropriate personnel (specifically a data protection officer.)
The global impact of this will likely be felt between now and May 2018 – and likely years beyond that – in a degree that (while probably not surprising to EU organisations) might be unanticipated from those in the broader non-EU community.
‘Real world’ cyber security impacts
Another theme that stood out was the impact of cyber security considerations from a physical world perspective; for example, the impact of cyber security on things like power production and distribution, “smart cities” (and notably the implications of a security event for the communities they serve), biomedical applications, and other situations that have potentially health and public safety implications.
Now, many will recognise that this is not necessarily a new consideration – this is a topic that has been discussed at some length across the broader security community.
>See also: GDPR: Out with the old in with the EU
However, the fact that it is now prevalent enough to have (multiple) sessions targeted to its discussion (both about prevention and response) as well as becoming a topic of numerous conversations in peer network is noteworthy.
Again, this should serve as both a wakeup call and a reminder – for those organisations that have systems that could have a potential for real-world impacts and also to the rest of us, as accounting for these issues could very well be an important consideration in our plans as well.
‘Intelligence-driven’ security
Last, there was a continued expansion of so-called intelligence-driven approaches (e.g. kill-chain analysis, understanding of threat and attacker tradecraft, etc.) throughout the event.
This extended from the session (one of the more interesting sessions that involved soliciting the viewpoint of a veteran crime science researcher and applying his observations and theoretical understanding of criminal activity to the motivations and actions of cyber security adversaries), as well as to the sponsoring organisations and vendors that supported the event.
This exemplifies an increasing understanding of intelligence-driven approaches by practitioners across the board and (likely) a corresponding expansion of these efforts in practice within enterprise.
Instead of traditional layered defences that operate in linear fashion (protecting the organisation from the outside in), these approaches are more “orbital” in nature.
>See also: AI-driven unemployment is ‘unavoidable’ and financial institutions are scared
Specifically, given that perimeter-defence models are decreasing in utility due to externalisation (due to cloud, mobile, and other new technologies as well as increasing complexity of the environment), how are organisations looking to protect themselves from the inside?
This is increasingly challenging as attackers will seek to minimise the time they can operate unimpeded and minimise their impact. Organisations should therefore continue to explore and invest in an “orbital” approach in order to stay current.
In such a fast paced industry, people are constantly presented with new developments that demand their attention and it might be difficult to focus on those that really matter.
These themes were certainly not the only ones from this year’s European Information Security Summit; however, these were the items that stood out most prominently, and that likely precipitate a call to action from our community in response.
Sourced by Ed Moyle, director, thought Leadership and research, ISACA