Forrester security show stresses risk management

Enterprise security workers are starting to warm to the concept of comprehensive IT restructuring instead of simply adding new technology to the fold

Enterprise security decision makers have long been more likely to be swayed by flashy new technologies than by the notion of comprehensive IT restructuring to protect data and other corporate assets, but the situation is evolving rapidly, according to experts participating in Forrester Research's ongoing Security Forum.

Kicking off in Atlanta on Sept. 5, the two-day event will bring together a number of influential IT security consultants and researchers along with a range of vendors and end-users to debate pressing issues impacting enterprise businesses today.

Whereas such technology meetings, including Forrester's inaugural 2006 security confab, have historically focused more on the acquisition of new technologies or the latest trends in malware, companies are finally beginning to spend less time investigating individual attacks and defense mechanisms and more time examining the idea of broad-ranging risk management, show organizers said.

"There isn't any hot new technology being pitched at us these days. The process is less about shiny widgets than it is about cohesive programs that combine security and risk management," said Laura Koetzle, the Forrester analyst charged with pulling the event together.

"For a long time, the power in the security industry has been in the hands of the technology providers," she said. "But as enterprise security programs are maturing, we're seeing a shift to more coherent strategies that emphasize specific business needs."

Koetzle said that the annual conference will have its fair share of security research reports on emerging threats -- including the latest on messaging security trends from specialists with Postini -- but the analyst highlighted the increasing sophistication of the planned discussions, which focus on how companies can work with their customers and business partners to take a more organic approach to security.

"Many people growing up in the security discipline have seen a lot over the last few years, and now they're focused on working with business partners both inside and outside of their firms to get a more holistic view of what they want to accomplish, versus blocking viruses and filtering," said Koetzle.

"Today, security folks are much less likely to be a guy in a black hat in charge of some esoteric technology whom you never see; it's more about people who coordinate management strategy for companies and ensure that they have the right skills and partners in place," she said.

The Forrester analyst contends that security professionals are also no longer forced to fight for attention among the ranks of IT, since C-level corporate leaders have woken up to the fact that their companies' operations and reputations can be severely affected by data breaches and security gaffes.

Among the scheduled speakers at the show will be representatives from IT vendors including Dell, Texas Instruments, and VeriSign, but Forrester has also corralled customers from the financial services and healthcare industries to share their latest experiences.

Along with a slew of Forrester's own experts, academic researchers from Johns Hopkins University and Purdue University are also slated to speak at the show.

Representing Johns Hopkins will be Dr. Aviel Rubin, director of the school's Information Security Institute and a well-known expert regarding e-voting technologies and many of the issues that loom with the continued adoption of the systems.

Rubin, who will also be representing his Baltimore-based consulting firm, Independent Security Evaluators, said that he will explain to show attendees how many existing IT products can still be broken by sophisticated hackers.

"It will always be a fact of life that things can be broken and not always by the good guys who will publicize it, so it's important that people examine the way they handle incidents, and it's always good to encourage people to share their stories," Rubin said.

However, the researcher said he will also focus on the process improvements that many companies have been able to appreciate as their security efforts have matured.

"With the experience they've accrued, some companies, including vendors, are doing a better job of handling vulnerabilities and reporting," he said. "However, it's still useful to look at how things can still be circumvented and look at the measures that are being put in place to stop that sort of activity."

Also presenting will be Brian Contos, chief security officer at security management specialists ArcSight and the author of the well-known insider threat tome Enemy at the Water Cooler.

Contos agreed that the political battles that IT security pros needed to fight just to get attention and budget from business leaders have waned over the last several years and said that companies are getting far more aggressive in how they police their users and networks.

However, that shift has also created new challenges, he said.

"People want to monitor almost everything, but by adding more events, they are moving from megabytes of result information to terabytes and also trying to meld IT security efforts with physical security, which will be a long process," Contos said. "The main question we're hearing has become how companies can deal with this flood of data and turn it into something valuable; that's the challenge that many of these enterprise customers face going forward."
