This is the ninth time that ISSA takes place. This year ISSA is co-sponsored by IFIP and the IEEE, and the proceedings will be published as part of the IEEE digital library. This no doubt increases the visibility of ISSA papers.
The first keynote speaker is Mark Politt. He comes from a very strong law enforcement perspective. His talk is entitled “Information Security in the 21st Century”. From the 1940s to the 1980s life was simple. Everything belonged to and was controlled by the IT department; IT lived in a glass house. Then along came the PC… This gave IT new turf in the organisation. We thought we could control the PCs!? And then came the rise of the Internet. Everything was about eyeballs and bandwidth. Focus shifted from information/computer security to network/application security. The threat became a very real economic threat.
So where do we stand today? Mark thinks we are better off today because we understand things better than, say, five years ago. But he qualifies his statement by saying that this is only because we were really bad five years ago… Today we need to manage the tradeoffs: cost vs tradeoff, complexity vs flexibility, and ease of use.
But the coming of social networking changed much, specifically as far as human behaviour is concerned. The youth of today define themselves by things such as Facebook. If they’re not on Facebook it’s (for them) as good as if they don’t exist. Sadly, people are mostly oblivious to information/operational/personal security. Welsch‘s Theory of Media Ecology was mentioned; one of its interesting observations is that people don’t really work in groups, but rather in flocks/tribes. Generally these kinds of environments are characterised by “freedom” rather than control. We need to mediate changes in behaviour.
His conclusion: information can only be hardened, not controlled. Social behaviours will have a critical impact on security, and technology enables “information citizenship”. Information classification, privacy-enhancing technologies and security education need to work together to ensure that we get better at securing our information assets.
The next guest speaker was Johann van der Merwe from PWC. He says that we have exactly the same problems that we had a couple of years ago. Audit report findings look exactly the same as in previous years; we are caught in a “hamster wheel of a pain”. Part of the problem seems to be that we only have perceived risk, based on experience, since the complexity does not allow us to understand everything. Perceived risk is further influenced by legislation and economic forces. He sees the information security organisation operating in silos, rather than as a business. He then described some things to do in terms of the ISACA Business Model and value chain concepts.
After Johann, Elize van der Linde provided some information regarding the King III report and information security. The King III report of course explicitly makes the board responsible for information security, ensuring that IT aligns with performance and sustainability objectives. The board must see that an IT governance framework is implemented. The risk and audit committee must assist the board in carrying out its IT responsibilities. She then concentrated on the “I” side of IT governance. Information governance is a shared responsibility between business and IT. It is complex, needs a multi-year project, and needs a roadmap to be measured against.
OK, time for tea…
I will be blogging at least the keynote speeches and maybe selected individual talks throughout the conference.