Database Security 3.0

Sitting here at the Gartner IT Security Summit in National Harbor, MD, something occurred to me. No, its not that the Gaylord Center is perhaps the nicest, most expansive conference center I’ve ever been to. And no it’s not the fact that I was able to book a $300 last-minute ticket into National, previously unheard of before this economic meltdown.

 

Nope. It’s the fact that the sun is out. And it’s shining on IT Security. OK bad segway.

There’s some considerable buzz here, and a few prevalent themes. Generally speaking, there was the usual buzz about cloud computing and securing those applications.

 

There was also a major buzz around the capabilities that come out of data-centric security applications like DLP, IAM and SIEM. From a world events perspective, Obama’s appointment of a cybersecurity czar was referenced more than a few times.

The one thread that really fed through every panel, both from vendors and analysts, was embarking on collaborative efforts between security and compliance – and then, proving an ROI to your management team from programs and spend.

Here are some of the session highlights to those I attended. (more on this in Part II as I report on some of the analyst prezos)  

First off, one of the keynotes brought up some interesting issues. The session My Role in Information Security was interesting because thy paired an interesting cross-section of panelists: a security engineer, an auditor, a CIO and a CISO.

Keynotes:

Ken Mory, the Chief Auditor for San Diego County was an especially interesting panelist. As the others debated security-centric stuff, I’ll paraphrase Ken here.

1. Compliance drives budgets – speaking from his own experience at the state level, compliance initiatives help drive security budgets. You need to meet a particular mandate? Well, that opens up spending, period. This was backed up by Daniel Nunez who said the same thing in a SecureWorks-sponsored session – when you have regulatory initiatives like PCI smack you in the face, all of a sudden there’s money.
2. Ken also commented that compliance helps managers keep their jobs – learn how to get away from security-centric speak and communicate a clear ROI – and you will get what you need.
3. Lastly, and most interesting was that he sees the IT department as the biggest threat to organizations – no, not external attacks, no not malware, but the IT department itself. Great stuff Ken, its refreshing to hear it stated so cut and dried. Now, why isn’t every CISO up all night worrying about compliance?

Great stuff Ken, its refreshing to hear it stated so cut and dried. Now, why isn’t every CISO up all night worrying about compliance?

 

The other guys had some good points too – Eric Cowperwaithe, CISO, Providence Health and Services, made a point saying, security really is the ultimate centralizing force within an organization where every other department is fragmented and decentralized. Basically, he’s saying that if you embrace this, you can win this battle.

Another interesting point in this keynote came up based on an audience question, which was around securing the cloud. Jeff Goeke-Smith, a security engineer from Michigan State, said that essentially, from the security operations side of the house, all that means is just sticking a whole bunch of apps in someone else’s data center.

Good stuff for a keynote, when typically these are too high-level for their own good and don’t accomplish much. Have another post coming I’ll review a few analyst and vendor presentations. Stay tuned.