By Patty Donovan, The Open Group
Totaling 446 tweets, yesterday’s 2013 Security Priorities Tweet Jam (#ogChat) saw a lively discussion on the future of security in 2013 and became our most successful tweet jam to date. In case you missed the conversation, here’s a recap of yesterday’s #ogChat!
The event was moderated by former CNET security reporter Elinor Mills, and there were 28 participants in total, including:
- Chris Silva, Altimeter Group (@802dotchris)
- Chris Lockhart, Booz & Company (@chrisonea)
- Chris, BSides Dallas (@syntaxerr66)
- Dark Reading (@DarkReading)
- Kelly Jackson Higgins, Dark Reading (@kjhiggins)
- Mikko Hypponen, F-Secure (@mikko)
- Davi Ottenheimer, FlyingPenguin (@daviottenheimer)
- Framehawk (@Framehawk)
- Jay Fry, Framehawk (@jayfry3)
- Ian E. Savage, McAfee (@iesavage)
- Mandiant (@Mandiant)
- Richard Bejtlich, Mandiant (@taosecurity)
- Dave Lounsbury, The Open Group (@Technodad)
- Jim Hietala, The Open Group (@jim_hietala)
- Perimeter E-Security (@PerimeterNews)
- Andrew Jaquith, Perimeter E-Security (@arj)
- Andrew Barratt, PTP Consulting (@andrew_barratt)
- Andrew Wild, Qualys (@AWildCSO)
- JadedSecurity, security blogger (@jadedsecurity)
- Josh D, security blogger (@iam_joshd)
- Robin Robins, security marketing consultant (@azrobinr)
- SearchCIO.com (@enterpriseCIO)
- Trustwave (@Trustwave)
- Ryan Barnett, Trustwave (@ryancbarnett)
- Nicholas Percoco, Trustwave (@c7five)
- Dana Gardner, ZDNet (@Dana_Gardner)
Here is a high-level snapshot of yesterday’s #ogChat:
Q1 What’s the biggest lesson learned by the security industry in 2012? #ogChat
The consensus among participants was that 2012 was a year of going back to the basics. Many basic vulnerabilities within organizations still need to be addressed, and they affect every aspect of an organization.
- @Dana_Gardner Q1 … Security is not a product. It’s a way of conducting your organization, a mentality, affects all. Repeat. #ogChat #security #privacy
- @Technodad Q1: Biggest #security lesson of 2012: everyone is in two security camps: those who know they’ve been penetrated & those who don’t. #ogChat
- @jim_hietala Q1. Assume you’ve been penetrated, and put some focus on detective security controls, reaction/incident response #ogChat
- @c7five Lesson of 2012 is how many basics we’re still not covering (e.g. all the password dumps that showed weak controls and pw choice). #ogChat
Participants debated the necessity of standards. Most agreed that standards and policies are key to securing BYOD.
- @arj Q2: No “standards” needed for BYOD. My advice: collect as little information as possible; use MDM; create an explicit policy #ogChat
- @Technodad @arj Standards are needed for #byod – but operational security practices more important than technical standards. #ogChat
- @AWildCSO Organizations need to develop a strong asset management program as part of any BYOD effort. Identification and Classification #ogChat
- @Dana_Gardner Q2 #BYOD forces more apps & data back on servers, more secure; leaves devices as zero client. Then take that to PCs too. #ogChat #security
- @taosecurity Orgs need a BYOD policy for encryption & remote wipe of company data; expect remote compromise assessment apps too @elinormills #ogChat
There was disagreement here. Some emphasized focusing on protecting data, while others argued that it is the devices and networks that need protecting.
- @taosecurity Everyone claims to protect data, but the main ways to do so remain protecting devices & networks. Ignores code sec too. @elinormills #ogChat
- @arj Q3: in the BYOD era, the focus must be on the data. Access is gated by employee’s entitlements + device capabilities. #ogChat
- @Technodad @arj Well said. Data sec is the big challenge now – important for #byod, #cloud, many apps. #ogChat
- @c7five Organization will focus more on device management while forgetting about the network and data controls in 2013. #ogChat #BYOD
Participants agreed that using third parties will force organizations to rely on security provided by those parties. They also acknowledged that data must be secure in transit.
- @daviottenheimer Q4 Big Data will redefine perimeter. have to isolate sensitive data in transit, store AND process #ogChat
- @jim_hietala Q4. 3rd party Big Data puts into focus 3rd party risk management, and transparency of security controls and control state #ogChat
- @c7five Organizations will jump into 3rd party Big Data without understanding of their responsibilities to secure the data they transfer. #ogChat
- @Dana_Gardner Q4 You have to trust your 3rd party #BigData provider is better at #security than you are, eh? #ogChat #security #SLA
- @jadedsecurity @Technodad @Dana_Gardner has nothing to do with trust. Data that isn’t public must be secured in transit #ogChat
- @AWildCSO Q4: with or without bigdata, third party risk management programs will continue to grow in 2013. #ogChat
Q5 What will global supply chain security look like in 2013? How involved should governments be? #ogChat
Supply chains are an emerging security issue, and governments need to get involved. But consumers will also start to understand what they are responsible for securing themselves.
- @jim_hietala Q5. supply chain emerging as big security issue, .gov’s need to be involved, and Open Group’s OTTF doing good work here #ogChat
- @Technodad Q5: Governments are going to act – issue is getting too important. Challenge is for industry to lead & minimize regulatory patchwork. #ogChat
- @kjhiggins Q5: Customers truly understanding what they’re responsible for securing vs. what cloud provider is. #ogChat
Q6 What are the biggest unsolved issues in Cloud Computing security? #ogChat
Cloud security is a big issue. Most agreed that Cloud security is opaque and needs to become more transparent. When Cloud providers claim they are secure, consumers and organizations place blind trust in them, which makes the problem worse.
- @jadedsecurity @elinormills Q6 all of them. Corps assume cloud will provide CIA and in most cases even fails at availability. #ogChat
- @jim_hietala Q6. Transparency of security controls/control state, cloud risk management, protection of unstructured data in cloud services #ogChat
- @c7five Some PaaS cloud providers advertise security as something users don’t need to worry about. That makes the problem worse. #ogChat
Q7 What should be the top security priorities for organizations in 2013? #ogChat
Top security priorities varied. Priorities highlighted in the discussion included: focusing on creating a culture that promotes secure activity; prioritizing security spending based on risk; focusing on where the data resides; and third-party risk management coming to the forefront.
- @jim_hietala Q7. prioritizing security spend based on risks, protecting data, detective controls #ogChat
- @Dana_Gardner Q7 Culture trumps technology and business. So make #security policy adherence a culture that is defined and rewarded. #ogChat #security
- @kjhiggins Q7 Getting a handle on where all of your data resides, including in the mobile realm. #ogChat
- @taosecurity Also for 2013: 1) count and classify your incidents & 2) measure time from detection to containment. Apply Lean principles to both. #ogChat
- @AWildCSO Q7: Asset management, third party risk management, and risk based controls for 2013. #ogChat
A big thank you to all the participants who made this such a great discussion!
Patricia Donovan is Vice President, Membership & Events, at The Open Group and a member of its executive management team. In this role she is involved in determining the company’s strategic direction and policy as well as the overall management of that business area. Patricia joined The Open Group in 1988 and has played a key role in the organization’s evolution, development and growth since then. She also oversees the company’s marketing, conferences and member meetings. She is based in the U.S.