I visited the Northeast Security Leaders Summit in the Roosevelt Hotel in New York City yesterday. The summit is an industry-sponsored one-day event that looks to bring together CISO-level individuals to talk about a range of topics. While I was a little sceptical going in, I have to say that I was not disappointed. The topics on the program were fairly interesting, decent speakers presented, and the overall ambiance was very good.

While, in a group like this, I expected to hear a lot about how Cloud is going to change the landscape and <fill in the rest for yourself>, the term was not mentioned once. I am not sure if that means that the Cloud hype has passed and it has moved into business-as-usual, or that it had not made it onto the radar of the group that we had together yet, but it was interesting (and refreshing) to not hear Cloud in every other sentence.

One recurring theme that I kept hearing here, and also at SOURCE Boston last week, was how Big Data is going to change the surface of the infosec space again. We'll see how that goes. Also mentioned frequently was the whole bring-your-own-device movement. Personally, I feel that we cannot stop it from happening (even if we wanted to), so we might as well deal with it. It is time to move away from putting the focus of our security posture on devices anyway; how about we look at people for a change (or, heaven forbid, focus on data!)?

A topic that (surprisingly) came back a few times was the relevance of good metrics to make security decisions. While infrastructure teams have a fairly simple metric of success (uptime), security teams do not really have anything that takes that role in our field. Mostly, the point was made that the current way of thinking about success in security revolves around trying to measure the absence of something (data and/or system breaches), but since it is impossible to prove a negative, proving good security by focusing on the absence of bad things is going to be hard.

Dr. Mike Lloyd of RedSeal Networks postulated an interesting thought. One way to measure success in cyber security depends on having wide-spread adoption of cyber insurance. If enough people have cyber insurance, breach information will be known by insurance companies, who have been historically good at using actuarial data to determine risks. Hence, if everybody has insurance, and the insurance companies parse that data, a measure of success in information security could be 'anything that reduces my insurance premiums'. Interesting concept, for sure.

Another point that Lloyd made, and that I have heard before, is that using metrics may lead to a focus on the wrong things. If your metrics track activity (busyness, as he calls it), you will become more active. If your metrics track posture, your posture will improve. Picking what to measure, or rather, what to manage, is indeed an important decision to make.

There were some other discussions also. One presenter stated that information security should not be seen as a business enabler; rather, information security should be viewed as a business facilitator. To illustrate the difference between enablers and facilitators, his example was that an IT department is indeed a business enabler, since it provides business units with the tools and techniques to do something and add value. The information security role guides the use of that technology through risk analysis and by providing direction to maintain the risk at acceptable levels. In that role, it also provides value (i.e., information security should not be seen as merely a cost center), but it doesn't actually enable business to take place.

All in all, it was a day well spent. The fact that I met some very interesting people, that lunch was very good, and that there was an open bar at the end did not hurt either. The only drawback is that I did not win any of the drawings ;)