Having attended and spoken at ISACA's Oceania CACS conference in Wellington NZ the past 3 days, I noticed a few themes coming up repeatedly. This piece expresses my personal perspective but I must stress that I didn't attend every session (not least because of the three parallel tracks) or speak to everyone of the 200-odd people present. I'm sure other attendees would have their own opinions ...
"Risk" remains a core concern. Compared to risk, there was less discussion around controls to mitigate risks, and almost nothing was said on risk avoidance, risk acceptance and risk transfer. Even IT audit seemed less prominent as a seminar topic than in ISACA conferences I have attended previously. However, despite our common interest, "risk" clearly has different meanings to different professionals at the conference, and no doubt to many of our business colleagues. I'm sure there were many misunderstandings as a result of subtly different interpretations and emphases - including my own of course.
Information security incidents involve both unstructured and structured data e.g. spreadsheets and databases. Whereas databases tend to hold much larger amounts of data, computer users often have quite sensitive and valuable information on their desktops. Databases tend to be secured (although the lack of patching and complexities of securing large systems are often issues), while users tend not to take sufficient care to secure their systems and unstructured data.
As "compliance" slides gently into the background, "governance" is an issue on the ascendance. People are thinking more deeply about the distinction between governance and management, and most accept the need for information security direction from senior management (e.g. through documented strategies).
Capability Maturity Models are popular, along with COBIT 5, RiskIT, ValIT, ISO27k and ISO38500, as ways to make sense of the complexities associated with information risk management, information security, governance and related matters. Unfortunately, however, the models and frameworks are evidently being considered and adopted rather superficially by some: the subtleties and complexities behind the pretty diagrams aren't always appreciated. I'm convinced that deeper analysis will generate better insight and more value from the models, but at least the basic structures and concepts are becoming commonplace. It's a start.
Mobile technologies and social media are on unstoppable upward trajectories, despite the substantial risks (e.g. roughly half of tested mobile apps were malware-infected, and there are lots of vulnerabilities associated with smartphones). "Gen Z" young employees are not just comfortable with the associated technologies and practices, they are almost dependent on them and will insist on using them even if they have to use their own devices at work (whether BYOD or carrying multiple devices). Some, at least, are blase about their own privacy (perhaps as a result of naively believing that they are only disclosing private stuff to their friends and families, and that they are trustworthy), raising concerns around how they will treat personal information in their care at work.
Cloud computing is another unstoppable trend. There wasn't much discussion about the specific risk and security issues arising from cloud computing, however: several speakers expressed the opinion that it was 'just outsourcing', betraying a naive understanding of the field. One speaker identified that cloud computing suffers the same security risks as more traditional forms, plus a load more that are slowly being appreciated: some are hidden and will only become issues in a few years when the early adopters of cloud computing start trying to extract themselves from their contracts.
Research into various security and privacy breaches has identified some surprising findings with implications for the ways we perhaps ought to be addressing the risks. For example, the possibility of being detected and suffering personal consequences are deterrents: organizations that patently don't take much notice of the security logs, alarms and alerts, or who fail to do anything much about incidents they do detect, are in effect training their employees to ignore the rules. The possibility of adverse consequences for the organization is of less concern to individuals than the direct threat of being disciplined, sacked or prosecuted. So much for employee loyalty.
Unsurprisingly, I spotted numerous references to security awareness in various contexts, and was particularly pleased that several people mentioned the need to raise awareness at senior management level using language that suits the audience - in other words, expressing information risk, security, compliance and governance issues in business rather than technology terms. I was surprised to find that a few attendees still appear to be myopically focused on IT or technical security, and several referred to training and awareness interchangeably. On the other hand, I was fascinated to hear that some infosec professionals are making the effort to express information security issues to their colleagues using terms such as safety, trust, resilience, protection, agility, efficiency, compliance, comfort etc. rather than banging on about confidentiality, integrity and availability.
Information security metrics came up in several places too, besides my own presentation. Something that really caught my imagination was the idea that creative risk analyses should identify the 'early warning signs' of impending incidents, as well as identifying, characterising, scoring and ranking risks. Normally, risk analyses and related processes lead to the listing of mitigating controls in the main, but I am intrigued at the possibility of identifying predictive metrics and leading indicators that perhaps things aren't quite going to plan. For instance, the risks relating to malware are usually addressed through antivirus and firewalls, plus resilience and recovery measures such as patching, incident management and backups. But what about the detective controls, the indications that malware activities are on the rise, unusual types of network traffic are occurring and so forth? Major incidents don't often happen totally out-of-the-blue, but are usually preceded by various little tell-tale signs that something is going on - things such as probing and enumeration on the network before a hack, or minor frauds before a biggie, or a catalog of minor issues with the power before a black-out: if we are lucky, someone notices the signs in time to do something positive to forestall or prevent a crisis, but 'being lucky' is not a sound strategy! Developing metrics and instrumenting risk-laden processes, networks and systems, and even people, accordingly represents a more proactive and sensible approach.
Aside from the seminars, the social side of the conference was excellent. It was a fantastic opportunity to meet and chat with peers from the Pacific area, particularly New Zealand and Australia plus some from the US and South America.