Is the security sector served well by the standards, regulations, and frameworks we have?

The security industry has been around for a good few years and we've understood the importance of standards. If you look at the way that standards, frameworks, and regulations work, it does take quite some time for them to come into place. In the early days, we had standards, which may have been around specific technologies, but they were quite general. So for example, we had the standards around wireless encryption. So, there are those sorts of standards. We have standards around technologies. We have standards around products. We have standards around organizations. So for example, the BS 5577, a long time ago, was what eventually became known as the ISO 27001 series, or the starting of it.

The standards came first, then as time went on, we had more frameworks coming into play. For example, the Cloud Security Alliance has some frameworks, and ISACA itself has got a great framework, a couple of frameworks. And also you find that over some time, different regulatory bodies have created their regulations. So the finance sector has often had its own. Now, the challenge with all of these things is that because they are trying to cover so many things and be all and everything to many, many people, especially those people that sit on these committees, it takes a long time to negotiate them. And because it takes a long time to negotiate them, it also takes a long time to greet them and get them out there. There are a lot of standards out there, and it doesn't mean we've covered all the things that we need to cover in security. So they are evolving as time goes on. And again, the 27000 series has shown this, because you've got different components of that now. We are beginning to get to the point where some of the technologies are converging in a direction that's quite useful. You're beginning to see some of the convergence aspects that are fit as well. And IoT is a very good example of that.

I'd say, yes, there are a lot of standards. There are regulations and frameworks, plenty of them, plenty to choose from, and definitely the security industry is well covered. But that doesn't mean that we've got everything covered. It's well covered in that we've got a good set of standards already at the moment that we can build on to meet the changing needs that we may have.

What role do standards and frameworks have in a world where threats and risks are forever changing?

We're in an environment where technology is changing so fast and responses to technology are a little bit slow, because we can only really work in retrospect in many respects, looking at where the threats are, where the risks are. We tend to think backward rather than forwards quite often in many of these things, partly because we're in a position where we've got limited budgets; we can't go round trying to cover every risk, we have to cover those that are the biggest risks. And we have to look at the likelihood that things are going to happen, and the impacts those things are going to have. Because there are so many variations that we need to look at and the threats that are out there, we start to figure out where we want to spend our money and we start to think about the changes that are out there in terms of the threats that we need to respond to. Our budgets need to be forward-thinking. Yet at the same time, we've got technologies that are always backward-thinking. We're trying to think about what's happened, where it's happened, why it's happened, and what we need to be doing next. So in terms of the standards, we're in a position where many of these things came about some time ago, and although they came about some time ago, they were almost ready for yesteryear's threats that were out there. My session thinks about that, and I'll be covering what it is, and why they were good for their times at some point. And the fact is that today we're in a much, much faster-changing world, and if our standards are not changing just as fast as the threats are changing, they're beginning to feel more like checklists. And if you've got checklists, as good as a checklist may well be, it's nothing more than a checkbox exercise.

And that's one of the things that many security professionals are often saying about standards: there are many organizations out there that have been breached, and they've been breached even though they comply with certain standards, frameworks, and regulations. But even though they're complying, they are still being breached. And that's partly because they're complying with these things that were written five, six, seven, eight years ago in many cases. What we need to be looking at is how we can update them in shorter periods to reflect some of the threats that are emerging out there.

What will you be covering in your session?

In that keynote session, I'll be looking at giving a couple of examples of standards and frameworks that were out there, and I'll be looking at how they meet today's environment and pulling them to pieces intentionally. I know some of the ones that I've chosen are due to be changed or in the process of being changed, but effectively, the fact remains that standards do take a long time to change. We need to figure out how we can make the best use of them in a way that they're more than just a checkbox exercise. And in many respects, for some organizations that may not have any security, they're a brilliant starting point. Having a good starting point is great. But if that starting point isn't going to take you anywhere more than a starting point, you need to think about the sort of threats that you're likely to get as an organization and what you need to be doing. And I know that many organizations out there do have to comply in some respects with PCI DSS or HIPAA or with ISO 27001 and so on. So I've been looking at those as examples of saying what they were created for and how quickly they came out of date.