Last week I was invited to the IT-Security Analyst & CISO Forum Event in London, with a few vendors and a few CISOs. The form of the event is unique, and thanks to Eskenzi PR it is an excellent opportunity to gather the expectations from CISOs and the answers to these by vendors. Here are a few impressions and take-aways:

- "Most of the vendor's products are crap, they are fundamentally flawed in the sense that they do not increase security a pence", as one of the CISOs said (Chatham House rules applied). More specifically, asking for more details, most of the tool and product vendors are still relying on the wrong assumption that CISOs want to "extend the border of the enterprise" or "secure the perimeter". But this is good for nothing, for businesses to be productive, information has to flow, and must be protected there - and not retained "within" the enterprise.

- Consequently, DLP (Data Leakage Prevention) is a market which does not really exist. Those that are buying DLP do this for compliance purposes, just like buying Anti-Virus products (although they do not even discover 40% of the more recent attacks...). So the chance of using actual DLP products to really detect resp. prevent information leakage is pretty low.

- Secure software development is still to a large extent not understood, neither by vendors nor by the CISOs. They mostly think that they are done with the subject when they employ white box testing and use an application level firewall. Oh man - so much work ahead to communicate what this is really about.

- Top-notch on their priority list (very interesting): the "bring in your own device" policy. How to enable business infrastructure and applications to securely support personal devices (from notebooks to smart phones) as endpoint. Very interesting direction, finally we got the "all in the internet" type of assumption for company information access through a more financial motivation...  Still, many questions around legal responsibilities and technical capabilities are to be solved.

Now to the vendors (just a few interesting notes):

- FaceTime (the name needs to change, after Apples announcement that their VideoConferencing on the iPhone is called that way) basically does compliance-driven monitoring and management of the usage of social media for enterprises. Seems low profile. But driven by customer innovation they have built a strong capability of detailed authorizations for internet apps, so they do in fact "GRC Access Control" for internet apps... Interesting development.

- S21Security from Spain, currently perceived as a SIEM vendor in the financial vertical, is actually able to detect fraud on the basis of log information of core banking systems, with first experiences in the SCADA world. So they actually do interesting GRC analytics...

- BeCrypt has a nice application to simply, but securely extend the enterprise using bootable USB sticks. Defence-grade!

- M86Security, one of the largest vendors of realtime threat detection for web, with a footprint of 24000 (!) customers, seem to be a pretty useful  solution - what if they would offer this "as a service" for consumers, that route their web traffic through one of their servers? Would be pretty cool...

All in all: the market slowly changes from pure compliance products towards real protection solutions. This is definitively a sign that the customers get more educated about the real threats. But on the other side (see the note on secure software above), still a long way to go...