Endpoint
10/30/2017
08:13 AM
50%
50%

Its Time to Change the Cybersecurity Conversation

The IT security industry needs more balance between disclosure of threats and discussion of defense practices - and greater sharing of ideas

For more than 11 years now, Dark Reading has annually reported major increases in cybersecurity spending, hiring, and technical innovation. Yet, almost every year, we have also reported more data breaches, of greater proportions, than the year before. And so the pattern goes on: defenders invest more budget and staff, yet they continue to lose data at an alarming rate.

It’s time to ask some hard questions. Are cybercriminals really ahead of the defenders? Or are there fundamental flaws in the strategies we’re using for defense?

These are among the core questions we’ll be exploring next month at Dark Reading’s INsecurity Conference, which will take place Nov. 29-30 at the Gaylord National Harbor near Washington, D.C. The conference -- which features 32 sessions led primarily by CISOs and former CISOs of major organizations, as well as roundtable discussions and an exhibit floor – is designed to help IT and security professionals rethink the way they approach everyday security tasks, and get them talking about new strategies.

At INsecurity, we’re hoping to break some of the "circular thinking" that keeps our defenses behind. For example, most of today’s IT security conversations – and most security conferences – focus on the emerging threats and vulnerabilities that have been newly-discovered by researchers. This information is valuable in its immediacy, but it tends to skew the defenders’ focus toward the newest threats, rather than the most relevant or impactful. And in many cases, the "new disclosure" conversation is focused only on the threat itself, rather than the best defense against it.

At INsecurity, we’ll be putting aside the "latest threat" conversations for a couple of days and focusing on the strategies and practices that IT and security teams use for defense. If defenders are going to get better, they need to talk about what’s working and what isn’t. INsecurity’s speakers are security veterans who have been fighting the online battle for years and can share their experiences. The content is focused not on what attackers might do, but what they actually do every day – and how you can shift your everyday practices to stop them.

Similarly, most of today’s IT security conversations – and most IT security conferences – tend to happen through one-way presentations or in silos of interested professions. In the enterprise, security teams sometimes spend more of their day talking among themselves than to those with whom they’re exchanging data. Security strategies also tend to be internal, rather than across supply chains or shared infrastructure. Likewise, security conferences tend to focus most of their content on one-way PowerPoint talks by researchers or experts, rather than two-way discussions among colleagues.

At INsecurity, we want to open up the flow of conversation. Yes, some of our sessions will be traditional single-speaker talks, but the other half will be group discussions moderated by experts and protected by Chatham House Rules, in which attendees agree not to share the identities of the participants outside the room. There will also be numerous small roundtables of eight or ten security peers, enabling participants to dig into their specific challenges with colleagues – in a setting that’s intimate and protected. Our goal is to get IT and security people to have real conversations about real problems, rather than just listening to presentations in a dark room.

Even INsecurity’s exhibit floor will offer a different type of conversation. In addition to showing some of the new and latest technologies, the INsecurity Business Hall will feature a theater in which technology providers are encouraged to discuss industry issues and foster discussion, as well as selling their wares. The goal is to get the defenders talking with the tool providers, in hopes that the conversation will help both sides to do better at what they do.

If you’ve been in the cybersecurity industry for any length of time, you’ve probably been to conferences where you stepped out of the sessions in order to have meetings with business partners or discuss a specific issue with colleagues. But what if those conversations were part of the conference – and what if you could have them with some of the top experts and security leaders in the country? That’s the concept behind INsecurity, and our lineup of speakers should make those conversations truly useful, offering ideas for defense that you never had before.

We hope you’ll think about registering for the INsecurity conference. We think it’s time to rethink the security conversation – and find better ways to improve data defense.

Related Content:

Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry’s most knowledgeable IT security experts. Check out the INsecurity agenda here.

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
cdansbee
50%
50%
cdansbee,
User Rank: Apprentice
11/2/2017 | 11:43:28 AM
How do small businesses factor in?
I would be surprised if many small business owners factor into the statistics of spending where cyber security is concerned. Because these small business owners tend to be up to their eyeballs running their business, I doubt they take the time to respond to many surveys. They certainly don't have CISO, CIO, CTO, and all the other buzzword bingo titled employees in their offices.

I also doubt that small business owners are spending more money on cybersecurity and innovation when compared to larger companies. 

Given that small businesses make up a significant proportion of US-based businesses, I suspect they are breached on a regular basis and mined for useful data without business owners even knowing it is happening.

I agree completely that it is time to change the cybersecurity conversation and would challenge you to find ways to involve small business owners in the conversation.

 
Microsoft Word Vuln Went Unnoticed for 17 Years: Report
Kelly Sheridan, Associate Editor, Dark Reading,  11/14/2017
Companies Blindly Believe They've Locked Down Users' Mobile Use
Dawn Kawamoto, Associate Editor, Dark Reading,  11/14/2017
121 Pieces of Malware Flagged on NSA Employee's Home Computer
Kelly Jackson Higgins, Executive Editor at Dark Reading,  11/16/2017
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Managing Cyber-Risk
An online breach could have a huge impact on your organization. Here are some strategies for measuring and managing that risk.
Flash Poll
[Strategic Security Report] How Enterprises Are Attacking the IT Security Problem
[Strategic Security Report] How Enterprises Are Attacking the IT Security Problem
Enterprises are spending more of their IT budgets on cybersecurity technology. How do your organization's security plans and strategies compare to what others are doing? Here's an in-depth look.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.