Endpoint

10/30/2017
08:13 AM
50%
50%

Its Time to Change the Cybersecurity Conversation

The IT security industry needs more balance between disclosure of threats and discussion of defense practices - and greater sharing of ideas

For more than 11 years now, Dark Reading has annually reported major increases in cybersecurity spending, hiring, and technical innovation. Yet, almost every year, we have also reported more data breaches, of greater proportions, than the year before. And so the pattern goes on: defenders invest more budget and staff, yet they continue to lose data at an alarming rate.

It’s time to ask some hard questions. Are cybercriminals really ahead of the defenders? Or are there fundamental flaws in the strategies we’re using for defense?

These are among the core questions we’ll be exploring next month at Dark Reading’s INsecurity Conference, which will take place Nov. 29-30 at the Gaylord National Harbor near Washington, D.C. The conference -- which features 32 sessions led primarily by CISOs and former CISOs of major organizations, as well as roundtable discussions and an exhibit floor – is designed to help IT and security professionals rethink the way they approach everyday security tasks, and get them talking about new strategies.

At INsecurity, we’re hoping to break some of the "circular thinking" that keeps our defenses behind. For example, most of today’s IT security conversations – and most security conferences – focus on the emerging threats and vulnerabilities that have been newly-discovered by researchers. This information is valuable in its immediacy, but it tends to skew the defenders’ focus toward the newest threats, rather than the most relevant or impactful. And in many cases, the "new disclosure" conversation is focused only on the threat itself, rather than the best defense against it.

At INsecurity, we’ll be putting aside the "latest threat" conversations for a couple of days and focusing on the strategies and practices that IT and security teams use for defense. If defenders are going to get better, they need to talk about what’s working and what isn’t. INsecurity’s speakers are security veterans who have been fighting the online battle for years and can share their experiences. The content is focused not on what attackers might do, but what they actually do every day – and how you can shift your everyday practices to stop them.

Similarly, most of today’s IT security conversations – and most IT security conferences – tend to happen through one-way presentations or in silos of interested professions. In the enterprise, security teams sometimes spend more of their day talking among themselves than to those with whom they’re exchanging data. Security strategies also tend to be internal, rather than across supply chains or shared infrastructure. Likewise, security conferences tend to focus most of their content on one-way PowerPoint talks by researchers or experts, rather than two-way discussions among colleagues.

At INsecurity, we want to open up the flow of conversation. Yes, some of our sessions will be traditional single-speaker talks, but the other half will be group discussions moderated by experts and protected by Chatham House Rules, in which attendees agree not to share the identities of the participants outside the room. There will also be numerous small roundtables of eight or ten security peers, enabling participants to dig into their specific challenges with colleagues – in a setting that’s intimate and protected. Our goal is to get IT and security people to have real conversations about real problems, rather than just listening to presentations in a dark room.

Even INsecurity’s exhibit floor will offer a different type of conversation. In addition to showing some of the new and latest technologies, the INsecurity Business Hall will feature a theater in which technology providers are encouraged to discuss industry issues and foster discussion, as well as selling their wares. The goal is to get the defenders talking with the tool providers, in hopes that the conversation will help both sides to do better at what they do.

If you’ve been in the cybersecurity industry for any length of time, you’ve probably been to conferences where you stepped out of the sessions in order to have meetings with business partners or discuss a specific issue with colleagues. But what if those conversations were part of the conference – and what if you could have them with some of the top experts and security leaders in the country? That’s the concept behind INsecurity, and our lineup of speakers should make those conversations truly useful, offering ideas for defense that you never had before.

We hope you’ll think about registering for the INsecurity conference. We think it’s time to rethink the security conversation – and find better ways to improve data defense.

Related Content:

Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry’s most knowledgeable IT security experts. Check out the INsecurity agenda here.

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
cdansbee
50%
50%
cdansbee,
User Rank: Apprentice
11/2/2017 | 11:43:28 AM
How do small businesses factor in?
I would be surprised if many small business owners factor into the statistics of spending where cyber security is concerned. Because these small business owners tend to be up to their eyeballs running their business, I doubt they take the time to respond to many surveys. They certainly don't have CISO, CIO, CTO, and all the other buzzword bingo titled employees in their offices.

I also doubt that small business owners are spending more money on cybersecurity and innovation when compared to larger companies. 

Given that small businesses make up a significant proportion of US-based businesses, I suspect they are breached on a regular basis and mined for useful data without business owners even knowing it is happening.

I agree completely that it is time to change the cybersecurity conversation and would challenge you to find ways to involve small business owners in the conversation.

 
More Than Half of Users Reuse Passwords
Curtis Franklin Jr., Senior Editor at Dark Reading,  5/24/2018
Is Threat Intelligence Garbage?
Chris McDaniels, Chief Information Security Officer of Mosaic451,  5/23/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Flash Poll
[Strategic Security Report] How Enterprises Are Attacking the IT Security Problem
[Strategic Security Report] How Enterprises Are Attacking the IT Security Problem
Enterprises are spending more of their IT budgets on cybersecurity technology. How do your organization's security plans and strategies compare to what others are doing? Here's an in-depth look.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-11505
PUBLISHED: 2018-05-26
The Werewolf Online application 0.8.8 for Android allows attackers to discover the Firebase token by reading logcat output.
CVE-2018-6409
PUBLISHED: 2018-05-26
An issue was discovered in Appnitro MachForm before 4.2.3. The module in charge of serving stored files gets the path from the database. Modifying the name of the file to serve on the corresponding ap_form table leads to a path traversal vulnerability via the download.php q parameter.
CVE-2018-6410
PUBLISHED: 2018-05-26
An issue was discovered in Appnitro MachForm before 4.2.3. There is a download.php SQL injection via the q parameter.
CVE-2018-6411
PUBLISHED: 2018-05-26
An issue was discovered in Appnitro MachForm before 4.2.3. When the form is set to filter a blacklist, it automatically adds dangerous extensions to the filters. If the filter is set to a whitelist, the dangerous extensions can be bypassed through ap_form_elements SQL Injection.
CVE-2018-11500
PUBLISHED: 2018-05-26
An issue was discovered in PublicCMS V4.0.20180210. There is a CSRF vulnerability in "admin/sysUser/save.do?callbackType=closeCurrent&navTabId=sysUser/list" that can add an admin account.