I’ve been talking to all sorts of folks about speaking for the upcoming virtual conference – and we’ll have a heck of a roster, to be sure. But the thing is, there is a weird pattern emerging.
When it comes to talking with people that are deep in the security space, and we’re talking about possible topics, they’re genuinely surprised and interested in why I’d be interested in them speaking. As in, they don’t think we (collectively) are as involved in security or protecting systems in general and would want to see security-related topics.
I’ve seen this now from more than a few people. It’s not malicious, it’s not even “talking down” to data people, it’s that the consensus seems to be that we’re most interested in encryption of data sitting on disks.
This is pretty hard to swallow because I’ve always felt like the entire picture was the thing. I perhaps don’t know all (!) of the security things that can be done to your systems, good and bad. I get that. I think it’s fascinating the technology behind hacks, behind what people use to gain access and the like. I recently attended a session on the Dark Web (said with a low, booming voice of course) and the Deep Web (same) and the thing that struck me is the whole “shields-up” aspect to even connecting to the routers to get you there. Then, the assertion that if you connect, you’re almost certainly compromised. I’ve seen this over and over as people try to explain this dark side of the ‘net.
Back to the reputation issue, I think that we’re in a dangerous spot here with respect to having the information we collectively need to protect the information in our systems. Sure, we can figure out how to enable TDE. We can figure out how to use SSL to connect. All of that is fine. But truly, to do things right, we need to be in the loop on the overall security picture. We can add to it, we can take from it. It’s pretty clear that we can be a better team than separate teams trying to figure out the larger security picture.
In talking with security professionals, many look at us (me) and just kind of nod when it comes to data security. That’s the good news. They’re in as much of a fog about things that can be done as many of us are at the network, server or infrastructure level. Without getting all “ra-ra” on this whole thing, there is real opportunity to bring the overall objectives into better focus and to offer expertise on both sides of this equation. If we can bring our focal points out a bit, and continue to expand them and get involved on the bigger basis, I think it could make a big difference.
In our offices, we have signs, sounds cliche’, but “Mind the Gap” is a big deal. That same issue is here with securing systems and information – and with the number of IoT devices and functionality coming online and being created literally daily, it’s going to be a do or die type of situation to address this reputation and knowledge gap and to fix things and create a much more cohesive approach to security.