Last week I attended the Cyber Security Summit in downtown Minneapolis. It’s a big event hosting lots of corporate and public security experts. I started to take full notes and realized that much of the detail was probably too much for most of the BoB readers (and me)! So I decided to report back on highlights and broad swaths instead.
I am pleased to share a presentation from one of the keynotes: Marcus Alldrick, Information Risk and Protection at Lloyd’s of London – Cyber Risk Prioritization and Preparedness. It gives a nice overview of the sort of threats that are big right now, the costs and trends. One trend I think is worth noting is the increased focus on threats to small businesses. Security is only as good as the weakest link – and because of this I think it’s everyone’s job to keep as secure as possible. One speaker noted that even in the corporate realm, his business started with getting employees to understand and focus on security at home. It had the twofold goal of making the point real and making sure computers and devices remotely connecting to the network were clean.
Other hot topics were paying more attention to security and the balance between security and privacy. Andrew Borne used a nice quote from General Patton – “Take calculated risk. That is quite different from being rash.” Congressman Erik Paulsen said the Government needs to pay more attention. The House recently addressed cyber security issues with voluntary assistance. He noted that they’re trying to find ways to be helpful – with a balance of privacy and security. Clearly, though, more needs to be done.
Because there was a heavy focus on the private sector, a lot of folks talked about the importance of not over-regulating. BUT there was one speaker who straight out said security was better in industries that were tightly regulated.
Several people mentioned that Obama’s security executive order has been the most interesting thing coming out of government lately. But the question is what info is classified? In other words, how much does a business need to disclose about an attack? (The answer was pretty scary if you’re a citizen concerned about your own security.)
Dr. Massoud Amin talked about the economic growth opportunities in security as an industry. There are several entwined industries surrounding security: National Security, Environmental Security and Economic Security. Energy Security is a common denominator among the three. The good news/bad news about the role of energy is that the Energy Crisis has taught us a lot about the interdependency. Also, Government owns very little of the cyber infrastructure. That opens the door to economic opportunity but makes standardization and prioritization more difficult.
There was a lot of discussion about how to get the CEO involved and interested in cyber security. I mention it because I suspect the same tactics would work for community leaders, policymakers and local governments who need to get involved but are probably naturally better at a breadth of knowledge rather than the depth required to really consider security options. One speaker (who is in IT) noted that IT folks have made security too complex to get the CEOs involved. We need to bring it back down to the basics to help people to get how important it is. IT needs to educate the leaders and stakeholders about the serious threats. Folks also noted that we need to get PR folks involved with security, which I hoped meant getting the word out as necessary on security breaches (not keeping the door closed!).