John Pironti

The world of information risk management and security can be viewed as a well-played and never-ending game of chess. In chess, both players carefully define their strategy, try to outposition and stay ahead of each other's moves, and constantly analyze the capabilities and weaknesses of their opponents in order to find a way to exploit them. The same is true in Information Security and Risk Management, except instead of one opponent, the defending organization has to account for an entire ecosystem of adversaries with different degrees of competencies, interests, capabilities, and motivations. The one constant that still holds true, and has been reinforced through recent highly publicized incidents, disclosures, and breaches such as WikiLeaks, RSA, and Epsilon, is that the adversaries have recognized the value of information and are now willing to focus their time, attention, and resources on exploiting the Information Infrastructure of target organizations where they believe they can derive the most long-term value instead of short-term gain.

I have often said and continue to believe that a business process and data-focused approach to information risk management and security is the key to winning the chess match. Focusing on securing technologies and meeting compliance requirements as our primary defense has failed to result in meaningful protection, and the bar to entry for adversaries to carry out successful sophisticated attacks has fallen dramatically in the last five years. New technologies and capabilities such as mobility, cloud, and collaboration continue to dominate organizations and introduce new threats and risks that must be properly identified, assessed, and mitigated based on risk tolerances and profiles developed by business leaders with the assistance of risk management and security professionals. If we focus on the business process and data, and apply appropriate controls based on risk tolerances and profiles, we are more likely to embrace these technologies and capabilities faster while still meeting our information risk management and security goals.

The best chance we have as the defender in our chess match to stay ahead of our opponents is to develop a multi-faceted, proactive, and well-rounded approach to information risk management and security which focuses first on people, process, and procedure and second on technology.  My goal for the Information Security and Risk Management track at Interop has always been, and continues to be, to empower the audience with the knowledge, tools, capabilities and insights from industry pioneers and thought leaders who are actively engaged in the chess match and can provide practical information and pragmatic approaches which can be used by organizations of any size or budget to help them stay one step ahead of their opponents.  This year at Interop Las Vegas 2011 we have raised the bar for our speakers and challenged them to provide more of this type of practical and pragmatic knowledge and insights in their sessions, and I am excited to say they have all met the challenge.

We are going to tackle the tough issues such as how to identify, quantify, and appreciate adversaries and their capabilities. We'll also cover threat intelligence, advanced persistent threats, and social engineering. Next-generation vulnerability management will explore current and evolving threats and vulnerabilities and how to identify, monitor, and categorize them based on their potential business impact and likelihood of occurrence. We will also explore the risk management and security considerations that must be made for new technologies that are being actively embraced and adopted by organizations, such as smart devices and cloud computing. Finally, we will discuss the business of information risk management and security and how to effectively govern, operate, and mature programs and capabilities in such a way that they will be embraced as a key benefit to organizations instead of being viewed as a challenging and expensive cost center that prevents the organization from being successful.

Looking forward to seeing many of you at Interop in just a few weeks.

John Pironti
President
IP Architects LLC
