The fifth annual ISSA International Conference will begin Oct. 22 in Orlando, where information security professionals will convene to discuss the latest cybersecurity trends and strategies. This year's theme is "Driving our Destiny," and the event will feature more than 40 keynote, panel and discussion forum sessions exploring security professionals' increasingly vital role in business success. The conference kicks off with a keynote address by Admiral Michael S. Rogers, who is commander of the U.S. Cyber Command, director of the National Security Agency and chief of Central Security Service.
In this Q&A, ISSA International Director Stefano Zanero discusses how the changing threat landscape has altered information security professionals' roles, the importance of collaboration to effective cybersecurity, and what attendees can expect at this year's ISSA International Conference.
What are some of the main themes of the 2014 ISSA International Conference, and what do you think people will take away from attending the event?
Stefano Zanero: I see many themes, all connected to the growth of our field and its maturity. One huge theme is threat intelligence: How do we get information about the evolution of the threats, and about the actions of the adversaries? Another main theme is education and awareness, crossed with the ever-growing importance of human factors in information security.
What are the primary sources of cyberthreats to companies' information systems that businesses should be aware of and prepare for?
Zanero: Targeted and state-sponsored attacks are becoming more and more prevalent, in particular against critical targets such as the energy, finance and transport sectors. I'm sure the keynote address from Admiral Rogers will address these challenges.
The last two years have been what I would call the "years of the data leaks." There are a few sessions that are related to protection of customer data that relate to the attacks on Target and, more recently, JP Morgan. That's what companies are worried about [and] that's what CEOs are worried about because those are the kind of things that not only influence the IT or security department, but they escalate quickly and involve all of a company's chain of command.
Many nation states and state-sponsored actors view cyberspace as a ruler-less land where they can do pretty much what they want. That changes the perceived level of risk. Many companies used to think that if they were not in strategic sectors such as energy, they would not be a target for state-sponsored attacks. I think this is no longer the case. There has been a huge shift in the risk perception of companies. The threat landscape is changing dramatically, and it's changing the information security profession. That's why we believe it is imperative for us in the field to connect, share our knowledge and insight, and prepare for the next challenges. The theme of the conference, 'Driving our Destiny,' speaks precisely to that.
Are there any new or particularly innovative cyberdefense tools or strategies that you expect to be big topics discussed at this year's ISSA International Conference?
Zanero: One of my persistent feelings is that we should look more closely at getting the basics done right than at acquiring the latest fancy tool. We are still failing at the basics; that's why I'm particularly interested in the sequence of talks dealing with improving authentication practices.
If you look at the disasters that we've had over the past few years, the high-profile attacks against celebrities' personal content and things like that, most of these attacks have either been enabled or [were] allowed to happen by the fact that only a single factor of authentication was used. Authentication is not something fancy that catches the headlines, but it's something that a lot of people working in the field are trying to cope with.
As effective cybersecurity becomes increasingly vital to business success, how has that changed the role of the information security professional?
Zanero: It has completely transformed it. Security professionals need to transform from institutional naysayers to being deeply engaged in the growth and acceleration of [the] enterprise. Most cybersecurity professionals are beginning to recognize they are on the front edge of defending not just [against] private actors, but also [against] state-sponsored attacks. In cyberspace, everything is connected and everything is reachable, so many cybersecurity professionals are beginning to realize they need to defend against all of those threats.
Security has become a complex function with many different facets. The security professionals need more than ever to connect, collaborate and network.
What types of training tools and techniques can be used to make sure information security professionals are prepared to adequately respond to the numerous cyberthreats facing modern companies?
Zanero: This is really the key question for our field, and in fact, a question ISSA has been devoting significant efforts to. Most of the current professionals developed their skills in an unstructured way, but now that the field is maturing, we need to do this better than ad hoc.
Security is a multi-faceted, complex environment. It's a very difficult blend of being trained in technology, being trained in human skills and having the soft skills necessary to operate effectively inside the corporation to build connections with peers. In recognition of this difficult process, one of the highlights of this conference is the introduction of ISSA's Cybersecurity Career Lifecycle. With the Cybersecurity Career Lifecycle, we are trying to create a structured approach to the career growth of this unique profession. The development of this model has been a significant undertaking for the association, and it helps frame training, mentoring, experience in the field, and education in a coherent process.