Can Users Change The IT Climate Of Fear?

Security vendors always use fear to sell, but Peter Judge is pleased to hear more from end users in the real world

As we enter a season of IT security events in Europe, vendors are falling over themselves to explain the security situation. But this year, I see a positive sign. This year, we are hearing more users.

It’s always been the case that vendors drum up a climate of fear in order to profit from it. This takes the form of timed press releases on any new vulnerability, and endless research surveys that always reveal dangerous user habits, such as using pirated software, oversharing on social networks, rushing into untried areas such as the cloud or using faddy devices such as the iPad.

There are also plenty of demonstrations of vulnerabilities, at events like this week’s Black Hat conference in Barcelona – although many new attacks turn out to be retreads of well known ones, such as SQL injection attacks. And by coincidence, we go into a security season with a large Microsoft Patch Tuesday, so there really is no let-up in the discovery of flaws.

Here come the users

But I think I detect a slight change of tone in what is probably the UK’s biggest press and PR onslaught around IT security, Infosec, which opens its doors in London in two weeks’ time.

Maybe I’m misreading the signs, but it looks as if, amongst the vendors, analysts (and, of course, the great and the good), Infosec’s roster of speakers actually includes a higher proportion of real users this year.

The officials are there of course: Infosec will hear from David Smith, the Deputy Information Commissioner. Still flush with the excitement of new powers to fine organisations up to half a million pounds for losing data, he is speaking on “Stronger Enforcement, Greater Encouragement”. Other speakers include superintendent Charlie McMurdie of the UK’s central e-crime unit.

The two speakers reflect increasing political capital around IT security. IT issues have become more global and more political, with the FBI cracking down on eBay scams, and international security issues such as Google’s issues with Vietnam and China. MI5, we hear, is sacking less technical spies in favour of those with tech security abilities, and even the House of Lords has noticed IT security is an issue.

But after that, the show has CISOs and IT chiefs from different companies including The Big Issue, Citibank, Lloyds, The Salvation Army, Camelot, Lufthansa and Santander.

There’s also a bunch of worthy industry organisations including (ISC)2, ISF and the Jericho Forum, all of whom have heavy user involvement, and most of whom have “professional” news such as new training, new certification and so forth.

Now, certifications are tedious, and conference speakers always have a personal agenda (boosting their career prospects as well as their company’s image), but I see all this as a sign of IT security’s emergence as more of a full-fledged profession. It’s also a nice surprise to see companies are ready to allow their security experts out to speak at events, instead of demanding they keep schtum about absolutely everything.

If I’m right, and security issues are becoming more open, then events with titles like “Black Hat”, which trade on an air of intrigue, will decline in favour of more business-focussed ones.

That’s a loss to the sensationalist in us, but a new climate of openness in security can only benefit us all. Let’s bring IT security more into the boring light of day.