Well I am back from my trip to Infosec 2008. This year the show seemed bigger, louder and slicker than in previous years. There were a lot more stands than before with many of them obviously breaking into their marketing budget in a big way. But walking around I figured that many of them would not be at next year’s show. Many of the smaller stands were taken up by new companies trying to break into the information security industry. But I could not help but think that their product did not really address any real need for there customers, they did not really understand what the customers’ needed or that they were competing against well established players in the market.
What also surprised me was the number of penetration testing companies that were present. It seemed that “penetration testing” was the main theme for the show. This was of course backed up by claims that these tests would help you achieve compliance, keep you secure and cure world hunger while also curing cancer. Talking to a number of the vendors in this area I could not help but think “why would I choose you over the next guy?” Each one claimed to be the best in the field, that their methodology was the best as were the tools they used, yet not one of them had that wow factor. While penetration testing has its place in helping you identify weaknesses in your defences it is simply a snapshot in time and something that you should not rely solely upon. I will post my thoughts on penetration testing at another time, but suffice it to say I do not believe penetration tests are the “silver bullet”.
Talking to some of the people who attended the show I also could not help but think that a lot of people were hoping to find a solution to a problem they did not yet fully understand or even realise they had. This year more than most you could see that the marketing people had given the stands a makeover and all the messages used the key words of compliance, data loss and security but without any real substance behind them to support their claims.
Those of us well practised in the field can easily cut through the marketing blurb and get to the meat of the subject. For example I was told by one vendor that their firewall auditing tool alone would make my ISMS compliant with the ISO 27001 Information Security standard.
Having talked to a number of other attendees at the various talks and coffee breaks it became apparent that many at the show were not dedicated IT security professionals but IT managers or someone who has security as part of their responsibilities along with many others. These people don’t have the time nor the knowledge to understand what their problems are or what solutions they need and may simply buy the first silver bullet that they come across.
My concerns are that these companies will then think they have a secure network in place because they bought an all singing and all dancing solution from the nice salesperson in a suit when in reality they will continue to have security problems. This is bad news for you and I as the more insecure systems on the Internet the greater likelihood for more infected hosts there will be to attack our systems. It also means that business people will become more and more frustrated when the solutions they have paid good money for have to be augmented with more solutions or even replaced.
What we need is a more directed approach by vendors whereby they take the Ronseal, “Does exactly what is says on the tin”, approach to their products and simply claim that there product does what it is supposed to do. Nothing more and nothing less.
We also need to provide better information and education to those outside of the information security field so they can at least understand the basic fundamentals of what they need to put in place to secure their environments. We can do this by submitting articles to more mainstream focused IT press and blogs, by volounteering to present at mainstream IT conferences and by simply talking to work colleagues.
The more knowledge and information we share the better informed everyone will be when making sure their network is secure and in turn making the Internet that bit safer for us all.