Last week, I attended the RSA Security Conference in San Francisco. The RSA Security Conference was first held in 1991 and has become one of the largest gatherings of cryptographers and security experts in the nation. At this conference they discuss the latest trends in security and security threats.
Tuesday morning, Arthur Coviello, Executive Vice President, EMC Corporation and Executive Chairman, RSA, delivered an excellent keynote address. I wanted to share a few items that impressed me. Mr. Coviello spoke about the need to change the way we secure our networks. He emphasized that perimeter defenses such as firewalls and passwords were not the only forms of protection that were necessary and that addressing security by simply adding more controls was no longer effective, i.e., twice as many controls will not make you twice as safe. Rather, the security model of the future would also need to incorporate a risk-based approach, where risk is a function of the existing vulnerabilities, the likelihood of an attack and the value of the assets being protected. Threat analysis and detection must focus on patterns and trends and the context in which those patterns are exhibited. An example of this might be seen in how and when users access the billing system: it may be normal for me to access the billing system Monday through Friday, 8:00 am – 5:00 pm, but it's not normal for me to access it after midnight on a Saturday.
I came back from the conference with a number of ideas on how those concepts apply in the inContact environment. For example, how does inContact's operational model impact or mitigate risk? Looking at inContact's applications, inContact takes the approach that it wants to minimize the data that exists within our system. One of the concerns that is often expressed to me is, ‘what customer data will inContact host?’ I explain to them that inContact seldom hosts any sensitive data. Instead it has tools such as web services and database connectors that allow our applications to consume customer data from a customer source, utilize it within a script in order to determine how to process a contact and then discard that data. That data is never stored within the inContact platform. This allows us to minimize the amount of actual customer data held on our system, and thus minimize the risk.
Getting back to RSA, certainly, ours is an age of information and social networking. It has become impossible for one person to be an expert on everything and be the source of all the good ideas. For this reason, it is important for your security personnel and system architects to seek avenues such as the RSA Security Conference to expand their view of the horizon. I would encourage companies to make sure their IT, system architects and security personnel have opportunities to network and learn from their peers within their industry. Obviously, I have focused on RSA here, but there are other conferences such as Interop, organizations such as the Cloud Security Alliance, and a host of training entities such as Bright Moon Security to select from.
Investing in your IT and Security teams is an investment in the security of one of your most valuable assets… your company's information.