On March 21, I presented in the Third Annual CSO Perspectives Seminar on Cyber Security in Washington, D.C. I typically prefer morning presentation slots and this was no exception; the seminar attendees — representing the Department of Defense, Department of Homeland Security, Department of Treasury, Office of Inspector General, Federal Reserve Board, US Air Force, US Department of Commerce, and US Department of State, to name just a few — were extremely receptive to hearing about the latest techniques for managing risk in the face of an expanding cyber threat landscape. Dealing with APTs is serious business and every single person in that room was intent on finding new and better ways to protect their sensitive data from the bad guys.
I got asked a number of interesting questions at the end of my talk. There were several inquiries about supporting the cloud, which is understandable given that there are significant government mandates in place to move to the cloud. The security leaders in the room wanted to understand how they might move to the cloud without compromising their ability to secure their environments. Also, due to the large size of many of the government initiatives, I got questions about ease-of-use at scale.
Lastly, given the impending sequester cuts, CSOs are looking for ways to save money, and consolidating resources (as they’ve done using virtualization) is a hot topic. That said they want to maintain a policy-based security approach. If they consolidate databases and files to fewer platforms, they have to ensure separation of responsibilities and data protection that can be partitioned among the different user communities using the so-called "shared" resource. I loved getting that particular question because Vormetric's data security solutions enable customers to consolidate multiple servers into a single server, using the Vormetric data firewall and a strong policy-based approach to create the separation of responsibilities at a root level as well as the separation of both database and file visibility.
In addition to sharing information about data-centric security with others, I was fortunate to be able to listen to some very interesting speeches later in the day. Bob Bigman, former CSO of the CIA, gave an excellent speech during which he highlighted the importance of focusing on the basics. One of the security basics about which he was quite outspoken is the critical need for policy-based data protection and a data encryption model. Music to my ears.
I was also delighted to hear Larry Zelvin, Director of the National Cybersecurity and Comms Integration Center (NCCIC) in the US Department of Homeland Security (DHS) highlight the importance of building a strong security intelligence platform. I agree with him wholeheartedly. Gathering security intelligence is not optional, it's essential; an appropriately deployed data-centric security model must provide ongoing security intelligence.
Bottom line is that both the formal presentations and the informal discussions I took part in deepened my conviction that the perimeter is failing and that the best way to protect what matters — your sensitive data — is through data-centric security that includes a data firewall, strong access controls, advanced encryption, key management and vaulting, and security intelligence. All I can say is that I certainly joined the right company in 2012!