Why have I been radio silent this week? It’s certainly not because I have a lack of things to say. Even my own teammates are surprised when I tell the recent stories of being out-talked. A couple of things are going on that you might be interested in.
For one, I am doing a project for the next three weeks for the North Texas Chevy Dealers. In exchange for writing about and videoing my experiences, I have been given a 2011 Chevy Silverado Extended Cab, Texas Edition truck to drive. Follow my adventures over here to see me kick the tires!
Outside of driving trucks and blogging about that, I spent the week in London for RSA Europe. The show is much smaller than the American counterpart, but the attendance was still strong, and the EMEA security community was well represented. My meetings with several companies had very similar threads to them, not unlike what we see in the US, but with more proactive conviction to getting things right. Could it be the £500K fines that the UK CISO is getting ready to start handing out? Or the myriad of Italian compliance regulations? The challenges that come with doing business across a continent full of sovereign nations smaller than many US states?
Probably all of the above.
Here are the highlights from my meetings:
PCI Compliance is a major struggle as companies in Europe are just beginning to crest the first compliance wave, or will do so in the next year. The EU Community Meeting is next week in Barcelona, and if you did not go to Prague or Brussels for the first and second EU meetings, you should definitely go to this one. If you went to either of the previous two, you probably won’t miss much by skipping out. I sent my feedback to the Council on what the next Community meetings should look like, so maybe we will see more valuable content for veterans in the future. Regardless, PCI was a big discussion all around. For those visiting this site from the EU, welcome! Anton Chuvakin & I wrote a book last year on PCI Compliance, and it is selling very well in your patch (Thank you!). If you have not picked it up, check it out at www.pcicompliancebook.info.
Virtualization security is surfacing as a critical need in the coming year. The cost savings and flexibility associated with virtualization and cloud computing are too compelling to be ignored, and every organization seems to be struggling with a way to cut costs without cutting security.
DLP and Data Classification are considered key ways to demonstrate that companies are securing regulated data properly. It’s a tool to validate what companies say they do, and using it in that manner is helpful to auditors as well as security managers. But companies should beware: buying a tool and flipping it on is not the way to go. These tools are complex, and you need to make sure that your company is set up to handle what comes out of them without overly burdening your understaffed security group.
Governance, Risk, and Compliance (GRC) seems to be making a return to the forefront. Not because companies have ignored it for the last three years, but because the amount of regulation is increasing at a rate that is outpacing the capabilities of many companies.
One area that was represented in the sessions, but not mentioned as a big concern in my meetings (right now anyway) was mobile and application security. We’re seeing a tremendous uptick in activity in the US around this. When I asked one group if they were concerned about it, they said yes, but that was driving them to deploy more Virtual Desktop Infrastructure (VDI) to try and contain both the data and attack vectors.
I want to say thanks for the great hospitality! The next conferences I have are the HouSecCon in Houston, and BSidesDFW. Bring your appetite to BSidesDFW, I’m bringing BBQ. I hope to see you there!