This wasn’t the first year the IT security industry was embarrassed. Last year, HBGary Federal, a California-based security solutions provider, was breached, and that event consumed a considerable amount of talk at the show. Nor should we forget the big-name breaches in recent years at organizations such as Google, the U.S. Department of State and Nasdaq.
Whitfield Diffie, one of the pioneers of public-key cryptography, would disagree. Speaking during the Cryptographers’ Panel keynote at the RSA Conference about the breach at the U.S. Dept. of State, in which U.S. Army soldier Bradley Manning allegedly passed classified data to the whistleblower site WikiLeaks, Diffie noted that many of the security controls worked, and that for the breach to occur it required a trusted insider to conduct it.
Stefan Savage, professor in the Department of Computer Science and Engineering at the University of California, San Diego, observed that many of the perceived failures of IT security may be because the industry, largely, views security as a technical problem.
“There is a massive human component to security. While there are lots of technical things behind spam and botnets, there are people behind all of that, and then there are people who make mistakes that many times let them [spammers and botnets] through,” said Savage.
Michael McConnell, former director of the National Security Agency, the U.S. government’s cryptologic intelligence wing, said during the Cloud Security Alliance Summit that the industry may need increased regulation. He said the IT security industry is at an awkward stage similar to when the government wanted to force auto manufacturers to build in seat belts. Not everyone wanted the regulation. “We are at a similar time in safety and privacy concerns, and we have to address these issues. Industry is going to have to accept some level of regulations,” he said.
(From CSO U.S.)