BALTIMORE, MD (July 9, 2014) — John Pescatore, the SANS Institute's Director of Emerging Security Trends, spoke in Baltimore today. He reminded the audience that threats aren't standing still — they react to defenses. Nor are business demands on technology static — they're expanding rapidly — and enterprises are under pressure to prevent more attacks, detect them faster, and resolve their consequences sooner.
Pescatore outlined the big trends the industry is seeing. First, it's becoming impossible for IT to control the technology used within any enterprise. We're rapidly moving toward CYOIT, "choose your own IT," he said, an even bigger shift than the more familiar BYOD ("bring your own device"). Further eroding IT's control of hardware and software are increasing virtualization, cloud use, and software-as-a-service. The Internet of Things is indeed coming, and with it a vastly increased attack surface. Industry and government agencies are increasingly beset with the security worries a globalized supply chain presents. And, finally, he warned that threats are becoming increasingly more targeted and evasive.
The goals of security ought to be, Pescatore argued, keeping the bad guys out, letting the good guys in, and keeping the wheels on the enterprise. The Twenty Critical Security Controls for Effective Cyber Defense are a good way for any organization to organize itself to accomplish these goals, embodying as the Controls do industry's and government's consensus best practices. They provide actionable guidance across the range of missions enterprises serve, and against the range of risks they face. He's moderately optimistic that enterprises can cope with security provided they understand it this way, and provided that we adequately address authentication and encryption challenges.
Compliance alone, Pescatore believes, is never enough: "I'd rather flunk my compliance test but protect my clients' data any day of the year." Security is a business decision, balancing costs and benefits. Security itself is also a business, and the value it delivers lies in turning data into action.
John Pescatore has been working in information security for more than four decades. His career bridges government and industry. An NSA-certified cryptologic engineer, he received his education in electrical engineering from the University of Connecticut.