Haroon Meer

Fresh approaches are urgently needed in the IT security space

The IT Security industry needs a “healthy injection of honesty and reflection” to address its own failings.

This is the view of Haroon Meer, information security author, speaker and founder of Thinkst, who will speak on the issue at the upcoming ITWeb Security Summit in Sandton in May.

Meer says the information security (infosec) industry needs to change. “We are in pretty bad shape considering that some of us have actually been trying and investing in security for the better part of a decade.

“I think admitting we are broken and need fresh approaches is a critical first step,” says Meer.

“We desperately need to inject honesty (and some knowledge) into the vendor space because as an industry, infosec is still largely driven by vendor supply.”

Meer says problems arise because vendors simply sell the products they have, even if they don’t address problems that customers actually have.

In addition, he says: “Many consultants sell consulting without ever necessarily having been in the trenches, so they often dole out crazily impractical advice.” He adds that growing numbers of ‘green’ consultants are entering the field to meet expanding demand. “The danger is that even the consultant you have hired might not fully understand how big the problem is.

“Security departments are running around trying to keep business happy and users in line and all the time nobody is admitting that for the most part, everyone is relying on prayer as a defence mechanism, hoping that the attack doesn’t come on our watch.”

Meer says the biggest computer security threat facing South African businesses may be the attempt by many to over simplify the problem. “This leads to solutions that are potentially neat and simple (while being unuseful and unhelpful),” he says.

Meer’s talk at the Security Summit, entitled “Information Security: The things we don’t say”, aims to highlight aspects of information the industry tends to gloss over, he says. “We gloss over them because we don’t know that they matter, or because we know that they matter, but don’t yet know how to solve them.”

He feels the industry tends to ignore the important issues and focus instead on hyped issues which may not be as crucial.

“There are periodic hot topics that bubble to the surface because they are trendy and there are topics that bubble up because of ‘management by in-flight magazine’ but these are often not what really matters on the ground,” he says.

By way of illustration, Meer says: “If you go around to most large organisations today, and ask them what’s top of mind for next year, I’m sure a large number of them will say cloud and mobile. Pushed further, many will tell you that mobile devices can be lost with sensitive customer data on it. Now ask the same organisations how many of them are running file-system encryption on their employees’ laptops? Ask how many have visibility of their own data centers (let alone ones run in the cloud).” Not many, he feels.

“The industry seems to fl it from technology of the day to attacks of the day and some problems that have plagued us for over 15 years are still around.

“I think in some ways the problem is much bigger than most enterprises think. This is not just me being alarmist,” he says.

The annual ITWeb Security Summit will take place from 15 - 17 May 2012 at the Sandton Convention Centre. For more information and to book your seat, go to securitysummit.co.za">www.securitysummit.co.za