Oxon Hill, MD— It should be no surprise when marketing executives for security vendors say that whatever it is their company sells is the best way to bolster data security. That is, after all, their job.
That view certainly prevailed at the Gartner Security and Risk Management Summit held at Gaylord Convention Center just outside the Capitol Beltway that encircles Washington, DC.
And as you'd also expect, the topic that came up in every conversation even vaguely related to security was the recent data breach disclosed by Office of Personnel Management. On June 4, the OPM disclosed that hackers had made off with millions of personnel records of government employees and others, including contractors with security clearances. Since nobody actually knows any solid details about what happened, speculation ran rampant.
Fortunately, I was able to find some serious security researchers at the event -- people who were quietly advising some of those three-letter agencies at the capital that we expect are able to keep confidential data from being leaked or stolen. Their views were much different.
"This is why we need a new paradigm," Jasper Graham said as we talked in his hotel suite far from the crazed goings on at the Gartner event. Graham, who is senior vice president of cyber- technologies and analytics for Darktrace and formerly a National Security Agency cyber-security expert, said that the industry needs to abandon the idea that perimeter defense of the enterprise is enough.
"You might be able to keep out 90 percent," he said, referring to the number of people trying to break into an enterprise network, but he said that the remaining 10 percent are smart and motivated, so inevitably they will find a way to get into your network.
Because keeping hackers out of your network is essentially impossible, what enterprises must do is find ways to make their valuable data inaccessible or useless, or preferably, both. This is the reason that hackers were able to penetrate OPM, as well as Target, Sony and Anthem, he said. Those networks, he pointed out, were not segmented and their critical data wasn't encrypted.
Sadly there are worse problems than just limiting security to perimeter defense. Torsten George, vice president of marketing for Agiliance shook his head in dismay as he told me about a company that asserted it didn't need any sort of cyber-security protection.
"They said they had cyber-insurance, and that was enough," he said. I asked him if that company's cyber-insurance was going to cover the company's drop in valuation or the firings of the company's CIO and CSO when the board found out why any hacker was certain to be successful.