In mid September, the 1st NIS Summer School, jointly organized by the European Network and Information Security Agency (ENISA) and the Institute of Computer Science of the Foundation for Research and Technology - Hellas (FORTH-ICS), took place in Heraklion, Greece. The purpose of this gathering was to discuss multi-dimensional issues related to network and information security (NIS), the advances made in the recent past, along with emerging threats, critical compliance and legal issues. The attendees enjoyed the presentations of numerous outstanding speakers from all over the world.
ENISA representatives have a clear idea about the complexity of the problem they're dealing with. Rather than bombarding us with surveys, they simply say they don't know how big the problem is. Nobody really does: statistics differ, and companies still under-report security breaches, which makes it impossible to see the big picture. We can only accept the fact that we live in uncertainty, but at the same time we need to get an understanding of the risks and vulnerabilities, since that's the only way we can protect our networks. It's worth noting that ENISA wants mandatory reporting of security breaches, despite this not being popular with all organizations.
One of the hot topics at the event was data protection. It's essential for an organization to set a clear set of goals if it wants to achieve an acceptable level of security. What organizations need to realize when discussing the question of security return on investment (ROI) is the fact that good regulation guarantees trust. Naturally, trust brings forward more users and eventually more services. Thus, it's of the essence to work on issues related to the regulatory framework.
Some member states of the European Union are more equipped than others when it comes to developing NIS. One of the roles of ENISA is to broker the way knowledge is exchanged between countries. Fine examples of cooperation are Hungary working with Bulgaria in setting up a government Computer Emergency Response Team (CERT) and Finland supporting Slovenia in organizing awareness raising activities.
You are probably wondering how effective ENISA's work is. A survey showed that the work is influential and of high quality, but it still has to reach its full potential. With a yearly budget of 8 million Euros and so much on its plate, the agency has to choose its research carefully.
Dr. Jorgo Chatzimarkakis, a Member of the European Parliament, emphasized the importance of having politicians acquainted with matters related to computer security. It was refreshing to hear a politician with a significant amount of IT knowledge discuss crucial security issues and their impact on the European Union.
The dark ages of security
Lord Toby Harris from the House of Lords characterized information security today as the poor relation of security and technology. The complication derives from a variety of emotional, cultural and financial issues. He is very critical of the UK government's approach to security on several levels, and he is not afraid to speak openly about it. He believes there's a danger of complacency in the UK. Public-sector compliance with security requirements is poor, and a proper disaster recovery plan is nonexistent. Sadly, the same can probably be said for most European countries.
The fact of the matter is that in order to achieve regulation, we need greater responsibility from both individuals and the private sector. The balance of responsibility has to shift and include equipment manufacturers, software producers and service providers. Also essential are adequate resources that allow the enforcement of the rules.