Innovation, big data and the future of information security
by Mirko Zorz - Editor in Chief - Wednesday, 2 October 2013.
Dr. Herbert (Hugh) Thompson is Program Chair for RSA Conferences and a world-renowned expert on IT security. He has co-authored several books on the topic and has written more than 80 academic and industrial publications on security. He has been an adjunct professor at Columbia University in New York and is an Advisory Board member for the Anti-Malware Testing Standards Organization.

In this interview he talks about innovation in the information security industry, the job landscape, privacy solutions, and more.

If we look at the information security industry as a whole, what drives innovation besides the fast-paced threat landscape?

If you went back in time, 2 or 3 years ago there were two big drivers in innovation. One was compliance, and you rarely associate compliance with innovation, but in fact it did drive innovation in fields like cryptography and tokenization. There was real economic benefit in solving those problems.

The 2nd driver was the threat landscape: it was the attacks that were coming in, and those attacks were very high profile. Both of those drivers still exist today, but there is also another one, which is interesting and fairly new to security: the idea of security actually providing value by enabling the business to use consumer technology safely, like BYOD, and allowing people to use both consumer and commercial cloud services. Is there a way we can safely let people use Google Docs, for example, because they are using Google Docs anyway? The rapid adoption of personal devices and rapid adoption of public cloud services is definitely driving innovation in security today.

Looking beyond the buzzword, how important is big data for the future of information security? Can small companies really take advantage of it?

I think one of the biggest things working against us in IT security since the beginning of the field is the lack of good metrics. Many times we have had to work based on precedent, in some cases based on superstition around what makes us more secure or less secure. Big data and data analytics offer the promise of making security actually measurable. It may give us a ground truth around security. So when you look at analytics in that way, analytics then, you would argue, is perhaps the most important element in information security today. So I think that it's going to affect not just big enterprises, who will be early adopters of those metrics, but it will give us very actionable insight for small and medium size companies too.

Privacy issues have been in the spotlight quite a bit lately. Should we expect an emergence of creative privacy-enhancing solutions or are we merely at the mercy of dubious privacy laws?

Privacy is definitely driving the creation of innovative solutions right now. From an RSA Conference perspective, the Innovation Sandbox competition that we run in the US for innovative start-up companies had many innovative new solutions around privacy. Some of it was corporate privacy, some of it was personal privacy.

As an example, I am a bit hesitant to mention or promote any companies, but these folks were in the top 10 of Innovation Sandbox: a company called Wickr is a very interesting company. If you heard of Snapchat, one of those chat applications where messages self-destruct after a while, so they no longer exist in the system, Wickr is sort of a corporate version of that. Three years ago this was only a curiosity, but given the recent discussions around government inspection of data flows, I think you are going to see companies turn to more creative, more non-traditional mechanisms for data privacy, particularly in Europe and particularly in Germany and France.

