SecurityDisconnect

Impact of security disconnect
A discussion of the impact a disconnect between IT and the wider business has on security
Joe Baguley
Security is clearly a priority but worryingly IT teams are not disclosing details of some serious cyber attacks in their organisation.
Joe Baguley
Are they hiding to save their jobs?
Joe Baguley
Is this a cultural problem?
Sarah Richmond
Will this change with the upcoming GDPR in that organisations will have to declare data breaches?
Charles Barratt
It's certainly an issue, however new EU laws announced now compel companies to report cyberattacks where data has been breached...so hopefully it will improve http://www.zdnet.com...
Trustmarque
GDPR will certainly increase diligence around security. Even for UK, if/when we leave the EU - here's why: http://bit.ly/290ryS...
Matthew Northam
It compels the companies but to Joe's point will the "whistleblowers"/IT teams be punished for reporting it? I hope not as I hope it brings a change in culture to being more proactive around security and data....hope springs
Rory Choudhuri
Culturally, EMEA folks are disinclined to be open about errors and failures – perhaps because of management attitudes?
Gregg Robertson
@roarers Having just completed work for an international bank recently, personnel being open about security and breaches can bring legal proceedings against them due to bankers' oaths being signed
Rory Choudhuri
@GreggRobertson5 Which leads us to the point where the only solution is legislation :-/
Jeremy van Doorn
As we come to the close of this Crowdchat, a big thank you to all of you for joining the conversation! I think we'd all agree that security HAS to be higher on the C-level agenda. So I'll leave you with this image... http://www.via-cc.at...

Charles Barratt
Brilliant discussion! Thank you to everyone who has joined
Joe Baguley
What should be the new approach to security if there is one? Should we start building it into the core? http://www.via-cc.at...

Jeremy van Doorn
Yes! Security should be part of the design from the start, rather than bolted on afterwards!
Gregg Robertson
Too many times security and compliance are only an afterthought once the solutions are built, which can cause severe delays and even projects being shelved
Charles Barratt
Absolutely! Security needs to be part of the foundations within the IT infrastructure and not an afterthought
Rik Ferguson REMAIN
You got mine, explode your infosec department, have a champion in every line of business or department.
Jeremy van Doorn
Building security into the core platform everywhere also allows for much faster go to market, as fewer things have to be altered when moving from dev to testing to production!
Dor Zakai
YES!! Part of every step we take and in every implementation we do
Rik Ferguson REMAIN
To be honest, data centre and desktop virtualisation gives you a great opportunity to "Rip It Up and Start Again"
Gregg Robertson
@rik_ferguson Also with the CDCI of cloud, security baselines of products can be torn down and spun up within minutes.
Jeremy van Doorn
Now that many companies are using Desktop Virtualization, does that increase the need for segmentation in the Datacenter. End Users are now located sooooooo close to the crown jewels in the datacenter.
Joe Baguley
SDDC also gives you opportunities to do things in new ways you didn't think of before...
Rik Ferguson REMAIN
So, hey, let's talk about the disconnect, it's a pet subject of mine and I'd love to hear how others feel about it. Does security "fit" with the rest of your business?
Rik Ferguson REMAIN
Does your business "fit" with security? Are you still a roadblock? Or perceived as one?
Francis Dropik
There is definitely still the perception of being a roadblock. 16% of employees in the UK would risk breaching their organisation’s security to carry out their job more effectively...
Joe Baguley
We are not seeing enough alignment between business leaders and IT decision makers over security planning and priorities
Rik Ferguson REMAIN
So here's my thing, I think that we are fundamentally doing security wrong and I'll explain why. I believe our goals should be to see the InfoSec department all but disappear, that's the ideal state 1/x
Rik Ferguson REMAIN
We always complain that security is "bolted-on" to products, processes and systems, that it is not designed in from the ground up or fully integrated. Yet we continue to bolt security on from a business function perspective 2/x
Rik Ferguson REMAIN
The ideal state is for a distributed and integrated security function, with champions in each line of business or department. They understand the business drivers for that department and the security concerns. 3/x
Francis Dropik
And then there is the lack of education and guidance coming from the business leaders and IT out the wider organisation. What can be done to tackle the 'human error' element?
Rik Ferguson REMAIN
and they are better able to make sure systems and processes of business are conceptualised securely from the off.
Rik Ferguson REMAIN
It's too long for Twitter I guess, but that's the gist 5/5
Rik Ferguson REMAIN
@FranDropik Of course there is training and there is policy, training to ensure the policy is understood and adhered to. What is often missing though is an ability to *enforce* policy.
Joe Baguley
So, security should be something that people don't have to think about and is inherent in the system?
Rik Ferguson REMAIN
Secure by design is the nirvana I guess (not the Kurt Nirvana), we need to recognise we'll probably not get there, but we need to keep trying. We need also to recognise that vulnerabilities exist simply in "the way we do things", not just in tech.
Phares Kariuki
good security needs to be invisible, at the end of the day
Jeremy van Doorn
I wanted to start with the statement that security spend is on the rise yet so is the cost of breaches…with data becoming more valuable, it also becomes more vulnerable http://www.via-cc.at...

Jeremy van Doorn
Our study found that organisations are under threat of serious cyber attacks – 37% of EMEA ITDMs think one will happen in the next 90 days
Rory Choudhuri
Any comments on the speed of reporting and disclosure?
Trustmarque
It's no wonder people fear attacks - high-profile breaches are in the news every day #securitydisconnect
Francis Dropik
We found similar data in the UK - 24% of businesses expected an attack, yet only 5% of corporate leaders deemed security a priority. Massive disconnect.
Rik Ferguson REMAIN
@roarers You can expect that to ramp up over the next couple of years as GDPR kicks in.
Jeremy van Doorn
Yes, the fear is certainly there. However, many business leaders still underestimate just how big of a target they are.
Cherry Gray
Interesting reporting from NCA on cyber arms race today and the UK is not keeping up http://www.bbc.co.uk...
Rik Ferguson REMAIN
@CherryGiles don't forget that is a department fighting for budget and attention (deservedly) in an increasingly cash-strapped administration.
Matthew Northam
@rik_ferguson Do you think organisations outside of the EU that will be impacted by the Regulation are prepared? Or even aware?
Rik Ferguson REMAIN
In large part no, we just completed a survey on that, there is also a lot of post-referendum confusion. Fact is, it will still apply in most cases.
Jeremy van Doorn
They will definitely be impacted as the GDPR regulation aims at any organisation storing data about EU citizens. So, many companies outside of the EU will also be impacted by this.
Rik Ferguson REMAIN
storing data or selling services to EU nations
Jeremy van Doorn
Matt, do you think companies outside of the EU are aware of the GDPR and taking appropriate action?
Jeremy van Doorn
I think all of this points to the need to bring security back to the top of the boardroom agenda – and that’s what we want to discuss today
Matthew Northam
I don't... Asking around, they think it is an EU problem. When explained that if they hold data on me they are impacted I get funny looks. Data is global!
Rik Ferguson REMAIN
Yep. My experience tallies with this too, very little US awareness.