Security Forum 2010 is upon us, and the stage has been set. After my welcome remarks this morning, Forrester’s own VP & Principal Analyst Khalid Kark kicked us off with a fantastic keynote: “Maturing The Security Organization.” Next up, Malcolm Harkins, CISO of Intel, spoke about the misperception of risk as “The Most Significant Vulnerability We Face.” After Malcolm, Forrester was happy to welcome a quartet of IBM security experts and customers for a panel discussion on “Smart Security.” Daniel Barriuso, CISO of Credit Suisse, finished up our morning keynotes with a presentation outlining the essential steps to build a “Holistic IT Security Management organization.”

Even though each of these presentations addressed different security challenges, in the end they delivered many common recommendations: for example, the need for strong governance and oversight, and the ability to objectively identify and assess future risks. There were a few other key points that I want to highlight:

  • It is imperative to spend enough time assessing where you are before you can establish where you need to be. Many CISOs today think they have a firm grasp on where their security organization stands, but in reality, not many of them spend nearly enough time measuring and understanding where they stand now. Only once you have done this can you put together a long-term road map for where you want to take your security organization. To help make this point, Daniel Barriuso quoted Confucius: “If I had 8 hours to chop down a tree, I’d spend 6 hours sharpening the axe.”
  • The biggest vulnerability we face today is risk. Any particular risk at any given time is perceived through many different pairs of eyes. Oftentimes this risk is exaggerated or underestimated, which causes people to either overreact or underreact to a given situation. Don’t take a victim’s approach to managing risk. Take the time to educate yourself and others about the different perspectives that define risk, and act accordingly.
  • The threat landscape is changing, and we need to react differently. In the past, hackers were motivated by fame and usually acted alone. Today, cyber criminals are professional and organized. It’s no longer a lone hacker; it’s organized crime — and in some cases, it’s even state-sponsored agents. Their motivation is money. Their attacks are sophisticated, targeted and hard to detect. Security professionals need to learn to take a proactive approach in combating this new threat landscape and need to have a plan in place for the unexpected.

These are just three short points from four hours of incredible content and delivery on just DAY 1 of Security Forum 2010.

Tomorrow, we have another packed morning of keynotes from Forrester’s Andy Jaquith and Chenxi Wang and industry speakers Herbert Thompson (Chief Security Strategist, People Security), Dan Geer (Chief Scientist Emeritus, Verdasys), Archie Reed (Chief Technologist, HP Cloud Security), Eran Feigenbaum (Director of Security, Google Apps) and Chris Darby (CEO, In-Q-Tel). Plus, we have another 6 track sessions tomorrow.

Follow us on Twitter: Forr_SR, or search for the Security Forum 2010 hashtag: #SF10