I’m optimistic about the current trends in security. The concepts of “intelligence” and “big data” have the potential to shift focus to counter the current threat landscape of intentional attacks to steal or destroy valuable information. Additional focus on the detection of attacks within the perimeter of your network will really help with reducing risks.
But I believe we need to be careful about how we approach “intelligence” as a practical component of information security programs. Intrusion detection and event management are aspects of intelligence that the industry has been using for many years, but not many organizations use them effectively. Most orgs stand up a solution to check the box in a policy or regulation and never really integrate it into their operations.
My favorite new term is “actionable.” My first question when I hear about a new solution in information security is going to be “is the output actionable?” In this context I define actionable as some task performed that demonstrably reduces risk in the environment. Actionable Intelligence goes beyond the pretty dashboards to informing changes in the organization, whether they are technical or procedural.
Compiling information is great. Analysis is great too. But if you can’t get those volumes down to a reasonable set of recommended actions, then it’s only so much navel gazing. I want to improve security, not just measure it. I already know how bad security is. I want to make it better.