Security experts speak their brains at InfoSecurity Summit Hong Kong
Posted: April 24, 2012
One of the best things about being in Hong Kong at this time of year is, for the first time in about seven years, I’m missing the annual slog-fest that is the three-day Infosecurity Europe show in London. While the speaker line-up in the keynote theatre is always of good quality (at least on the first two days), the constant cajoling from desperate PR professionals trying to set up last-minute briefings with their clients is power-sappingly depressing at best.
However, I haven’t managed to shun IT security completely over here, thanks to the 4th MIG InfoSecurity Summit at Wan Chai’s Hong Kong Convention and Exhibition Centre (HKCEC). Eschewing the vendor pitches, as always, I snuck into the panel debates to find some refreshingly honest discussions from the assembled IT experts.
The first was nominally all about disruptive tech, but some of the most interesting comments were about plain old threats. SH Lim, head of infosecurity at Hong Kong Jockey Club, hit the nail on the head when he said the future entailed “a lot of us losing our hair”. Humour turned to exasperation soon after when discussing the problems of dealing with zero day threats and tardy patches.
“How fast can any organisation patch versus how fast can the malware writers write malware,” he added. “How do we test our apps within five days? Do we do a self-DOS by causing an app to fail by not testing a patch properly?”
SC Leung, senior consultant at the HKCERT, went further, blaming cloud computing.
“Cloud computing is great technology but the criminals are using it more efficiently for web hosting and they can subscribe to cloud services to get bandwidth on demand,” he said.
“They can hack computers thanks to the computing power of Amazon and it’s very hard to trace them. We need to solve this problem with the cloud service providers.”
Fair enough. But blaming cloud computing for security threats is like blaming ammunition manufacturers for war. The causes need addressing more holistically to make a difference.
The second panel debate focussed much more on the changing role of the CISO. Nothing ground-breakingly new there but again some good advice for budding security chiefs, namely, brush up on your business skills and learn about risk management rather than get bogged down in tactical, technology-focussed issues.
There was also a word of warning that CISOs everywhere need to heed – beware the regulator.