Soft Information Security Conference

posted Sep 12, 2015, 7:01 AM by Niels Jensen   [ updated Sep 12, 2015, 7:13 AM ]
On Thursday September 10th Safepark attended SISCON's Information Security Conference, which they marketed as the largest "soft" information security conference in Denmark, with more than 100 participants. "Soft" in this connection does not necessarily mean easy. Soft has to do with all the issues you have to deal with in information security that have nothing to do with buying software or hardware, such as convincing the board that information security is important and something they need to be involved in, or understanding the EU's new data protection regulation, which is likely to become a reality in 2018. The conference venue was Bella Center on Amager, which is now also known as the Comwell Conference Center Copenhagen.
SISCON is a small IT company located in Allerød, a bit north of Copenhagen. They have a single product, CONTROL MANAGER, which is an information security management system. This ISMS is developed with an eye to ISO 27001, but also to other relevant advisories about information security. It will help you keep track of your IT assets - hardware and software - and all the tasks necessary to keep your compliance up to date with respect to both internal and external reporting. SISCON has 10 employees: 6 taking care of marketing and consultation from Allerød, and 4 taking care of development in Ukraine.

The opening keynote was titled "Information security on the board agenda", and was given by Peter Nordgaard, who is CFO at Berlingske and also a board member there. He started by stating that the board is foremost concerned with business development and their customers. Then he addressed the questions: What is our responsibility? Towards whom are we responsible? And what are our tasks? The answer to the second question was: customers, employees and suppliers. He strongly recommended watching the video "Pirate Bay AFK" on YouTube. AFK stands for "Away From Keyboard". The Pirate Bay was, at the start of the century, the world's largest file sharing site. Information security involves data collection, data handling and data archiving. The questions the board has to address are: What data are we collecting? Why are we collecting these data? How are we handling these data? How are we archiving the data, and for how long? The rules of the business must be defined, and that is definitely a board responsibility.

Michael Hopp, who is a lawyer with the Plesner Group, started by stating that the purpose of the personal data regulation within the EU was to replicate the success of the competition regulation. That is why they propose very high fines for violations, e.g. 5% of company revenue. A good place to start, he told us, would be ISO 29100. Key words would be privacy by design and privacy by default. According to the current drafts - there are three - larger corporations have to create the position of data protection officer. Mr. Hopp mentioned that LEGO recently hired one of his employees for that position. So companies are already preparing for the arrival of the new regulation. Certain companies are exempt if they don't handle personal data and have fewer than 250 employees - again according to the draft regulation. At the end of Michael Hopp's presentation a representative from Bane Danmark asked why the EU is so focused on cash help for lawyers, and not on benefits to society.

From the customer presentations at this and one other meeting Safepark has attended about Control Manager, it is rather difficult to get an understanding of the structure of Control Manager. One benefit appears to be documentation in connection with internal and external audits and reporting to directors. This conference had short customer presentations from EUC Nord, an educational institution in North Jutland, and from Willis, an insurance broker. EUC Nord noted that Control Manager was not God's gift to the people. There is a steep learning curve with Control Manager.
Torben Jørgensen, who is VP of Information Security at Vestas, gave us some thoughts about perception. How does my boss perceive me? How would you perceive me if I showed up in shorts and a t-shirt? How can I change that perception? Align with management. During the past years Vestas has had to make some hard decisions, like treating a heart stoppage before a broken leg.

One issue that came up during the final presentation from SISCON was the talk about "IT and the business". This is an issue which we at Safepark have great difficulty with. IT is as much a part of the business as accounting or marketing. But why do IT people always talk about IT and the business?