When it's June in London, that means it's time for the annual Infosecurity Europe conference.
Last week's conference featured 240 sessions, more than 400 exhibitors and an estimated 19,500 attendees (see 10 Hot Sessions: Infosecurity Europe in London).
Here are visual highlights from the annual, three-day information security event, which offered analysis of nation-state attackers and cybercrime trends as well as hints for complying with the EU's General Data Protection Regulation.
Bigger, With New Layout
Once again, the conference was held at Olympia London, an exhibition center, event space and conference center in the West Kensington district.
The centerpiece of the Olympia, which was built in 1886 - one year before the Eiffel Tower - and originally called the National Agricultural Hall, is its glass ceiling and wrought iron interior. But the space can become sweltering on hot summer days.
This year, however, the conference expanded its footprint, and the increased interior space - and reasonably cool weather - appeared to help with air flow.
Another change: The keynote stage, instead of being a too-small, tented space on the mezzanine level, was moved around the corner to another part of the Olympia - a third-floor lecture hall. Cue decent seats and sound, amphitheater-style seating and air conditioning. Score one for the conference organizers.
The Olympia blends a glass ceiling, wrought-iron-age details, and lots of floor space, leaving plenty of room not just for exhibitors but also food stands and networking zones.
Meanwhile, Infosecurity Europe has continued to grow.
This year's conference logged 40 more exhibitors than last year, plus about 1,500 more attendees.
Lots of Swag
Beyond sessions, technology talks and hands-on demos via the new "Geek Street," conference-goers also had the opportunity to get their badge scanned in return for swag, from light sabers to black ducks, as well as the chance at some bigger prizes.
Insights From Cybersecurity Experts
This year, from Information Security Media Group's stand, I interviewed dozens of information security luminaries. Stay tuned for all of the interviews, but just to name a handful of the folks I spoke with:
- Jaya Baloo, CISO of KPN Telecom, who delivered a keynote presentation on quantum computing;
- Troy Hunt, an Australian data breach expert, who described the worrying rise in credential stuffing attacks;
- Thom Langford, CISO of Publicis Groupe, who talked about his organization's approach to GDPR compliance;
- James Lyne of Sophos, who addressed ransomware and new criminal business models;
- Rapid7's Tod Beardsley, who offered highlights from his firm's third annual "National Exposure Index" study of open and unsecured ports on the internet.
That's just a small selection of the many great conversations I had, which touched on everything from machine learning, staffing and DDoS to alert fatigue, cybercrime trends and nation-state attacks.
Analysis: Nation-State Hacker and Cybercrime Gangs Commingle
Robert Hannigan, the former director general of Britain's signals intelligence and cryptography agency, GCHQ, delivered a riveting keynote speech on Thursday, titled "Weaponizing the Web," focusing on "nation-state hacking and what it means for enterprise cybersecurity."
Hannigan retired from GCHQ at the beginning of 2017. During his tenure, GCHQ launched the U.K.'s National Cyber Security Center, which is designed to help British organizations better defend themselves against cyberattacks and respond to information security incidents (see UK Stands Up GCHQ National Cyber Security Center in London).
In his presentation, Hannigan paid special attention to the online threat posed by North Korea and Russia.
He also traced the recent evolution of cybercrime gangs and said there's been an increased blurring between cybercrime groups and nation-state attackers. "In some cases, you can see these groups sitting in the same room, and in some cases, you can see where people have been conducting state activity during the day and then doing crime activity at night."
GDPR Enforcement Looms Large
Infosecurity Europe occurred less than three weeks after the May 25 enforcement deadline for the EU's General Data Protection Regulation. GDPR requires organizations to be transparent and accountable about how they handle Europeans' personal information. Organizations that willfully and negligently flout those rules face fines of up to £17 million ($23 million) or 4 percent of annual global revenue - whichever is greater.
One big question on people's minds: Who in the U.K. will get fined first under GDPR, which is enforced by the Information Commissioner's Office?
The ICO has also been staffing up to help investigate organizations, especially because GDPR mandates that organizations inform relevant authorities when they lose control of personal data.
Speaking on a panel discussion about GDPR at the conference, the ICO's Nigel Houlden, head of technology policy, said that while the fines might be grabbing headlines, organizations should be more concerned about their ability to continue to be entrusted with personal data, because the ICO can revoke their processing power.
"Forget the £17 million fine. If we can stop you processing, that's pretty much the end of your company," he said (see GDPR: UK Privacy Regulator Open to Self-Certification).
Privacy: The "New Normal"
Other GDPR panel participants included privacy and technology experts from Thomson Reuters, Trainline and Microsoft. They talked about how they have been putting GDPR's requirements into practice, and doing so in a manner that can be both demonstrated - to regulators - and sustained.
"The phrase we've coined in my organization is, 'privacy is the new normal'," said Vivienne Artz, chief privacy officer of Thomson Reuters. She said GDPR had enabled her firm to take "the opportunity now to streamline what's been a very manual process" around handling customer data.
"Going forward ... it needs to be much more automated," she said.
Numerous organizations appear to have overhauled or refined their approach to data security and privacy in light of the GDPR enforcement deadline.
The Eurovision of Cybersecurity?
Infosecurity Europe isn't just a conference; it's also a social networking event for cybersecurity aficionados and practitioners.
Cue the night of June 5, when information security veteran Jack Daniel took to the "stage" at the Crown and Sceptre pub and quipped: "There's nothing wrong in America that would make me want to have a lot of friends in Europe."
Daniel, a strategist for Tenable Network Security and co-founder of Security BSides, was one of a handful of judges for the European Cyber Security Blogger Awards. The event doubles as a social night for a motley assortment of cybersecurity industry types, ranging from blogger-practitioners and media types to researchers and media relations folk.
Judges for this year's awards also included cybersecurity consultant Brian Honan, AlienVault's Javvad Malik, journalist Dan Raywood and Yvonne Eskenzi from Eskenzi PR. While candidates were nominated and voted for by the public, the judges also got to add their own points to the proceedings.
The list of winners included ESET for best corporate security blog, Digital Shadows for the best European corporate security blog, Jenny Radcliffe for her "The Human Factor" security podcast, and Sophia M., a cybersecurity student at Bournemouth University, for "best new security blog" with her blog "Hacker Not Found."
Other winners included Graham Cluley and Carole Theriault for their Smashing Security podcast, and porg-obsessed Twitter enthusiast Kevin Beaumont (@GossiTheDog) for "best European security tweeter," among others.
Meanwhile, Australian data breach expert Troy Hunt bagged the award for best overall blog.
"I'm not sure how I found myself in a European award program, maybe it's like Australians in Eurovision?" Hunt says in a blog post.
Not a category: Best information security T-shirt. But if such an award existed, Jack Daniel would have won it, hands down, for his custom-printed, GDPR-themed shirt encapsulating his unique approach to the "right to be forgotten."
All photos by Mathew Schwartz unless otherwise indicated.