CISO’s Responsibility 2021 – Takeaways from the Security Insight Summit

2019 Security Insight Summit takeaways: Leaders from US DoD, Mitel, and MUFG Bank share thoughts on cybersecurity, hacking, espionage, and more.

Security today is less about fortifying the network perimeter and more about ensuring that only trusted users and devices access an organization’s data. The question is, where do you start and what’s your responsibility as CISO? That was a big topic discussed at the Security Insight Summit in Amelia Island, Florida.

National Cybersecurity

We kicked off our summit with a Keynote Address by Ed Brindley, Senior Executive at the US Department of Defense. Brindley spoke about the cyber digital world, highlighting key threats and concerns pertaining to the US DoD cyber security strategy.

“Cybersecurity is a really important part in the world we live in today. It has the ability to enable our world or threaten our world and our way of life,” said Brindley.

“We need to do a much better job of understanding the threats in the space and ultimately managing risks to business, operations and way of life.” He confirmed that today’s digital era is wholly reliant on cyber space for economic prosperity, digital commerce, social interactions and national security.

“Our competitors conduct cyber space operations to steal our technology, disrupt our government, and hurt our credit infrastructure.”

Brindley said while our intelligence operations is modernizing, we still need solutions that are secure, scalable and reliable. “And we need advanced enterprise grade solutions that address our growing complex data set to achieve efficiencies.”

Brindley also commented that adversaries are stealing intellectual property or information on personnel – attempting to undermine elections and our democratic process all below the level of war. “We are facing strategic competition from adversaries especially from Russia, China, North Korea and Iran.”

He said Russia is trying to disrupt our nation including their cyber election interference. He warned that many adversaries are seeking to capture emerging technologies that will thrive future economic growth.”

“If you are a company they are targeting your provider, if you’re a provider they are targeting you!”

Brindley advised the audience that we need to watch out for these cyber attacks. “We need to secure our software supply chain.” Brindley advised introducing varying levels of machine learning, automation, and AI can provide substantial value to an organization. “Suppliers around the world play a huge role in technology products, enabling AI and data for predictive analysis.”

The Full Keynote

Video poster

Watch the full keynote now, by Ed Brindley, Senior Executive at the US Department of Defense.

Is the Security Industry Solving our Problems?

Attendees at the summit also discussed how many products are hitting the market. Many claim to increase efficiency and decrease false positives. However, some of these products represent only incremental change to the status quo despite being labeled as “disruption”. But this “disruption” can come from startups whose exit strategy often, is to be acquired by one of the existing big players in the industry.

Allan Alford, veteran CISO, formally at Mitel spoke on this topic and today’s CISO responsibility and challenges. He believes Venture Capitalists back these companies, perceiving their value not in terms of whether they solve a problem, but whether they can look attractive to future buyers. Alford said the industry’s business model is broken.

Alford said the truth is you only must be good enough to make established players just nervous enough to want to buy you. “It’s about being just enough of a differentiator to be bothered with from an investment perspective.”

So what do we do about this? Alford says: Do not get suckered in.
• High Yield projects you can lead without a cutting-edge security tech stack
• We can succeed in our mission if we get back to the basics.

“Where does the CISO thrive? At the intersection of risk and business – that’s what matters,” Alford said.

He said risk-based security is still the main driver. “If you know your organization, and you know its core mission, and you measure your organizations risks with that mission in mind.” Alford also advised to spend wisely and manage your most critical risks. “Don’t believe the hype, remember what’s important.” And when it comes to vendors – its important to look at their resumes and drill them on what they say they specialize in. “Make sure they are competent!” Alford said, emphasizing the importance of knowing the cybersecurity questions to ask.

CISO’s responsibility in Strengthening Organization’s Vendor Management

Nasser Fattah of MUFG Bank also spoke about vendors in a digital transformation world. He says the rate of digital transformation is fast, and cybersecurity due diligence needs to keep up.
Fattah touched on the benefits of outsourcing:

• Cuts costing
• Enables focus on core business functions
• Solves capability issues
• Enhances service quality
• Critical to the business needs

He says when if comes to vendor management always shift left! From looking at planning to due diligence, to contracting, ongoing monitoring, then to termination. When is comes to planning, Fattah says it’s important to get involved early with business and IT execs on vendor requirements and selection. “Spend ample time on RFPs – appropriate terms and conditions,” Fattah said. “Work with external SME partners to learn more about technology/ vendor.”

Ethical Hacking

What is ethical hacking and what different types of hackers are out there? Dan Anderson from Lifescan also known as ‘z0lt0n’ explained the following during a workshop and cyber security group discussion he lead:

Black Hat Hacker – trying to steal something or ruin something.
Grey Hat Hacker – mostly good hackers but stray over the line a little bit.
White Hat Hacker – an ethical computer hacker. Think: See what you can break.
A Certified Ethical Hacker – is a knowledgeable computer security expert.

New & Emerging Threats in Cyber Security

There’s been so many new and emerging threats including the latest on crypto lockers, polymorphic malware, and sophisticated nation state attacks. Troy Wilkinson, Chief Information Security Officer at International Cruise & Excursions Inc. explained current trends.

“Phishing attacks are increasing,” Wilkinson said.

He said cybersecurity spending is on track to reach $124 billion in 2019. “In the past 2 years, 90% of critical infrastructure providers say their IT/OT environments have come under attack.” Wilkinson pointed out that 59% of organizations still have unfilled cybersecurity positions.

Another top threat mentioned: Ransomware. “It’s continuing to evolve.” He said now, cyber criminals are focusing on larger targets like hospitals, cities, education and they are reinvesting funds into stronger code.

How do we protect ourselves? Wilkinson said it has to be a multi-layered approach. Here are some tips he shared:
• Complete asset management program
• Monitor for lateral movement
• Description technology
• Invest in your people.

Recovering from the Equifax Breach

The September of 2017 Equifax announced that it had breached the data of about 143 million consumers in the United States. Michael Owens—Interim VP / Business Information Security Officer at Equifaxspoke about it at his workshop. Owens said he came in after the breach, and spoke about how they took a lessons learned approach.

“We looked across multiple dimensions and geographies to identify considerations within these categories: Leadership Organization, Execution and Operations, International Insights, Stakeholder management and communication, risk management, security, and IT” Owens said.

“It starts with changing a culture in the organization.”

Owens said they have since hired hundreds of security people. Making security important and embedding it into organization. They are also making progress by looking at detection & response, hardening the perimeter, looking at data governance & risk, and managing vulnerability.

GDS Group hosts experts to help experts. We strive to provide an atmosphere for our attendees that enables them to confidently lead their companies through major transformation projects. For information on upcoming events, view our Technology Summits and Executive Events. To remain current on our activities, visit GDS Group on LinkedIn Facebook | Twitter.