With over 200 CISOs and security leaders in attendance this past week, it was a great day of sessions, breakout forums, networking, and a few vendor product/service solutions…
The keynote theme began with Olympic silver medalist John K. Coyle presenting on applying the Design Thinking concept, consisting of Understand, Empathize, Ideate, and Prototype, i.e. clearly understanding the problem and developing a unique solution; this brings you to focus on strengths and merely work around weaknesses.
Other key takeaways:
- SaaS is the new development model, trending toward reality
- SAP is the shadow IT, with limited security visibility (gaps in patching and data flow/integration)
- Ransomware will happen (to anyone), so weigh the price of recovery vs. paying the ransom (and do a tabletop exercise)
- Mobile endpoints increase threats, particularly without a multi-factor authentication / MDM strategy, so a little friction is not always bad
- Security controls should weigh in on IT operational cost; it's a shift in duty/control
- Directed attacks cannot be stopped, so position for response/detection more than for prevention
- Hunting or spot audits are necessary, though resources are a constraint
- Lead in two directions: normal security controls as well as user experience/expectations
- We cannot be the CI"no" (user-centric security)
And for an industry cybersecurity survey roll-up of over 700 CISOs (over 50% from finance, retail, and healthcare), see the attached; in summary:
- Top threats: IP theft, third-party risk, and reputational harm
- Top priorities: detect/respond to adversarial threats, build a security-aware organization, communicate risk to stakeholders, apply risk management to security strategy, and protect cloud data/apps/infrastructure
- 6% of overall IT spend is on security
- 59% of CISO budgets are expected to increase (modestly or significantly) on vulnerability management, incident response, and awareness