Fully day of rich content, journalism and networking of cybersecurity trends, strategy, privacy and operations that cross public/government sectors and culture. Some highlights and unedited notepad takeaways:
- Security should be embedded in company DNA, where security is first on all design and throughout entire lifecycle (build, transference and expiration of products/services); and deliberate in transparency.
- Threats move laterally including popular ransomware and botnets; and while backups and good hygiene are essentials, factoring in credentials, threat matrix including personal use of PC inevitable, transition points particularly in cloud transformation presents most risks. Controls can be relinquished but control assurances and assessment is necessary.
- The role of the CISO continues to be mandatory particularly advisory capacity (advocate for security and intelligent based risk advocate) in addition to operational effectiveness. Reporting to Executive ensures success and demonstrates commitment / investment in the function which can support but separate from the CIO traditional responsibilities.
- Resolve to a breach occurring regardless of preventative controls but effective response / remediation can/is more important - along with crisis management, design communication (externally/PR) and adequate updates stakeholders/leadership.
- Social interference / manipulation, human errors and machine vulnerabilities add to risks and surface vectors so data set diversity, database poison detection.
- It's forgiven that degree of inconvenience is expected with security particular in remote and traveling situations so key tips: proper risk policy, adequate guidance for business travelers, exercise good hygiene, risk adverse mentality is good and thorough investigation of incidents should not be ignored.
- Always be sure to relate use-cases, understand the high risk factors i.e. who's the competitor, what asset is at risk; proper user profiling should vary, patching effectiveness.
- Roadmapping communication to stakeholders, legal, briefing and debriefing is valuable and continuous metrics and auditing is a must
- Basic travel practices is essential to understand target value, devices security (encryption, unattended, locking passwords), internet/wi-fi safety and link/attachment awareness and trusting instincts.
- Ransomware and botnet will be prevalent in IoT so automated consequence management and planning should be played out in addition to toolset building e.g. endpoint security and NAC (network access control) to web security.
- Third party assurance and due diligence is a must and many lessons can be learned from tiering to proper usage of questionnaires (or similar/external services that leverage audits) but then ensure follow up, establish lifecycle vendor management, perhaps onsite visits and even holding back rewards or penalizing partners for non-compliance.
- Whether foreign nation of different sector, the principles are people, process and technology – which should be based respectively on, knowing data on devices to steal, getting to systems of high value, and understanding disruption and threats. Mitigating or preventative controls including DLP (Data Loss Prevention), network segmentation and continuous redundancy / backup.
- Planning for cloud transformation is key, pre-configuration landing zones should be created and transition/collaborate of controls to monitoring.
- Geopolitical attacks require understanding security risks, collaborating with government as well as private sectors, and quantifying reputation risks, mitigating strategy and impact.
- Area of key disruptive nations include: China for technological advances as advertised, North Korea for crypto-currency and financial institution threats, Iran for regional pursue of dominance, and Russia for using non-government entity to focus on influences and trying to shake up confidence.
- While improving 60% of boards have no cybersecurity experience based on survey but translation of technical concepts to business or boards are paramount – in establishing confidence, advocating for security and sustained level of investment.
- Taking advantages of networking peers for alignment in strategy, position, and elevating understanding of security dynamics.
- Some trends have been seen in BoD hiring external penetration testing to report directly results.
- Limits of cyber insurance can revolve around circumstances of the incident and declaration of such event or the challenges is when it's declared which is proposal to the coverage language – which should/can be negotiated.
- Big data sharing and balancing comes with collection and so does privacy and deliberate security practices to ensure protection.
- Advancement in technology also provide opportunity / requirement to deliver HIPAA records to patients more quickly to be compliance but more importantly critical uses of their own personal data / diagnosis. HIPAA, OCR and BAA all spell out requirements and instructions to protect medical and health information.
- A number of stats: 90% of breaches start from human error; 3.5 million more jobs than cyber experts to be filled by 2021; 74% of breaches involved access to a privileged account; 70% of organizations feel more concerned about breach than they did last year; 24% of asset managers believe that 80% of their assets have the latest patches and updates; 30% believe they've never been breach; 1/5 breaches have a cost in excess of $50 million; 61% of enterprises report that they can't prevent breaches without the us of AI; 2/3 of executives report cost of detection and response is lower with AI.
- Artificial intelligence requires contextual analysis and brings together: behavior, model performance, static analysis to build stories, and roll back capabilities.
Thanks Wall Street Journal for an great conference!