The first two keynotes were from RSA, and both were very interesting with a lot of valid points:
Keynote 1 – Art Coviello, Executive Chairman, RSA. Titled ‘Intelligence-driven security: The new model’
The vast majority of security spend still goes on edge (perimeter) security and edge-focused monitoring, which is failing in an open world where attacks and breaches are to be expected rather than exceptional.
Currently many people think that the security risks are overhyped, but is this true? Organisations don’t like to reveal that they have been breached, so how many breaches go unreported? A Verizon survey has also revealed that the majority of breaches go undetected for a long time, if they are ever caught at all. So how many organisations have been breached without even knowing it? This was referred to as ‘the PR gap’: the tip of the iceberg is what is known, but the massive unknown part underwater is the reality.
We must gain a better understanding of the situation. How mature and sophisticated is your organisation’s security?
He proposed four levels of cyber security maturity:
- Control – organisations at this level have likely already been hacked and just don’t know it!
- Compliance – likely heavily regulated, but the focus is on compliance and tick boxes rather than strong governance leading to compliance. Often caused by management and budgetary pressures.
- IT risk – good understanding of IT risk, only slightly behind level 4, but more tactical and IT-focused than strategically aligned with the business.
- Business risk – this is where you should aspire to be: security fully aligned and working with the business, leveraging technology and processes in line with business strategy.
How do we get there? – Understand the issues:
– Budget – pressures, how to best use it, how to justify it and highlight benefits and business cases.
– Security talent – ensure your team is as good as it can be: are they passionate, engaged, and do they understand your industry? The right team will drive security benefits and change, not just sit back, tick boxes or point further up the chain for reasons they are not acting.
– PR Gap – explained above
– Privacy Regulations – understand the regulatory environment your business is operating in.
Keynote 2 – Tom Heiser, President, RSA. Titled ‘Intelligence-driven security’.
– Reconsider – our risks. Move to a risk-based approach to security, and understand the regulatory challenges to this approach.
– Rethink – detection strategies, and deploy continuous monitoring.
– Harden Authentication and tighten access controls
– Educate, educate, educate – users, staff, regulators, media, auditors. Obviously your business will focus on your staff and users, but the security industry also needs to get better at the wider piece. Consider cyber security education around risks, phishing and so on. This point resonated with me as I come from an environment where we had various security awareness strategies, from awareness weeks to educational phishing emails, and I have proposed this approach to my current employer.
Inevitability of compromise – this does not equate to accepting loss; it calls for new tactics and tools. Moore’s law can apply to criminals as much as to processors: criminals have more and more tools, and last year’s military-grade attack is this year’s scripted attack tool in the wild. The example given was that Stuxnet-derived attacks have been found in the wild and used against banking customers.
Improved monitoring and understanding will reduce ‘dwell time’ – how long the criminals can reside on your network, i.e. the gap between initial compromise and the point at which you detect and evict them. If we assume breaches will occur (and they will), then minimising this dwell time is key to minimising risk: the longer an intruder goes unnoticed, the more they can exfiltrate, and the harder and costlier the clean-up.
This does require new tools. Consider how we redistribute budget spend: reduce spend on lower-value services and premium-priced tools such as AV and perimeter security, and reallocate that spend to more advanced security solutions.
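Dwell time is only useful as a metric if you actually measure it. The script below is an added example (not from the keynote or from RSA) that computes dwell time over a handful of constructed incident records and breaks it down by who found the breach, since a high median for third-party discovery is exactly the ‘you were breached and didn’t know it’ symptom described above. The record format, the field names and the assumption that dwell time runs from the earliest evidence of compromise to the moment of detection are all mine.

```python
"""Dwell-time metrics over constructed incident records.

Added example, not from the keynote. Dwell time is taken here as the gap
between the earliest evidence of compromise (usually reconstructed during
the investigation) and the moment the organisation detected the intrusion.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# Constructed sample data, not real incidents. Timestamps are ISO 8601 and
# the "detected_by" values are an assumed vocabulary for this example.
INCIDENTS = [
    {"id": "INC-1", "first_evidence": "2013-01-03T08:00:00",
     "detected": "2013-03-20T08:00:00", "detected_by": "third_party"},
    {"id": "INC-2", "first_evidence": "2013-02-10T08:00:00",
     "detected": "2013-02-12T08:00:00", "detected_by": "internal_monitoring"},
    {"id": "INC-3", "first_evidence": "2013-02-20T08:00:00",
     "detected": "2013-06-01T08:00:00", "detected_by": "third_party"},
    {"id": "INC-4", "first_evidence": "2013-04-05T08:00:00",
     "detected": "2013-04-05T20:00:00", "detected_by": "internal_monitoring"},
    {"id": "INC-5", "first_evidence": "2013-05-01T08:00:00",
     "detected": "2013-05-15T08:00:00", "detected_by": "internal_monitoring"},
]


def dwell_time(incident: dict) -> timedelta:
    """Time between the first evidence of compromise and its detection."""
    first = datetime.fromisoformat(incident["first_evidence"])
    detected = datetime.fromisoformat(incident["detected"])
    if detected < first:
        # A detection timestamp before the first evidence means the timeline
        # is wrong; refuse rather than report a negative (flattering) figure.
        raise ValueError(f"{incident['id']}: detected before first evidence")
    return detected - first


def _days(td: timedelta) -> float:
    return td.total_seconds() / 86400


def summarise(incidents: list, threshold_days: float = 30) -> dict:
    """Overall and per-detection-source dwell-time statistics, in days."""
    dwells = {i["id"]: _days(dwell_time(i)) for i in incidents}
    by_source = defaultdict(list)
    for i in incidents:
        by_source[i["detected_by"]].append(dwells[i["id"]])
    values = list(dwells.values())
    return {
        "count": len(values),
        "median_days": median(values),
        "max_days": max(values),
        # How many intrusions lived past the threshold before anyone noticed.
        "over_threshold": sum(d > threshold_days for d in values),
        "by_source": {
            src: {"count": len(v), "median_days": median(v)}
            for src, v in by_source.items()
        },
    }


if __name__ == "__main__":
    stats = summarise(INCIDENTS)
    print(f"{stats['count']} incidents, median dwell {stats['median_days']:.1f} days, "
          f"max {stats['max_days']:.1f} days, {stats['over_threshold']} over 30 days")
    for src, s in stats["by_source"].items():
        print(f"  {src}: {s['count']} incidents, median {s['median_days']:.1f} days")
```

Run against real incident data, the two numbers to watch are the median dwell for incidents found by third parties versus those found by your own monitoring; the point of the continuous-monitoring investment the keynote argues for is to pull both the median and the count over the threshold down over time.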
How do we access security knowledge? How do we share information? How do we ensure we protect privacy while we do this? Currently nation states and criminals have much better intelligence and information-sharing processes than legitimate governments and organisations.
We need standardised ways to share information, ideally at machine speed – the ‘standardised share act’ was mentioned. This must be understood and driven from board level down; we as a security industry need to ensure we educate the board, in business terms, around policy and business risk. How much does your board currently know about your organisation’s security stance and the risks you currently face?
We also need to be mindful of managing compliance and risk. Just focusing on compliance does not necessarily reduce risk. Remember that the criminals can read the same compliance requirements you are meeting, so if all you do is meet regulatory and compliance requirements, without a risk management / security programme on top, they know exactly what controls you have and where the gaps are. This can be a challenge given the volume of compliance projects and the budgetary constraints in many organisations, but it needs to be considered.
We need a more proactive stance that focusses on intelligence, understanding, and education from user to board level.
Keynote ended with some comments on new RSA products and tools.
I really liked both of these talks, and think we really need to consider the points raised.