Views From The Cyber Sandbox
Day One Highlights Of The 13th CISO Exchange
CISO Exchange is an invite-only conference for enterprise security leaders. The 13th CISO Exchange kicked off this week in Tampa. The event combines talks from practitioners, discussions of innovative approaches to enterprise security, 1:1 business meetings with solution providers and networking opportunities with peers.
A theme of Human vs. Machine: The Competitive Advantage Is Balance shaped the topics presented to CISOs based on the following market observations:
- The scale and sophistication of attacks continues to increase
- Cyber-attackers have access to emerging technology, such as cloud services and machine learning
- Automation enables business to scale security faster and more efficiently than adding more analysts
While it is impossible to recreate the peer sharing taking place at CISO Exchange and the fundamental message of “you’re not alone on this cyber journey”, here are some of the highlights from the first day presentations and talks.
Views From The Cyber Sandbox
Cyber-attacks are organized and perhaps more capable of coordinating and sharing information than the defending organizations. As observed by enterprise security teams and their sandboxing efforts, the nature of malware, for example, is evolving.
Attackers residing in one region of the world are utilizing tools and techniques originating from another part of the world. Attacks are then made upon entirely separate geographies where patterns and signatures no longer match – like highly customized malware. Attackers are similarly taking the learnings from attacks on one industry, adapting and applying them to adjacent industries.
Organizations continue to shift their efforts from protecting devices and lifecycle management to protecting data. Security leaders at CISO Exchange recommended orchestrating policies and getting closer to the consumer data, including PII and PHI.
Security cannot take a status quo approach to critical infrastructure security. They must assume that the network has been compromised. For this reason, the zero trust model is advantageous to be implemented where possible in the organization’s processes.
By taking a security position that is more strategic, cyber security creates value for the organization. In a way, the security operation is rescuing the organization from looking too much into assets and redirecting efforts into making the organization and its users a greater strength.
Encouraging Enterprise Mindset Shifts About The Cyber Mission And Talent
The first step towards forming and retaining a valuable security team is to build beneficial relationships. The relationships serve to identify stakeholders in the organization where you can share lessons learned to create greater confidence in risk-based decisions.
See Related: Attitudes About Security Need To Change
This visibility is essential for the CISO to build a security value chain across the organization. Best practices for overcoming fear, uncertainty and doubt (FUD) about security include:
- Leadership initiatives communicated through transparency and honesty; not scare tactics
- Utilize assessments to relate security requirements aligned with business goals
The demand for talent will continue to grow. Organizations need to get creative to source desirable qualities from internal candidates expressing an aptitude for investigating and conversations.
Cyber security cannot become a revolving door for investing in training that leaves for a better environment or benefits. Therefore, retaining talent is important. The transformation in mindset includes supplying employees with options like work from home, which requires solid work from home IT and security processes.
Current security leaders are encouraged to promote cyber careers through mentoring and training opportunities outside of work. The security leadership’s role in this process is to increase collaboration and generate awareness for future generations of cyber workers.
Having the open conversations of “let me help you- where do you want to go?” will have greater impact beyond additional certifications. The goal is to foster true career development within your cyber workforce.
Going Passwordless To Improve User Experience
A lot of time has been lost and a lot of tears shed working with enterprise users to create good cyber habits. But as an industry, the needle has hardly moved when it comes to authentication passwords. Word spread that an enterprise had gone passwordless, so CISO Exchange invited Stanford University CISO Michael Duff to share the school’s journey with the security leaders in attendance.
The university has more than 100,000 users on an annual basis. Students are typically on campus over 4 years and the decision was made to establish device-specific user certificates that remain valid for 5 years. For CISO Duff, the realization of creating a better user experience (UX) occurred when a user commented, “Not having to log in to VPN multiple times a day is life changing.” In fact, users are struggling with their UX in non-Stanford services that require remembering credentials.