5 Insights Surface From CISO Exchange West

From physical attacks and ransomware to infosec, vendor accountability, and more

Esther Shein
03/25/2019

Heads of IT security recently convened in San Diego, Calif., for the CISO Exchange West to reflect on the strategic issues and priorities that are top of mind for cyber security professionals and CISOs alike. While the event offers a variety of different learning styles and formats — such as BrainWeave® discussions, master classes, roundtable discussions and business-to-business meetings — there certainly is no shortage of key learnings, case studies and networking opportunities.

As such, we pulled together 5 quick insights that surfaced from the main stage. And while we are gathering more event coverage over the next couple days (stay tuned for more CISO Exchange content), here is a quick snapshot of some of the themes and priorities worth highlighting:

  1. Vulnerabilities in our software will enter the physical world.

“People used to refer to information security as the Rodney Dangerfield of IT — we got no respect. We’re now in a situation where those vulnerabilities we’ve seen in our software are going to be in our physical world,” said John Kirkwood, VP, Information Technology, Chief Information Security Officer at Albertsons-Safeway.

Examples include ransomware on autonomous cars, or going to the doctor and seeing a note that says unless you give a hacker money, your pacemaker will stop working. “I think the world will have newfound respect for InfoSec people now. Because we know how things work.”

  2. Security needs to be an integral piece of the business process.

When bringing tools in, you can’t just focus on what’s in your physical environment; you have to look at entire toolsets. If anyone thinks you have a meaningful perimeter, you need to wake up: you can’t just look at what you have internally, but also at what your providers and partners have, according to Kirkwood.

  3. Cyber security professionals need executive sponsorship.

At his previous company, Vaughn L. Hazen developed a program to ward off network attacks. “You’d think someone would get excited about that,’’ he recalls, but IT didn’t get any pats on the back. The reason, says Hazen, now director of IT security and CISO at Arizona-based mining company Freeport-McMoRan, is officials didn’t have executive sponsorship.

This is always critical for anything your IT and security organizations run, says Hazen, speaking on the topic “Thwarting the Threats: Insights into Hardening Humans and Machines.” “If you don’t have that, it doesn’t matter what you do. The way to get that is to communicate.”

  4. Enterprises must have security technologies and processes that work together.

How much pressure should you put on the vendors you work with to have products that integrate with your ecosystem? “If you still want us as a customer in two or three years, fix it,” says Chris Wolski, CISO of furniture maker Herman Miller. He says he’s been successful at using that approach to facilitate quite a few changes. But sometimes it’s a good idea to go with a young, proven product, Wolski adds. It behooves smaller vendors to work with you, because if you’ve got an issue, chances are someone else has it, too.

Orchestration is not just about the technological capabilities and automation but having processes in place so that systems work together. “For me the key is having a SIEM. Bringing [everything] together and allowing my help desk to have a quicker response,” Wolski says, speaking on “Effective Orchestration of Security to Minimize Breach Impact.” While lots of companies have orchestration software, Wolski says he doesn’t and has to make do with what he’s got. “But I can’t do it without SIEM.”

  5. Privacy champions can help to build security awareness.

Two years ago, legal was focused on privacy. Now there’s more involvement by operations. Build privacy champions across the organization who can report back, act as your mouthpiece, share what needs to happen and build awareness, says Kevin Kiley, VP at OneTrust, speaking at #CISOExchange.

See Related: “CISOs Gather To Collaborate On Security Strategies”