5 Takeaways From The Cyber Security Exchange

Dan Gunderman

IQPC’s Cyber Security Exchange, held from Dec. 4-6 in Fernandina Beach, Fla., brought together some of the most impressive minds in cyber security.

Attendees included CISOs, who deploy various defense mechanisms to safeguard their networks, and vendors, who outlined cutting-edge new products that help secure email and mobile apps and improve both incident response time and additional critical security components.

The conference not only brought together astute security professionals, but also helped establish best practices for enterprise security – as anecdotal evidence accumulated and roundtable discussions spurred a number of defense strategies.

Whether it was in an hour-long masterclass or a “quick fire” session, there were certainly common themes throughout the event. What follows are five takeaways from the three-day conference:

Cyber Threat ‘Velocity’

In a space where threats morph, evolve and encroach upon various parts of the defense “perimeter,” there does seem to be at least one given fact that’s staying put – and it’s a consensus that cyber security practitioners are quick to point out. That is: the sheer frequency and ferocity of cyber threats.

The year proved to be both challenging and enlightening to enterprise security professionals, as threats knocked on almost every enterprise door; and yet an inundation of media coverage prompted more cyber security discussions in boardrooms and amongst the C-suite.

Presenters at the Cyber Security Exchange at the Omni Amelia Island Plantation Resort acknowledged the speed and trajectory of threats. Many of them pointed to other presentations about certain shapes and sizes of current threats. To be clear, there was no debate as to whether cyber incidents create a conundrum for a business unit. They do.

From phishing campaigns, to various strains of malware – including the much-maligned ransomware – and privileged access or human error, these hazards can all disable critical functions, equating to shaky profits. Before an enterprise’s security “posture” is adjusted in any way, the face of emerging threats must be acknowledged.

The Hiring Dilemma

Another common theme surfacing during the IQPC conference was the glaring – and utterly worrisome – skills gap/talent crisis taking hold in the industry. While specific sessions were dedicated to both the hiring and training processes, almost every cyber security budget holder/practitioner acknowledged the challenges that come with understaffing.

This snowball effect is no doubt harmful to the enterprise as it draws into question both productivity and vulnerability, pulls active IT pros into wider or more time-consuming roles and has the potential to leave behind sizable gaps in a network.

The systemic issue deals with both manpower and the career path. It is a matter of both training and culture, and even the grooming process. That is, IT security as a whole has much work to do in training its students at a younger age, fostering more hands-on growth at the university level and retaining top talent.

Despite the wishful thinking, job vacancies in cyber security appear to be rising – and will continue to do so into the 2020s.

Risk As Strategy

Acceptance, communication and preparation appear to be “risk” challenges for the practicing cyber security professional. That is, acceptance of it and its potentially debilitating threat to the enterprise, communication of it within the IT department and in the boardroom, and factoring it into business continuity plans.

On a technical level, CISOs and their teams must be prepared for a wealth of incidents. To do so, some legwork is required: research, awareness, and acknowledgment of said risk.

Furthermore, the security-minded professionals must be able to communicate the threats to not only their team, but also the boardroom, so companies can aptly prepare or determine which legs of the enterprise are particularly vulnerable.

Some of this can be mitigated with thorough business continuity management (BCM) and even additional measures like cyber insurance. Yet, the practitioner cannot be lax in his or her duties, for risk is a perennial component of any modern business.

Mobile Security Woes

As more businesses go mobile – undertaking sweeping initiatives to put devices in the hands of employees – more and more risk factors and attack vectors emerge.

Just like the PC before them, mobile devices are susceptible to attack – whether it’s in the app store, on the code level, on mobile browsers, in embedded apps, in phishing attempts to the inbox, etc. Mobile security is a new front that practitioners have to both monitor and traverse.

Full comprehension, it seems, comes from acknowledging the potential for attack (including attacks centered on IoT devices), maintaining visibility and accounting for all the endpoints on a network. Nonetheless, mobile security will continue to be tough to pinpoint as technology improves and mobile devices grow in number.

Phishing Trips

Most IT security budget holders and vendors appear to agree that a startling number of attacks begin at the email and messaging stage. That is, phishing campaigns are delivered to email addresses – which hackers hope will slip through the cracks – or hosted on a website in a format that appears to be authentic.

Many breaches at the enterprise level still begin with an employee clicking into a harmful phishing email – which might contain strains of malware, or steep ransomware demands. CISOs and other security professionals are cognizant of this, and appear to have focused on email security and anti-phishing efforts in recent years. Yet, the attacks persist.

A way to mitigate the threat, it seems, is both to have strong email filters and quarantine tools and to have staffers take part in various IT training sessions throughout the course of the year.

For more from the Cyber Security Exchange, see our Day 1 Roundup and a thorough recap of Day 2.