Data breaches and serious cyber security incidents are becoming ever more common and persistent for businesses, across an expanding attack surface. With wide-ranging legislative changes such as the European General Data Protection Regulation (GDPR) being ushered in, it has never been more important for organizations to take cyber security seriously.
It is in this climate that CyberProof attended the IT Security Analyst and CISO Forum in London, meeting with like-minded security professionals to discuss the issues that will come to define our industry in the months and years to come.
Among the most interesting elements of the two-day cyber security event was a CISO panel discussion featuring CISOs from a broad range of industries, including money transfer services, technology manufacturing and pharmaceutical production. The panel presentation, titled “What is good security anyway? CISOs top tips on what makes a company secure”, offered a wide-ranging set of insights from the people responsible for the security of globally recognized brands.
A single theme which ran through the debates was the need to properly educate and inform board members and senior staff about cyber security threats. “Educating your seniors that [in terms of security] failure could be an option is vital. A company can be in a bad situation in terms of security, but if it responds appropriately in terms of leadership, planning and PR, it’s entirely possible to pull back from a serious incident. A bad security person during an incident I can deal with; a bad PR person I cannot,” one CISO suggested, adding that security teams should “celebrate near misses - even the ones that were pure luck, as opposed to skill. This level of honesty will help your seniors to appreciate the work you’re doing, and to open a dialogue.”
The CISOs also waxed lyrical on ways to foster an appropriate culture, with warnings to ‘expect a breach’ dominating. “If you expect a breach, you can plan for it, which allows you to then manage expectations,” one of the CISO panel participants suggested. “If you can get the culture of a company right, you can teach your security teams that it is okay to screw up – people screw up all the time; you’ll get more points for telling someone you’ve screwed up than for hiding something.”
The panel participants also allowed themselves a (very small!) moan, suggesting that the metrics used to measure security were in many instances a waste of time. “Security metrics are difficult, as it’s harder to prove a negative than a positive,” one said, with another adding: “The total number of incidents metric, I hate. It can be adjusted by taking people out of the SOC, with a negative impact on security. Concentrate instead on measuring things you can control, and speaking in their language. The board are unlikely to be wowed by your technical prowess!”
As security becomes ever more crucial to everyday business function, these conversations become all the more vital, as does the need for CEOs and CISOs to understand the full picture of their security investment.
All in all, the panel provided invaluable information for attendees on the inner workings of security teams at the highest level: how to convey complex ideas and information appropriately, and how to respond when things go wrong.
For an in-depth look at how CyberProof processes, correlates, analyzes and matches the vast flow of data to detect Indicators of Compromise (IoCs), maps them to threat vectors and triggers customized Incident Response (IR) playbooks, download our whitepaper, Using AI and Automation to Protect your Critical Assets.