This week, cybersecurity’s leading CISOs, academics, and thought leaders came together for our Transformational CISO Virtual Assembly to discuss digital transformation and security’s evolving threat landscape. In case you were unable to join us, check out our event highlights below!
Opening Keynote Address
Day one kicked off with an opening keynote on CISO best practices. Some of the key points discussed were:
- When things go awry: Admitting something bad happened takes professional courage. Thoroughly describe why it happened, and work on cultivating a relationship of trust with your board members.
- To pay or not to pay? The answer to that question depends on the impact the attack has on the business, its reputation, and the risk of data loss. It’s crucial that you deeply understand how ransomware works.
- How can you 100% protect yourself? In short, you can’t. You can mitigate risks by hardening your systems and knowing your endpoints, but 100% protection just isn’t realistic.
- Relationships and trust go a long way: Building relationships with your industry peers is a crucial aspect of leadership, and it can help you avoid, or at least be ready for, a “bad day” in cyber. Those connections give you a better understanding of your industry’s evolving threat landscape (hint hint…our next Transformational CISO Virtual Assembly is the perfect opportunity to build these relationships!)
- Cyber’s future relies on growing the candidate pool: It all starts with the younger generation, and investing in STEM education for K-12 is crucial. But what can we do today? Security leaders should become more flexible with their job requirements, and perhaps tap into non-traditional sources for recruitment.
On Zero Trust Implementation: For some, Zero Trust can mean starting AT zero. Mike Novak, CISO and VP of IT Security at HardRock Seminole, noted “It’s a marathon to get there.” But where can we start? Novak shared that a great way to jumpstart implementation is with your identity and access management (IAM). It’s important to audit who has access to what, understand who is joining and leaving the organization, and thoroughly segment your network. Having “too many cooks in the kitchen” can often be the demise of a security framework, and it’s important not to become overwhelmed by the “shiny, new technology” that is constantly being released. A key security measure is to implement MFA (multi-factor authentication) and SSO (single sign-on), as Zero Trust does not work well with shared accounts. When it comes to passwords, Novak recommends that, as tedious as it may sound, they should be changed every 60 days.
Mike closed out his session with these points:
- Invest in cyber posture instead of potentially paying out a ransom one day.
- Gather peer and executive support, as it will always serve you well in the long run.
If you are interested in implementing a Zero Trust framework in your business, Mike references Forrester’s guide as a good resource to rely on when starting this journey.
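The IAM starting point Novak describes (audit who has access to what, track who is coming and going, get rid of shared accounts, enforce MFA, rotate passwords) is easy to turn into a repeatable check. The script below is an added example written for this recap, not code from Novak, HardRock Seminole, or Forrester. It runs over a small constructed account inventory; the account names, group names (such as `domain-admins`), reference date, and thresholds are all hypothetical, and the 60-day password window is simply the figure quoted in the session, exposed as a parameter.

```python
"""Hypothetical identity-and-access audit over a constructed account inventory.

Flags the conditions called out in the Zero Trust session: shared (unowned)
accounts, principals without MFA, privileged accounts without MFA, stale
access (leavers who never left, joiners who never started), and passwords
older than the rotation window. Every record here is constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumption: these group names are hypothetical; substitute your directory's.
PRIVILEGED_GROUPS = {"domain-admins", "prod-db-admins"}


@dataclass(frozen=True)
class Account:
    name: str
    owner: Optional[str]        # None: no individual is accountable (shared account)
    groups: frozenset
    mfa_enrolled: bool
    last_login: Optional[date]  # None: never logged in
    password_set: date


def audit(accounts, today, stale_days=90, password_max_age_days=60):
    """Return a sorted list of (account name, finding) tuples."""
    findings = []
    for acct in accounts:
        privileged = acct.groups & PRIVILEGED_GROUPS
        if acct.owner is None:
            findings.append((acct.name, "shared-account"))
        if not acct.mfa_enrolled:
            findings.append((acct.name, "no-mfa"))
            if privileged:
                # Worst case for Zero Trust: admin rights behind a bare password.
                findings.append((acct.name, "privileged-without-mfa"))
        if acct.last_login is None or (today - acct.last_login).days > stale_days:
            findings.append((acct.name, "stale-access"))
        if (today - acct.password_set).days > password_max_age_days:
            findings.append((acct.name, "password-rotation-overdue"))
    return sorted(findings)


def access_matrix(accounts):
    """Who has access to what: group name -> sorted member names."""
    matrix = {}
    for acct in accounts:
        for group in acct.groups:
            matrix.setdefault(group, []).append(acct.name)
    return {group: sorted(members) for group, members in matrix.items()}


# Constructed sample data (hypothetical people, groups and dates).
TODAY = date(2021, 6, 15)
SAMPLE_ACCOUNTS = [
    Account("alice", "alice@example.com", frozenset({"staff", "domain-admins"}),
            True, date(2021, 6, 14), date(2021, 5, 1)),
    Account("bob", "bob@example.com", frozenset({"staff"}),
            False, date(2021, 6, 1), date(2021, 2, 1)),
    Account("svc-backup", None, frozenset({"prod-db-admins"}),
            False, date(2021, 6, 15), date(2020, 1, 1)),
    Account("carol", "carol@example.com", frozenset({"staff"}),
            True, date(2021, 1, 10), date(2021, 5, 20)),
    Account("dave", "dave@example.com", frozenset({"staff", "domain-admins"}),
            True, None, date(2021, 6, 1)),
]

if __name__ == "__main__":
    for group, members in sorted(access_matrix(SAMPLE_ACCOUNTS).items()):
        print(f"{group}: {', '.join(members)}")
    for name, finding in audit(SAMPLE_ACCOUNTS, TODAY):
        print(f"{name}: {finding}")
```

In practice the inventory would come from an export of your directory or identity provider rather than a hard-coded list, and each finding class maps to a concrete follow-up: shared accounts get an owner or are retired, privileged accounts without MFA are the first to fix, and stale accounts are cross-checked against HR joiner/leaver records.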
Improving Board Communication: Troy Wilkinson, Global Director of Cybersecurity Operations at Interpublic Group, shared, “To accomplish security, we need to get our financial stakeholders on our team, and in order to do that, we must learn how to communicate with them effectively.” Wilkinson understands that translating technical information for your board is one of the most challenging, yet crucial, aspects of the CISO role.
He shared these tips on building a strong relationship with your board:
- Create a two-way dialogue with board members, and foster an environment of trust.
- Ensure that your message reaches members with technical AND non-technical backgrounds.
- Always illustrate how you are reducing risk in a monetary sense.
The Difference Between Compliance & Readiness: Alvin Plater, CISO at the Department of the Navy, described compliance as “meeting various controls to protect the confidentiality, integrity, and availability of your data,” whereas readiness is the “ability to securely deliver business information to the right hands at the right time.” Plater argued that cybersecurity leaders must invest in Zero Trust principles and make cybersecurity a priority within their organizations. At its core, cybersecurity is a commitment to readiness that reduces the likelihood and severity of an attack, and that readiness consists of two critical elements: cyber intelligence and cybersecurity strategic alignment.
CISO Keynote Panel
“2021’s New Normal: Adapting in the Face of Evolving Workforce Conditions”
Eric Johnson, Dean at Vanderbilt University Owen Graduate School of Management led our Day 2 panel discussion on how CISOs are adapting to the new workforce in 2021. Panelists included Sujeet Bambawale from 7-Eleven, Stephen Davis from Revlon, Gary Eppinger from CSX, and Elizabeth Ogunti from JBT Corporation. The group shared their experiences and insights on hiring processes, response plans, third-party security, and awareness education.
Some key takeaways:
- Rank your vendors by risk factors and implement testing and validation techniques.
- Start treating the risk of your vendors the same as the risk in your own organization.
- Instead of having response plans focused solely on IT, develop plans that extend into the wider business.
- Visibility is key: understand where your data is and the impact it has on your business.
- Educate your organization’s customers on your security measures. Give them a platform to ask questions about what you’re doing to keep their data safe, and manage expectations for both security and privacy.
- Covid-19 has inspired collective intelligence, which means you should share with the community what behaviors you’re flagging. Holding back this information is not going to help you or anyone else – cybersecurity leaders are all fighting a common enemy.
- Hiring from the industry is inorganic, whereas supporting development of in-house talent is organic. We should assess for genuine interest and follow the talent instead of staying within confined perimeters.
Check out what is new with our Solution Providers
AT&T Cybersecurity | BeyondTrust | Fortinet | Qualys
Until Next Time…
Don’t miss out on the next Transformational CISO Assembly. Go here to request an invite for the November 9-10 Assembly!