Enterprise security is Trainer’s biggest practice, so the RSA Conference in San Francisco is an important show for many of our clients. It’s also the site of one of Trainer’s biggest events of the year. At Lulu’s Café last week, just around the corner from Moscone Center, we invited leading CSOs, members of the press and security practitioners to discuss the hottest topics in cybersecurity today at an event we call Security Never Sleeps.
Now in its fifth year, Security Never Sleeps was moderated by Deb Radcliff, executive editor of SANS Research Institute. The panel included Brent Bigelow, security architect of Cardinal Health; Michael Kern, principal information security officer of US Bank Consumer Banking Division; and Renee Guttman, vice president of information risk management of Accuvant (recognized by many as the former CISO of Coca-Cola, vice president of information security and privacy at Time Warner and information security architect of Capital One). Press panelists included Financial Times’ security reporter Hannah Kuchler and Dark Reading’s editor-in-chief Kelly Jackson Higgins.
Following this year’s RSA Conference theme, “Change: Challenge Today’s Security Thinking,” we discussed topics including the changing role of the CISO and shifting dynamics for security professionals inside enterprises, as well as cloud, mobile and IoT security; threat intelligence; and data-driven and behavior-based analytics.
The first topic we raised isn’t new to security professionals; it is commonly discussed at events like this. The panelists were asked, “What Keeps You Up at Night?” The best response, because it sums up the issue so succinctly, was from Brent: “We think we’re doing a good job, but until we get breached, we don’t know.” This perspective is shared by many CISOs. They hold the responsibility of keeping the company’s data safe, including intellectual property, customer data, employee data and private employee communications, and that is becoming increasingly challenging. Today there’s a magnifying glass on insider threats (ever since Snowden), data breaches (since Target) and healthcare data (Premera Blue Cross). And today we live connected lives; everything is digital, from homes and cars to the industrial IoT.
Next the panelists were asked, “What Are the Biggest Security Concerns of 2015?” Cloud and mobile have been top concerns in past years, and what we learned this year is that, along with IoT, cloud and mobile security continue to rank high on the list. Brent named lack of visibility as a reason these areas remain challenging for security professionals in today’s borderless enterprise. With regard to BYOD, Michael said that despite the challenges, “We’re not going to stop people from using personal devices. They enable us.” Other panelists noted that both BYOD and Shadow IT, despite their challenges, often provide organizations with more productive employees – and there are no line items for devices and monthly fees, which makes the CFO happy. Brent also noted that finding quality security practitioners is another top concern, as companies are “taking from a shallow well,” oftentimes from each other, referring to the dwindling base of security professionals.
Digging further into IoT and wearables, Michael stated that “smart devices are open gateways” for cybercriminals. However, Hannah made the point that despite evidence of hacks, there has been no report of real damage yet. Renee noted, “As a security professional, I don’t want to make (security) decisions by myself. I want to talk to HR and others. It takes a village.”
Speaking of villages, we next dove into another hot topic at this year’s RSA Conference – threat intelligence. Some vendors are providing custom feeds and intelligence from honeypots, some are feed aggregators, and others are providing platforms that risk-rank the highest priorities, then automate updates with security tools such as SIEMs and firewalls. During a breakfast hosted by IDC at the W Hotel, IDC analyst Christina Richmond revealed the latter is now being called middleware. Kelly called out incident response and actionable intelligence as what security professionals care about most with regard to threat intelligence.
During the past year, at RSA Conference and also at Security Never Sleeps, one debate that has generated many different views is about public- and private-sector sharing of threat intelligence. This debate has been gaining even more momentum since President Barack Obama’s comments during the State of the Union Address in January and his visit to Stanford in February for the Cybersecurity Summit. Michael called out that this debate has already been in existence for a long time. Kelly also noted that different industries are at different stages. Renee was excited about healthcare-related threat sharing. Hannah expressed her desire to hear more about international threat sharing, which to my recollection was only discussed briefly in January, when President Obama and British Prime Minister David Cameron announced U.S.-United Kingdom cybersecurity cooperation. This discussion ended with Brent posing the question, “How much sharing is enough, and will it hurt us in the end?”
Another hot topic at this year’s RSA Conference has been Big Data-driven analytics for security and behavioral threat detection. Michael joked about the term Big Data and noted that he is coining the term “quasi-data.” He added that “everyone has a data problem,” pointing out that enterprises should be trying to identify the problem before trying to find answers with Big Data. Brent added, “We’re overwhelmed with data because we can’t consume it. We’re not mature enough to handle it. We’re drinking from the firehose. We can’t handle it operationally.” He added that to be effective, it will “take some investment from the organization operationally.”
The final thoughts came from Kelly and Renee. Kelly stressed the importance of families and communities, and said, “we are in this together.” And Renee offered, “kids are easily the victims of tomorrow.”
If you’re interested in becoming a Trainer Communications client or being added to the guest list for future events, or if you have any questions, please feel free to reach out: firstname.lastname@example.org.