What to Protect When You Can't Protect Everything?
Kelly Kitsch, Advisory Director of PwC
Unlimited funds don't come unless you have a massive breach - and we'd all rather it not get to that.
Threats are complex and ever changing, so we have to be able to adjust how we protect our assets. Assets can be strategy related, branding, in-progress patents, physical, etc.
Traditionally, people focus on perimeter security, but we need to really think about our high-impact assets.
The focus in the last few years has been on compliance - but compliance alone does not make you secure.
There is a new Economic Impact Analysis Methodology. The first phase is threat modeling; the second (related) phase is identifying your critical assets, both physical and intellectual.
CIA: Confidentiality, Integrity and Availability. Use these three properties to assess your risk for each asset.
Once you've identified the most critical assets, and can justify why they are so important, it will be easier to get funding.
Security and Privacy by Design: Moving from Concept to Implementation
Madhu Gupta, Head of Member Trust and Security Products of LinkedIn
How do we do this better when we build something from scratch? You know, for the next time we start a project.
At LinkedIn, they think of their guiding principle: Members First! The three important values are clarity, consistency and control - and most importantly: trust.
Everyone at the company must understand that they are accountable for security and privacy. Look out for new features being launched, and make sure we have the right privacy controls before they launch.
How do you do this?
- Integrate security and privacy into product requirements
- Hold office hours so people can ask you questions
- Review our plans at product reviews
- Embed security champion engineers
- Share externally
And when people do it right - make a t-shirt! Motivate and share your success.
Let the Games Begin (Cyber Security)
Linda Betz, Chief Information Security Officer of Travelers
Linda has to worry about strategic things AND worry about delivering. :-)
What's the game? Everyone wants to hack YOU. So, as CISO, it's important to minimize this and make it not as bad when it happens. You need to find and resolve incidents quickly.
This is expensive - the average cost of a breach is between $3.7M and $5.5M.
What tools do your opponents use?
They could be state-sponsored actors, paid to rain down malware on top of you.
It could be an insider - whether placed as an attacker or just careless.
What are they after? Personally Identifiable Information? Intellectual property? Or perhaps simply seeing if they can do it. We also see denial of service - like a boycott, except the attacker is deciding that NOBODY can do business with you.
You have tools, too! Apply patches, use security toolkits, set tripwires, etc. You need to understand what's happening on your network - use analytics, etc.
Leverage the NIST Cybersecurity Framework to help guide you.
Make sure you and your team have all the training you need for various certifications.
When things go off the rails, you can bring in the FBI, regulators, cyber incident response companies and even lawyers.
Post by Valerie Fenwick, syndicated from Security, Beer, Theater and Biking!