“Building Defensive Security Programmes”: CISOs gather to discuss New Year challenges

Carbon Black recently held a senior-level round table discussion to debate the security challenges facing organisations and how best to build defensive security programmes in 2018. The event was held at The Stafford Hotel in central London on Thursday 7 December and attended by more than 20 Chief Information Security Officers (CISOs) from numerous enterprise organisations. The conversation ranged from the Internet of Things (IoT) to blockchain and on to the EU’s General Data Protection Regulation (GDPR) and the need to educate everyone from primary school right up to CEO level about the consequences of poor personal security.

Leading the discussion was Rick McElroy, security strategist from Carbon Black, with support from Rob Preedy, major account manager with the endpoint security platform specialist. McElroy began the discussion with his Top Three security predictions for 2018. First, he talked about an increase in nation state cyber attacks and how Russia will engage in more ‘cyber electioneering’. Malign nation state actors now have the ‘playbook’ and they know what to do in order to affect elections in the West.

McElroy went on to state that if you have a system connected to the Internet, then you’re part of ‘cyber warfare’ to some degree. Attackers will not go straight to an organisation. Rather, they’ll use ‘nested hacking’ of specific people to access the data. There will also be a lot of social engineering designed to spread disinformation in order for hackers to destabilise target countries.

Second, ransomware will continue to be a major problem as it becomes more targeted by looking for certain file types and focusing on specific companies such as those in the legal and healthcare sectors rather than the ‘spray and pray’ attacks we see now. In fact, ransomware developers are refining this malware to make it more effective.

McElroy’s final prediction focuses on the rise of ‘offensive’ Artificial Intelligence (AI). AI will be increasingly used by cyber criminals to carry out attacks on infrastructure. “2018 will be the year in which we see attacks using machine learning to outwit security systems,” observed McElroy. “Some people working on AI may be tempted to cross over to ‘The Dark Side’ and use their knowledge for illicit gains.”

Importance of data

The discussion group talked about how data breach notification will become more prolific and, with the GDPR coming into force in May, the security of data is going to be a big concern. The discussion moved towards insider threats and understanding what staff are really doing with data versus what they should be doing. McElroy added: “We should look at the data we’re processing and ask the question: ‘Is it safe?’”

The group also discussed how the IoT will be the cause of big disruptions in the year ahead, with McElroy commenting: “Today, staff are trying to cope with securing thousands of devices. Now, with the IoT, they will have to secure tens or perhaps hundreds of thousands of devices, or even millions of them. Most will have to do so with no extra resources at their disposal. This is going to be a continuing challenge.”

The group agreed that the changing world of work will have an immense impact on security. CISOs will not only have to look after IT security, but also operational and physical security, together with the knock-on impact this has on managing staff expectations.

One participant stated: “In the past, an employer would give a device to an employee who would then use it for work purposes only. Now, devices are commodities that we employ for all sorts of communication. As a result, we have a variety of connections and the lines between work and personal have become extremely blurred.” 

Impact of the GDPR

Rick McElroy of Carbon Black


The conversation delved deeper into the GDPR, with one participant commenting that there’s no silver bullet that will make an organisation compliant. “You cannot solve the GDPR issue by merely buying a solution. As an industry, we need to reach a point whereby we actually provide the relevant information to help organisations become secure.”

McElroy agreed, and said that there are a lot of vendors jumping on the GDPR bandwagon and chanting the mantra “Buy us and we will do everything” which is creating a great deal of confusion. “As an industry, we need to start working together because it’s not only the increasing domestic regulation with which we have to contend. The number of regulators across countries whom we must satisfy has risen exponentially.”

Securing the supply chain

This brought the conversation around to third party risk and trust in the supply chain. One participant talked about using cloud providers and asked how far down the data chain an audit can realistically reach, and how one can sign off on that risk. Another participant described adding 600 new people to the organisation and asked how, with this sort of explosive growth, they could assure all of that data back to customers.

The group discussed the need to undertake deep research on suppliers. One participant talked about using a security scorecard to generate a security rating for supplier organisations. Others around the table agreed, although one individual added: “I had a case in France where the organisation’s server was in a wine cellar with a plywood door, and under a big water pipe and drain. I recommended we take on that supplier on the grounds that I didn’t believe anything would go wrong. Not a normal circumstance. We did ask them to make improvements, but culturally I felt the organisation was right for us.”

This raised the question: ‘Do you build security improvement in as part of the contract?’ Most agreed that oversight around continuous security improvements was expected in supplier contracts in tandem with shared common assessment frameworks. Risk must always be assessed with suppliers. In particular, if a supplier incurs a breach, or even folds, what’s the risk associated with this? It was agreed that, for suppliers, a strong cyber security policy represents a real competitive advantage.

The importance of culture and finding the right fit was felt to be equally important. One participant observed: “I would make light of the box-ticking exercise and focus on whether the culture is right. Do I want to do business with them?” That said, he did agree that the box-ticking allowed you to gain a view of the organisation and ‘cherry pick’ those that you then want to meet. “It’s a ‘Starter for Ten’, but as soon as I walk through the door of an organisation this informs my opinion and whether I want to work with that particular outfit.”

Creating a threat hunting culture

The conversation then turned to threat hunting and how teams go out and actively look for threats. The group talked about how you install a threat hunting culture within an organisation. One participant stated: “Despite all of the expensive kit that organisations buy, in most instances that I’ve dealt with someone saw something weird. That’s why a security culture is so important.”

The group talked about the importance of a reward culture. When there’s a list of activities that staff have to undertake, they might not embrace some of the security practices because it’s not their primary job and they’re not incentivised to do so. Therefore, do you create a culture whereby you reward them for identifying a threat?

One participant in the discussion talked about the fact that they’ve introduced forfeit cards. “If someone leaves their laptop unlocked then they have to make the IT team a cup of tea. It’s all about educating the organisation, from the CEO through to the receptionist.”

McElroy agreed and added: “Organisations that I’ve been in with a longstanding CEO are tough to change. Age plays a part, and where you grew up also plays a part. Where I’m from, everyone is more aware of the risks associated with technology and will change their behaviour. However, for the longstanding C-Suite individuals who don’t immediately grasp technology, you have to spend time educating them until they do.”

Role of blockchain

The conversation moved to the role and future of blockchain. One participant talked about money laundering and how blockchain is being used to enable this, adding: “You can buy cryptocurrency. This isn’t classified as legal tender so it doesn’t fall under any regulation.”

The conversation focused on how blockchain could be applied in the healthcare sector for medical records as well as for the management of birth certificates, passports and other systems. Participants described how digital records could be lumped together into ‘blocks’ and then bound together ‘cryptographically’ and chronologically into a chain and how this might be advantageous. Questions around how you give authority in terms of who sees what were raised, and whether this meant that bad actors could end up with a whole identity link via blockchain.

Will the GDPR create loopholes for bad actors?

The discussion then reverted back to the European Union’s GDPR and requests for erasure, with one participant suggesting: “If I can request for my data to be deleted, are we going to end up with incomplete data sets? Will this become problematic? A bad actor might make a formal request to delete data and we could then lose out from a threat intelligence perspective.”

The group accepted that the GDPR could create such gaps, but noted that this is not inevitable: under the GDPR there are a number of different lawful bases for processing that organisations can rely on in order to retain data.

Enforcing more robust compliance

The conclusion around the table was that the GDPR will enforce more robust compliance, but it could also create new vulnerabilities. As organisations start to prepare for its introduction so too will the hackers. They will not wait until May. Rather, they’ll be creating new exploits right now.

McElroy concluded by advising: “You need to be asking ‘Where are my blind spots? What don’t we know and how do we drive visibility into these areas? What’s my control inventory and how am I dynamically tracking this? What data do I have and how are we managing this data? There are programs you can use to scan and understand how you’re using data. Finally, are we creating a barrier to entry for start-ups? How do we help the smaller organisations? Crucially, how do we educate the masses to take their personal security more seriously?”

About the Author
Brian Sims BA (Hons) Hon FSyI, Editor, Risk UK (Pro-Activ Publications) Beginning his career in professional journalism at The Builder Group in March 1992, Brian was appointed Editor of Security Management Today in November 2000 having spent eight years in engineering journalism across two titles: Building Services Journal and Light & Lighting. In 2005, Brian received the BSIA Chairman’s Award for Promoting The Security Industry and, a year later, the Skills for Security Special Award for an Outstanding Contribution to the Security Business Sector. In 2008, Brian was The Security Institute’s nomination for the Association of Security Consultants’ highly prestigious Imbert Prize and, in 2013, was a nominated finalist for the Institute's George van Schalkwyk Award. An Honorary Fellow of The Security Institute, Brian serves as a Judge for the BSIA’s Security Personnel of the Year Awards and the Securitas Good Customer Award. Between 2008 and 2014, Brian pioneered the use of digital media across the security sector, including webinars and Audio Shows. Brian’s actively involved in 50-plus security groups on LinkedIn and hosts the popular Risk UK Twitter site. Brian is a frequent speaker on the conference circuit. He has organised and chaired conference programmes for both IFSEC International and ASIS International and has been published in the national media. Brian was appointed Editor of Risk UK at Pro-Activ Publications in July 2014 and as Editor of The Paper (Pro-Activ Publications' dedicated business newspaper for security professionals) in September 2015. Brian was appointed Editor of Risk Xtra at Pro-Activ Publications in May 2018.
