DAY TWO: Gartner 2018 Security & Risk Summit Conference
Yesterday, the Gartner Security conference at National Harbor, Maryland saw a packed hall for the keynote speech: Sailing the Cyber Sea, by retired Admiral James Stavridis. The Admiral was commander of United States European Command and NATO Supreme Headquarters, Allied Powers Europe (2009 to 2013).
He kicked off immediately with the nautical theme – the cyber world is like an ocean, a vast space, very important to the economy. But there the analogy ends, because our cyber ‘ocean’ is expanding at breakneck speed: there are 20 billion connected devices today and an estimated 50 billion in some 5 years’ time.
The Admiral puts cyber threats into three big baskets: nation states, hacktivists and terrorists, and cybercriminals. Activity in all three is growing faster than we can keep up.
He touched on the increasingly bold cyber aggression of certain nation states and recommends that, like China, the USA should add a cyber-force to its military structure. Cybercrime is already characterized by ever-increasing scale, with something like one in 60 of the world's population affected in some way. And terrorism? It’s primarily funded, facilitated and exported via cyber activity.
The admiral shared a personal story of how his 16-year-old daughter’s Facebook account was hacked – and used this to illustrate how, of all the threats we face in the modern world, only cyber threats encompass absolutely everything, from the highest national strategic levels to the most minute but important details of our personal, private lives.
What are his pointers for the future? Education is crucial, starting as early as possible. Security self-evaluation is important for us all, whatever our position in society. Sharing information is key to effective deterrence. Partnerships between government and private organizations must lead the way.
Cyber insurance also must rapidly mature to mitigate the huge risks ahead. Taking up Gartner’s theme, the Admiral stresses our need for resilience to recover from inevitable attacks.
To conclude, the Admiral gave us an analogy using the cheetah - uniquely built for speed, except for its long and heavy tail, which provides the balance to turn corners and adjust direction at the highest speeds. We have to design our high-velocity cyber world the same way, to be able to adapt and change course at great speed, but never lose our balance.
Back on dry land, the big theme of this Gartner conference is CARTA – Continuous Adaptive Risk and Trust Assessment. Woven into every presentation I’ve attended, it is the fundamental shift in mindset where the binary view of good and bad is no longer adequate for the security environment. We’ve got to deal with a duality of conflicting aims: safety versus freedom.
Zero trust is best - but to get digital business done, we have to trust. Risk in digital business is changing all the time and building higher gates is no longer the answer. Detection and response capability is a step in the right direction but not enough. Organizations have to anticipate and preempt attacks.
They have to ‘shift left’ on the Gartner model – do risk evaluation of new business, examine vulnerabilities in partners and in procurement, and provide clear governance and strategy – in short, integrated risk management. Risk prioritization is imperative to avoid drowning in data. Only a very small percentage of vulnerabilities actually get weaponized, so a more flexible approach to vulnerability assessment works. To quote Voltaire – the best is the enemy of the good – and the goal of the organization is not to be the best, but to be continuously good.
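To make the prioritization point concrete, here is a small Python model I have added for this write-up; it is not code from the conference, from Gartner or from any vendor. It scores each finding by severity scaled by evidence of real-world exploitation and by exposure, rather than by CVSS alone, so that a critical-but-unexploited internal finding can legitimately sit behind a medium finding that is being actively exploited on an internet-facing system. The weights, the thresholds and the findings (including the CVE-0000-000x identifiers) are constructed placeholders, not real data.

```python
"""Risk prioritization sketch: severity x exploitation likelihood x exposure.

Added illustration for the 'continuously good' point. All weights and sample
findings below are constructed assumptions, not a published scoring standard.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class Finding:
    cve: str                 # placeholder identifier, not a real CVE
    cvss: float              # base severity, 0.0 to 10.0
    asset: str
    internet_facing: bool    # exposure: reachable from outside the perimeter
    exploited_in_wild: bool  # evidence of active exploitation (e.g. a known-exploited list)
    exploit_public: bool     # public exploit code exists but no exploitation seen


def risk_score(f: Finding) -> float:
    """Scale CVSS by how likely the weakness is to actually be weaponized
    against this asset. Weights are assumptions chosen for illustration."""
    if f.exploited_in_wild:
        likelihood = 1.0
    elif f.exploit_public:
        likelihood = 0.5
    else:
        likelihood = 0.1          # most findings: no exploit, rarely weaponized
    exposure = 1.0 if f.internet_facing else 0.4
    return round(f.cvss * likelihood * exposure, 2)


def prioritize(findings: Iterable[Finding]) -> List[str]:
    """Return finding identifiers ordered from highest to lowest risk."""
    ranked = sorted(findings, key=risk_score, reverse=True)
    return [f.cve for f in ranked]


def triage(findings: Iterable[Finding],
           fix_now: float = 5.0, schedule: float = 1.5) -> Dict[str, List[str]]:
    """Bucket findings so a team with finite capacity knows what to fix first,
    what to schedule, and what to monitor rather than chase immediately."""
    buckets: Dict[str, List[str]] = {"fix_now": [], "schedule": [], "monitor": []}
    for f in sorted(findings, key=risk_score, reverse=True):
        s = risk_score(f)
        if s >= fix_now:
            buckets["fix_now"].append(f.cve)
        elif s >= schedule:
            buckets["schedule"].append(f.cve)
        else:
            buckets["monitor"].append(f.cve)
    return buckets


# Constructed sample inventory (placeholder identifiers, not real CVEs).
SAMPLE_FINDINGS = [
    Finding("CVE-0000-0001", 9.8, "internal-db",   False, False, False),
    Finding("CVE-0000-0002", 7.5, "public-web",    True,  True,  True),
    Finding("CVE-0000-0003", 8.1, "public-api",    True,  False, True),
    Finding("CVE-0000-0004", 5.3, "hr-fileshare",  False, True,  True),
    Finding("CVE-0000-0005", 9.1, "build-server",  False, False, True),
]


if __name__ == "__main__":
    for cve in prioritize(SAMPLE_FINDINGS):
        f = next(x for x in SAMPLE_FINDINGS if x.cve == cve)
        print(f"{cve}  cvss={f.cvss:<4} score={risk_score(f)}")
    print(triage(SAMPLE_FINDINGS))
```

Run as a script, the CVSS 9.8 internal finding with no known exploit lands at the bottom of the list and in the "monitor" bucket, while the actively exploited CVSS 7.5 finding on the public web server is the only "fix now" item. The exact weights are not the point; what matters is that the ranking is driven by evidence of weaponization and exposure, which is what allows a team to be continuously good without trying to close every finding at once.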
What else caught my attention? An interesting presentation on Managing the insider threat: Why employee monitoring is no longer taboo. The takeaway was that intervention in the workplace is not a simple black and white issue. An employer needs to protect business interests in an appropriate way, but employees need to feel trust and confidence, and to feel valued. Even in this sphere, where security is largely a human resources issue, the CARTA approach was advocated. Monitoring can be appropriate when an employee is displaying the kind of behavior patterns which often precede a security breach. But the standards must be set and communicated by good governance.
The final keynote of the day, A rant against solutionism: A plea for duality, was not on the topic of security as such, but still tied in perfectly to the overall message communicated so far at the conference. Duality – a set of opposing forces that work together towards a common goal.
We all want the benefits of unrestricted, free digital business and the reassurance that business is conducted safely. So, we have to implement systems and practices that enable both.
Speaking of duality, I am off to prepare my presentation: The Top Six Things a CISO Needs to Balance - tomorrow at 09:15 am, see you there! There is so much more to discuss and so little time.