Now that we are a few months out of RSA Conference 2018 and the summer months are upon us, we want to revisit the report that Wade Baker of Cyentia Institute, a member of the RSA Conference Advisory Board, compiled earlier this year examining more than 15,000 speaking submissions to RSA Conference over the last decade.
Many of you have likely seen the report, or perhaps glanced at the blog post examining the data. Now we want to ask what it all means. IoT, ransomware, DevOps, blockchain... what's next? How can we learn from this, and what are some best practices moving forward for an industry practitioner, whether to bring knowledge back to your company or simply to brush up on general best-practice tips?
For that, we spoke with Emma Smith, Group Technology Security Director at Vodafone Group Plc, during RSAC Unplugged London in June to get her thoughts on what keeps her up at night in the ever-changing landscape of the cybersecurity industry.
Q: What are your basic security hygiene recommendations?
A: Security hygiene is not something everyone gets excited about, as most people would rather spend time and budget on new technology projects than on patching. There is also a stigma that if you're working on things like patching, you're not cutting edge, when in fact it's a critical piece of any security strategy.
I don't think we can underestimate the importance of consistent security hygiene. We also know that getting consistent implementation of the basics is important so there's no weak link – but it is really hard to do this well! The supply chain has the same problem: if suppliers aren't keeping their security hygiene tight and clean, it's an added problem for their enterprise customers.
- We need to think about making security seamless for end users so that it doesn't inhibit a great digital experience for them – but behind the scenes it's protecting them and their information. Passwords are a good example of this, and there is some good research from the UK and US about how to implement passwords to help users – longer is stronger, change less frequently, provide a secure vault and so on.
- There's a big effort on reducing risk across organizations where the focus is on vulnerability management. Having a smaller group of cross-functional people that focuses on this for a six-month period helps to drive initial rapid risk reduction and build a sustainable process. We found that by creating focused, diverse teams on projects with a single focus, they can provide some excellent insights. It keeps people motivated so they can complete a project and feel satisfied in their job.
- Many people talk about problems with legacy IT, and often security teams can feel they have little influence over this. We found that tracking and reporting data about the age of hardware and software, along with patch status, drives clear focus and ownership. Getting a universal target or appetite set by an executive committee can also really help.
- Security tools can be tempting to buy and hard to use. We have found a relentless focus on making our tools work for us very satisfying – so we get value from our investment. That means focusing on strengthening the rules, covering the right assets and putting the operational processes in place.
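The password point in the first bullet (longer is stronger, change less frequently, give users a vault) is easy to state and easy to get wrong in an actual policy. The following is an added example, not Vodafone's code and not part of the original interview: a small checker that follows the shape of the UK and US guidance the answer refers to (assumed here to be NCSC and NIST SP 800-63B style rules: a length floor, a generous length ceiling so vault-generated passphrases are never rejected, a check against a known-bad list, and no calendar-driven rotation). The denylist and account names are constructed sample data.

```python
"""Password policy check in the spirit of the UK/US guidance referenced above.

Added example code for this post; not Vodafone's implementation.  The
denylist below is a constructed stand-in for a real compromised-password
corpus, and the thresholds are assumptions modelled on NIST SP 800-63B.
"""
import unicodedata
from dataclasses import dataclass, field

MIN_LENGTH = 8     # floor for user-chosen secrets
MAX_LENGTH = 64    # ceiling high enough that long vault-generated passphrases pass

# Constructed stand-in for a breached/common-password list.
DENYLIST = {"password", "123456789", "qwertyuiop", "letmein123"}


@dataclass
class Verdict:
    ok: bool
    reasons: list = field(default_factory=list)


def normalize(pw: str) -> str:
    """NFKC-normalize so visually identical Unicode input is treated identically."""
    return unicodedata.normalize("NFKC", pw)


def check_password(pw: str, username: str = "") -> Verdict:
    """Accept by length and known-bad status only; no composition rules."""
    pw = normalize(pw)
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if len(pw) > MAX_LENGTH:
        reasons.append(f"longer than {MAX_LENGTH} characters")
    lowered = pw.lower()
    if lowered in DENYLIST:
        reasons.append("appears on the known-bad list")
    if username and username.lower() in lowered:
        reasons.append("contains the account name")
    if len(set(lowered)) == 1:
        reasons.append("single repeated character")
    return Verdict(ok=not reasons, reasons=reasons)


def change_required(compromised: bool, days_since_change: int) -> bool:
    """Rotation is driven by evidence of compromise, never by age alone."""
    del days_since_change  # deliberately unused: no periodic expiry
    return compromised


if __name__ == "__main__":
    for candidate in ["correct horse battery staple", "short", "Password"]:
        v = check_password(candidate, username="alice")
        print(f"{candidate!r}: {'ok' if v.ok else ', '.join(v.reasons)}")
```

The deliberately unused `days_since_change` parameter is the point of the example: the policy object still carries the information a legacy rotation rule would use, but the decision never depends on it.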
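The legacy IT bullet says that reporting the age of hardware and software alongside patch status, against an appetite set by executives, is what creates ownership. As an added illustration (example code written for this post, not Vodafone's tooling), the script below turns a constructed asset inventory into that kind of per-owner exception report. The inventory rows, the owner names and the two thresholds are all assumptions; a real deployment would read them from the CMDB and the approved risk appetite.

```python
"""Per-owner legacy IT / patch-status exception report.

Added example for this post; not Vodafone's code.  INVENTORY_CSV is
constructed sample data and both thresholds are placeholder values standing
in for an executive-approved appetite.
"""
import csv
import io
from collections import defaultdict
from datetime import date

# Constructed inventory: release date of the platform, last patch applied,
# vendor end-of-life (blank means still supported).
INVENTORY_CSV = """asset,owner,team,released,last_patched,end_of_life
web-01,alice,platform,2016-03-01,2018-06-20,
db-02,bob,data,2012-11-15,2017-09-30,2017-04-11
hr-app,carol,hr,2009-06-01,2015-01-12,2014-07-14
vpn-gw,alice,platform,2017-08-10,2018-07-01,
"""

MAX_AGE_YEARS = 7        # assumed appetite: platforms older than this are flagged
MAX_PATCH_LAG_DAYS = 90  # assumed appetite: anything unpatched longer than this is flagged


def parse_inventory(text):
    """Parse the CSV into rows with real date objects."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({
            "asset": r["asset"],
            "owner": r["owner"],
            "team": r["team"],
            "released": date.fromisoformat(r["released"]),
            "last_patched": date.fromisoformat(r["last_patched"]),
            "end_of_life": date.fromisoformat(r["end_of_life"]) if r["end_of_life"] else None,
        })
    return rows


def assess(row, today):
    """Return the list of appetite breaches for one asset (empty if compliant)."""
    findings = []
    age_years = (today - row["released"]).days / 365.25
    if age_years > MAX_AGE_YEARS:
        findings.append(f"age {age_years:.1f}y exceeds {MAX_AGE_YEARS}y")
    lag = (today - row["last_patched"]).days
    if lag > MAX_PATCH_LAG_DAYS:
        findings.append(f"unpatched for {lag}d")
    if row["end_of_life"] and row["end_of_life"] <= today:
        findings.append("past vendor end-of-life")
    return findings


def report(text, today_iso):
    """Group breaching assets by owner so each exception has a named person."""
    today = date.fromisoformat(today_iso)
    by_owner = defaultdict(list)
    for row in parse_inventory(text):
        findings = assess(row, today)
        if findings:
            by_owner[row["owner"]].append((row["asset"], findings))
    return dict(by_owner)


def print_report(rep):
    for owner, items in sorted(rep.items()):
        print(f"{owner}: {len(items)} asset(s) outside appetite")
        for asset, findings in items:
            print(f"  {asset}: " + "; ".join(findings))


if __name__ == "__main__":
    print_report(report(INVENTORY_CSV, "2018-07-31"))
```

Keying the output by owner rather than by team is deliberate: the interview's point is that visibility of age and patch lag produces ownership, and a report that lands on a person's name is harder to leave unactioned than one that lands on a department.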
Q: What are some of the best practices when approaching executives or the board in a company regarding cybersecurity strategy?
- Have a clear and concise strategy
- Construct a repeatable approach to go to the board on a regular basis
- Explain simply what cyber risk really means
- Have an open and honest conversation about where you are; don’t hide anything from them as transparency is key
- Describe new incidents and threats that are on the horizon and why the company needs to be protected; keep them ahead of threats before the media
- Try to garner as much support and buy in within the organization as possible; back it up with what’s happening all over the world to companies and organizations
- Deliver and track against a clear plan so they can see how you are reducing security risk
Q: What should we be thinking about beyond machine learning and artificial intelligence?
A: There's so much new exciting technology. We are working on areas such as quantum computing, blockchain, 5G, IoT (from both the consumer and enterprise side), cloud, network virtualization & cloud, automation, the ethics of AI/ML and how to secure a connected home.
Will some of these topics (and more) be at the center of it all for RSA Conference 2019? We are accepting RSAC 2019 Call for Speakers proposals in the Hackers & Threats tracks and Sandbox sessions until September 1. Learn more and begin the submission process.