Looking back at RSAC 2018: C-Suite Views

Posted on

At RSAC 2018, RSA Conference blogger, Tony Kontzer, sat in on a number of sessions. Check out the posts below on C-suite views sessions to see what happened at last year’s Conference and to give you a taste of what you can expect at RSAC 2019!


The Verdict is In: Cyber Security Executives Have Hit Their Breaking Point

One truth about cyber security executives rose above all others during this year's RSA Conference: They're spread really thin.

Faced with a daily barrage of security operations challenges, a worsening talent crisis, a steady stream of reports of big security breaches and an ever-evolving regulatory landscape, just keeping up with what's going on around them is enough to keep most CISOs busy around the clock.

"Keeping your finger on the pulse is really hard," Patricia Titus, CISO and CPO of Markel Corp., said during a panel discussion on how security leaders stay on top of things at the RSA Conference.

Titus said she relies on external resources to keep informed, turning to other CISOs she trusts to get tips about how they're solving their problems, and regularly monitoring closed LinkedIn communities in which cyber security executives share perspectives and best practices.

Merlin Namuth, business information security officer for absence management consultancy Reed Group, said one of his main staffing strategies is focused on retention: He spends time with his employees.

By simply getting up from his desk and walking around, visiting with his team and getting to know what's going on their lives, Namuth is able to prevent issues from surfacing. If someone feels they don't have the tools they need to do their job, he finds out. If they're having problems at home, he can give them the flexibility to tackle those issues.

Malcolm Harkins, chief security and trust officer for threat prevention vendor Cylance, took that one step further, sharing that he's engendered a workplace mantra that fuels a sense of camaraderie. Harkins said organizations that empower employees to feel three things — that they believe, they belong, and they matter — will "never have an attrition problem."

As time-consuming as staying on top of operations and staffing challenges is, that only scratches the surface of what cyber executives face. They also must look toward the future by keeping abreast of third-party research and equipping themselves with innovative tools designed to keep the bad guys at bay.

Staying informed about those tools is a huge undertaking that's proving difficult for executives and vendors alike. Cyber security leaders simply have so little time to meet with vendors that the sales cycle has become highly compressed. Vendors may only have a few minutes to communicate their value propositions, and panelists stressed that they should use that time wisely.

For instance, Titus stressed that she's looking for technologies that will help her connect the dots by automating key processes and integrating with other security tools. As a result, she's much more interested in tools that can help her better understand her company's security profile, not simply add another layer of protection to manage.

"I am a security officer who doesn't want to be in the security business," she said. "I want to be in the intelligence business."

The panel's moderator, Mark Weatherford, SVP and chief cybersecurity strategist for data center security provider vArmour, said that if vendors want to rise above the noise and appeal to security execs, the last thing they should be doing is adding complexity.

"If you want to sell me a new product to add to my list of products, I'm not interested," Weatherford said, channeling what he hears from potential customers. "If you want to sell me a product that will replace two other products, I'll love you for a long time."

Titus and Harkins agreed that security vendors often add to their security woes, and that cyber security execs have no one to blame but themselves. Titus said that rather than holding vendors accountable and having tough conversations with them when their technologies come up short, most executives instead sit in their offices and moan, and then turn around and buy more ineffective technology.

Therein lies a systemic Catch 22: When security vendors' products are highly effective, they effectively end up cannibalizing their own business.

"How stupid are we to buy more stuff from people who sold us crap that didn't work?" asked Harkins. "The industry has no economic incentive to solve the problem."

The simplest answer to this is for cyber security execs to make sure they're holding vendors' feet to the fire.

But Titus offered another suggestion that she believes can help many execs avoid finding themselves stuck on this treadmill: Buy stock in your company so that you're fiscally invested in the outcomes of your decisions.


Take it From These Two CISOs: Battling Insider Threats Requires a Programmatic Approach

Insider threats come in all shapes and sizes, which is why a strong process—more than any assortment of cybersecurity tools—is the best antidote. Such was the message two experienced CISOs delivered during a session at the RSA Conference in San Francisco.

Consider a couple of anecdotes that James Christiansen, global CISO of Teradata, shared during the session. In one, Christiansen told of how executives at one company literally held the door open for an insider who was walking out the door with a box full of sensitive documents.

The second tale centered on an occurrence at a company Christiansen worked for, after he had given a pep talk about not letting sensitive employee data leave the company's network. A short time later, he saw evidence of an outgoing email that contained the personally identifiable information of every employee, including salaries, addresses and names of children.

When he confronted the HR executive who had sent it out, the employee said they'd "only sent it to one person." Christiansen said that the bad guys could intercept it as easily as he did, but it wasn’t until he pointed out that the CEO probably wouldn't be happy about his salary being made public that the tone of the conversation shifted.

These stories highlight what makes defending against insider threats so challenging: They're very complicated. Sometimes they're the result of an honest mistake. Other times they're the result of not recognizing a malicious action that, on the surface, appears to be benign.

The difficulty in spotting insider threats puts a premium on developing a program that accounts for all of the variations. Insider threat actors fall into many categories. Malicious actors can be disgruntled saboteurs, entitled thieves, or state- or organized crime-sponsored insiders who've been planted. Those acting without malice include employees acting inadvertently, someone sharing sensitive information as part of a merger or acquisition, or an executive who doesn't take care in distributing information. And then there are outside-in actors, who masquerade as insiders and may represent the hardest-to-detect type of the bunch.

Each brings unique motivations and different risks, necessitating a variety of approaches.

"It's really important to understand the personas," said Christiansen. "As you think about your threat models, you have to take each one of these into account."

For instance, in the case of the HR executive in Christiansen's anecdote, it may not have been fair to pin the breach on one person who may or may not have been clear about the implications of an action.

"It's only fair to ask employees to do the right thing if you've done a good job of telling them what the right thing is," said Gary Harbison, CISO for Monsanto.

Similarly, with outside-in actors, who attempt to disguise themselves by appearing to be an employee engaging in normal business, it's only fair to ask the business to recognize that something's amiss if it's aware of the anomaly. Which, Christiansen suggested, is not something most companies are able to detect.

"If you don't know what normal is, there's no way you can try to assess normal," he said.

Making matters worse is the burden of proof in responding to insider threats. Factors such as insufficient damage, a lack of evidence, and concerns about publicity and liability can cause a company to take no action beyond dismissing the actor, assuming that person is an employee.

All of these unknowns are why both Christiansen and Harbison strongly recommend that organizations take a formal approach and develop a comprehensive insider threat program. That means taking stock of the outcomes a company wants, building executive sponsorship, developing a strong set of policies and processes, and considering forming a cross-function steering team to ensure a holistic approach across the enterprise.

It also means taking stock of the wins this program provides so you know if what you're doing is working.

"This program is a journey," said Harbison. "It's going to take a while to build out. You want to be able to show the impact it's having."

Next Steps

Christiansen and Harbison suggested homework for any attendees who wanted to rethink how their companies programmatically handle insider threats:

-Over the next three months, review the maturity level of your current insider threat program, stay consistent on the fundamentals, and establish a plan to take you to the next level of maturity.

-After those three months, having developed a program, obtain support for the program, establish a plan with milestones, and maintain a record of your wins.


As if Cyber Security Leaders Don't Have Enough to Worry About: Here Come Strategic Cyber Actions

It turns out that as hopelessly behind the 8-ball as most organizations' cyber security teams believe they are, the reality is probably even worse than they realize.

That's because many of the security incidents that appear to be one-off events are actually part of much larger efforts known as "strategic cyber actions." These are large numbers of highly coordinated attacks designed to advance the strategic interests of governments, interest groups and other entities, and they're ubiquitous, a high-ranking security researcher and consultant told attendees at the recent RSA Conference in San Francisco.

"They're happening to you, and they're happening to you now," Scott Borg, director and chief economist of the U.S. Cyber Consequences Unit, ominously declared during a well-attended presentation. "We're talking about actions that look like cyberattacks, but aren't limited to cyberattacks. They're much broader."

For instance, Borg said that China has been using strategic cyber actions (or SCAs) to collect massive amounts of economically beneficial information that, while not having any intrinsic value, is allowing the country to essentially corner markets. One example is electric generators, most of which are made in China. Borg said that's no accident, and that China has been using SCAs to assume control of markets that have strategic value.

The really confusing part of this is that the impact is most definitely not all bad.

"By acquiring strategically important business information, they've lifted more people out of poverty than has ever happened at one time in the history of the world," Borg said of China. "I'm not defending the way they've carried these things out. I'm just looking at these things in a way so that I can see the positive side."

Borg said that SCAs typically have one of three objectives: to manage broader information flows; to intervene in business operations; or to determine market conditions. In each case, there are potentially positive and negative impacts, which is why Borg tends to stay away from the terms "white hat" or "black hat," instead preferring to believe that "most of us are gray hats." An SCA that seeks to determine who has access to certain markets could make those markets more exclusive, or it could reduce trade barriers for customers or suppliers, thereby opening things up.

Adding to the difficulty of identifying SCAs is the changing nature of warfare, politics and economics,  which have increasingly blended together and happen to be the three main backdrops behind these coordinated actions.

"Economic activity no longer necessarily looks like economic activity. Military activity is no longer confined to battlefields or anything that is considered traditional military action," said Borg. "You can't separate economic activity from military activity or political activity. They're all woven together."

Borg said the nonprofit Cyber Consequences Unit, which provides cyber security intelligence to the U.S. government and its allies, has been tracking SCAs since 2004, and that they've become a much bigger deal since 2014. And while China's example is a good one, and Russia has also been known to engage in some state-sponsored SCAs, those behind the attacks come in all shapes and sizes.

The U.S. oil industry, gun lobbyists, anti-abortionists and animal liberation movements are just a few of the special interest groups that have been behind SCAs, said Borg. The common thread among all of these is a desire to expose adversaries who are doing things deemed reprehensible.

So, given that SCAs are increasingly prevalent, difficult to identify, and often seemingly harmless, what's an organization to do to protect itself?

Like most things, Borg said, it starts with awareness. Every attack must be viewed through the lens of it possibly being part of an SCA. That means keeping an eye on reports of SCAs that might affect your organization, and staying on top of any news developments that could put a bullseye on the organization's back.

"Make yourself less of a target," Borg said.

And with that awareness, an organization will have a much better idea of what's coming at it, as well as what's coming at its business partners. It's either that or find itself in a constant state of recovery.

"If you're not aware of this picture," said Borg, "you will constantly be blindsided in ways that are no longer necessary."

And if there's one thing cyber security leaders can agree they don't need any more of, it's being blindsided.

Blogs posted to the RSAConference.com website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA Conference™, or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.

Share With Your Community

Related Blogs