Suffering a breach is no longer a question of "if," but "when" and "how big." Whether you are the CIO, the CISO or a Business Engagement Manager, it is a constant battle to ensure a reasonable security posture while balancing costs, usability, technology, user behaviour, transformation, and agility.
Cybersecurity gurus Brenda Ferraro (Third Party Evangelist and Senior Director of Networks at Prevalent Inc), Stuart McKenzie (Vice President, EMEA for Mandiant, a FireEye company) and Matt King (CISO of BDO Services Ltd) joined Simon Crumplin, CEO of Secrutiny Ltd, at INSIGHT 2018 to discuss how best to juggle security risks and balance priorities.
Firstly, how do we decipher what is important and relevant for our organisations?
In response, Stuart highlighted the importance of understanding your risks and determining where your threats come from. Brenda brought to light the importance of conducting tests, noting that some companies have over 580 security requirements in place. According to Matthew, the foundations and basics of IT hygiene are critical.
The following question was put to the audience: "How many people believe they have all of the right data in a central location in the event of Doomsday and would be able to respond with confidence?" One individual raised their hand. So, does this mean we are prioritising protection over and above response? And detection over and above response?
Next, the panel debated whether there was a better way to approach the problem.
The importance of organisations knowing precisely where their data is and how it is being protected was evident. Brenda said, "You must make sure that if that company goes down, what other company has a backup of that information?" Matthew stands by data-driven assessments because they are evidence-based work: "To be able to undertake assessments where you can validate that your controls are or are not effective, you can then determine whether that is something you need to focus on." Staying on topic, Stuart stated that "if you explain to people on evidence, that's very good, but you have to build your own evidence from things like red teaming and pen testing." According to Stuart, organisations need a 360-degree view. We need to understand what risk we are willing to accept and what we need in order to operate. If you can't manage your systems because of the controls you have in place, then there's something wrong. Everyone should follow the same procedure, and if it's not enabling the business, something is wrong.
Finally, the panel was asked: what simple things can be done to improve security?
Building relationships with executives was critical for Matthew. He mentioned, "It wasn't a conversation about risk, but an honest conversation about where we currently were from a security posture perspective and getting them on the right page. Saying we have an action plan and that they need to challenge us." Brenda recommended "Adaptive Enablement": sharing information with individuals and allowing them to have healthy competitions to reduce the risks, therefore closing more gaps.