CheckRecipient attended CloudSec 2016 at the Park Plaza hotel in London. It was an insightful event, with numerous lectures, panel discussions and breakout sessions that addressed some of the key threats that our company is focused on.
One of the more insightful panels at CloudSec 2016 was a segment on key questions every CEO should be asking about cybersecurity. The speakers on the panel were Darren Argyle (Global CISO of Markit), Troels Oerting (Global CISO of Barclays), Michael Wignall (National Technology Officer at Microsoft), and Rik Ferguson (VP Security Research of Trend Micro).
There were a few particularly interesting and relevant questions asked, including (with paraphrased answers):
Do you think executives at organisations are aware and know what they need to do?
Darren Argyle: CEOs now understand and are now asking the questions. They are more informed than you expect. They want to drill down to the next detail, which mission-critical assets and parts of the business are most at risk. We as CISOs need to communicate better to them.
When you talk to the board what is the pressing topic when it comes to cyber threat?
Darren Argyle: Our very first discussions were that security was a cost of doing business, but I now position it internally as an investment in the brand. The board then starts viewing this very differently. The board is also looking for some formal education. This is both what I say and what third parties say, so it’s key to leverage the big 4 to combine that message and get it across. Boards are always interested in benchmarking. They want to know how much we are doing compared to our competition. They don’t want to spend too little but also do not want to spend much more, so that balance is important.
Does the board understand you always think cybersecurity when you start a new service?
Troels Oerting: Any road to a successful digital future leads to security and a need to offer security, privacy and to build customer trust. The process used to be build first and pen-test subsequently. Now we build and pen-test concurrently, and then red team the processes. It’s a different business model. We are interested in what is hitting me now, but what WILL hit me later. It’s the real threat, otherwise I am preparing for the past and while I do that, criminals are preparing for the future.
What are you doing to help customers with security in the cloud?
Michael Wignall: It’s about core table stakes. You need to ensure 2 things.
1) building to ensure security and
2) doing it for our customers.
Compliance and trust all go hand in hand. We will independently audit everything and then share this with customers. This gives them some comfort and security. We provide more evidence than everyone else so they understand everything in the context of their business. Explaining this is harder.
With GDPR do you think more customers will use cloud services?
Rik Ferguson: There is a great temptation to outsource, because people don’t realise you cannot outsource accountability. The move will carry on, but as process changes people need to realise that the big problem is that security has been an afterthought, and in a business context it is still a bolt-on. How do I build security awareness in all the silos? Security must stop being a bolt-on and become embedded in the business. Then regulatory compliance will be more straightforward as security and business will understand each other.
What trends are we seeing and is IoT the best threat?
Michael Wignall: Artificial intelligence, outside of IoT, is a big trend. You need to use cloud-level security for threats that exist in the cloud world. Investment around machine learning and AI will give you access, starting at cloud.
Darren Argyle: What keeps me awake is the education piece because it’s a continuous process. Boards and executives change. Dynamically allocating education is important so that you keep the risk-aware customer. Knowing where our crown jewels are is what keeps me awake. Constant M&A creates a fluid movement of assets. Machine learning has great opportunities to understand the context of data to get an understanding of sensitivity and where it is shifting in your environment.