Rethinking Cyber/Information Security
Roundtable on Digital Strategies • Reston, VA • Hosted by Bechtel June 10, 2014
This discussion focused on what is needed to address information security today: how to design, deploy, and operate fully embedded security to protect our corporations and the information / people within them. This challenge is heightened in an environment with increased threats ranging from denial of service attacks from activists to “advanced persistent threats” involving government sponsorship, as well as increased exposure through consumer devices, software and expectations entering the enterprise. As more industrial and consumer devices are connected through the Internet of Things, more products have chips in them, and these trends combine with the already strong mobility, cloud and social trends, there seem to be more points of vulnerability and more data at risk. Going forward it is not a question of if something could happen, but rather how we react when breaches or compromises occur — as much or more a question of detection and remediation as prevention. We also addressed the issues of detecting and protecting against the motivated insider. At this roundtable, we sought to address questions such as:
- What are your company’s chief information security/risk concerns today and how have they changed in the last year? The last three years?
- What does the cyber threat landscape look like today? How different is it than three years ago? What are the trends you see in types of threats, causality and goals? How/do they fit together? What specific threats are you wrestling with? Do you have a vulnerability-focused approach or a threat-focused approach?
- What business decisions have your company made that are impacting your information security posture or creating new challenges?
- How are you addressing the changing landscape organizationally? How is your information security organization structured now? How has it changed, grown, and shifted within the firm? Who does it coordinate with in the business that it did not used to? Do you have a SOC and a CSIRT and how are they integrated?
- What does your governance look like? Who does your information security organization report to? Has that changed? What is the level of board scrutiny you get? Who are the other key stakeholders and how do you interact with them?
- How do you build up the organizational capability and resources that you need in what is generally a lean environment? What are the frameworks and best practices you have encountered? Have you been able to change your corporation’s security culture? How?
- How is the talent you need in your organizations changing? Is the breadth of roles needed in security today affecting your ability to get the right people and work collaboratively? Do you do modeling and analysis? Cyber forensics? Have a threat intelligence capability and/or partner with other organizations/consortia to get that?
- What are the metrics you use to track information security/risk performance?
- What specific technologies do you consider critical to your security efforts?
- How do you address data? Do you classify critical data? To what extent and why?
- How do you address travel and mobile vulnerabilities?
- Could robust government/industry collaboration provide the intelligence network needed? Are the individual CERTs serving a useful role?