Information Risk Management in the Digital Age
This discussion will focus on what is needed to address information security and risk management today: how to design, deploy, and operate fully embedded security to protect our corporations, and the information and people within them, in an environment of digital transformation. Every aspect of organizations is being touched by this transformation and by the exposure created by the consumer devices, software and expectations that have entered the enterprise in the last ten years. As more industrial and consumer devices are connected through the Internet of Things, more products have chips in them, machine learning and AI enter the corporation, and these trends combine with the already strong mobility, cloud and social trends, there seem to be ever more points of vulnerability and more data at risk. The challenges are heightened by increased threat actor capabilities, evidenced in denial of service attacks by activists, ransomware incidents, and “advanced persistent threats” involving government sponsorship. Going forward it is not a question of whether something could happen, but rather how we react when breaches or compromises occur — as much or more a question of detection and remediation as of prevention. At this roundtable, we will address questions such as:
- What are your company’s chief information security/risk concerns today and how have they changed in the last year? The last three years?
- What does the cyber threat landscape look like today for you? How different is it from three years ago? What are the trends you see in types of threats, causality and goals? How, if at all, do they fit together? What specific threats are you wrestling with?
- As your business is transforming, what business decisions has your company made that are impacting your information security posture or creating new challenges?
- How are you addressing the changing landscape organizationally? How is your information security organization structured now? How has it changed, grown, and shifted within the firm? Who does it coordinate with in the business that it did not use to? Do you have a SOC and a CSIRT, and how are they integrated?
- What does your governance look like? Who does your information security organization report to? Has that changed? What is the level of board scrutiny you get? Who are the other key stakeholders and how do you interact with them?
- How do you build up the organizational capability and resources that you need in what is generally a lean environment? What are the frameworks and best practices you have encountered? Have you been able to change your corporation’s security culture? How?
- How is the talent you need in your security organization changing? Is the breadth of roles needed in security today affecting your ability to get the right people and work collaboratively? Do you do modeling and analysis? Cyber forensics? Have a threat intelligence capability and/or partner with other organizations/consortia to get that?
- What specific technologies do you consider critical to your security efforts? Can machine learning and AI be a source of help?
- How do you address the deluge of data? Do you classify critical data? To what extent and why?
- Could robust government/industry collaboration provide the intelligence network needed? Are the individual CERTs serving a useful role?