Cyber Security Strategy
Five Takeaways from Gartner Security & Risk Summit London
I attended Gartner Security and Risk in London this past week. It was my fourth time at the London event, following countless times at the event in Washington D.C. - okay, it’s really National Harbor, Maryland - and two in Sydney, Australia. As expected, there were similarities between the events:
- Discussions about CARTA, the continuous adaptive risk and threat assessment model that Gartner has been extolling for a few years
- Keynotes from notable speakers, in this case Olympic Gold medalist and World Champion sprinter, Michael Johnson
- Breakout sessions with both theoretical gravitas and practical advice
Here’s what stood out for me about what I heard in London:
This topic has been on the radar for a while - in fact, a previous employer of mine felt the topic was old five years ago - yet we’re still talking about it today. Why? Because even as the promise of digital transformation is being realized every day, the expectation of that promise keeps growing: new ways of working, new monetization models, and yes, new threat vectors. There was a good deal of discussion about the cyber-physical intersection, a world where digital problems impact physical safety. With this intersection come problems to be solved and visions to be realized by many a starry-eyed entrepreneur.
Bold Claims About the Cloud
A conversation about digital business - or cybersecurity - is certainly not complete without a discussion about the cloud. Public, private or hybrid. While cloud adoption has hit Main Street in certain industry segments, others are laggards, citing security concerns as the reason for slow adoption. But if the claim made by Gartner VP Distinguished Analyst Neil MacDonald is realized, the laggards will soon join the party. He stated that “cloud-native apps will be the most secure in the next three to five years.” Given all the wares shown on the Expo floor during the conference, that seems a real possibility. But he also advised that companies “shouldn’t run code in production if you don’t know its provenance.” Sounds like the locavore food movement has met security. It’s relatively easy for people to know where their food comes from - by supporting local farmers’ markets and shops that publicize such details. But for code? Not so much! With the proliferation of open source libraries and the sharing of scripts and code on tools like GitHub, is this advice even practical? Likely not. The pressure to take products to market quickly and to focus development resources on truly differentiated capabilities will not change. Use of third-party code of unknown origin will continue, so businesses must find alternate ways to protect against vulnerable code and malicious third-party scripts.
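One such alternate way, added here as an illustration rather than anything from the post or from Gartner: when you cannot vouch for where a third-party script came from, you can still pin exactly which bytes are allowed to run, using the same digest format browsers enforce through the HTML Subresource Integrity (SRI) `integrity` attribute. The vendor script and its modified copy below are constructed sample data.

```python
"""Integrity pinning for third-party scripts of unknown provenance (added example)."""
import base64
import hashlib

SRI_STRENGTH = {"sha256": 1, "sha384": 2, "sha512": 3}  # the only algorithms SRI permits

def sri_hash(body: bytes, algo: str = "sha384") -> str:
    """Return an SRI token such as 'sha384-<base64 digest>' for the given bytes."""
    if algo not in SRI_STRENGTH:
        raise ValueError("SRI only permits sha256, sha384 or sha512")
    digest = hashlib.new(algo, body).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"

def verify_sri(body: bytes, integrity: str) -> bool:
    """Check bytes against an SRI attribute value, which may list several tokens.

    Browsers accept the resource if it matches any token of the strongest
    algorithm listed and ignore weaker or unknown algorithms; mirrored here.
    """
    by_algo: dict[str, set[str]] = {}
    for token in integrity.split():
        algo, _, digest = token.partition("-")
        by_algo.setdefault(algo, set()).add(digest)
    candidates = [a for a in by_algo if a in SRI_STRENGTH]
    if not candidates:
        return False  # nothing a browser would accept, so fail closed
    strongest = max(candidates, key=SRI_STRENGTH.get)
    expected = sri_hash(body, strongest).split("-", 1)[1]
    return expected in by_algo[strongest]

def script_tag(src: str, body: bytes) -> str:
    """Emit the <script> tag that makes the browser enforce the pin at load time."""
    return (f'<script src="{src}" integrity="{sri_hash(body)}" '
            f'crossorigin="anonymous"></script>')

# Constructed sample: the vendor script as reviewed and pinned at deploy time ...
PINNED_SCRIPT = b"window.checkout = function () { /* vendor checkout widget v1 */ };\n"
PINNED_INTEGRITY = sri_hash(PINNED_SCRIPT)
# ... and a constructed copy that changed on the CDN after the review.
CHANGED_SCRIPT = PINNED_SCRIPT + b"/* unreviewed modification */\n"

if __name__ == "__main__":
    print(script_tag("https://cdn.example.invalid/checkout.js", PINNED_SCRIPT))
    print("pinned copy accepted: ", verify_sri(PINNED_SCRIPT, PINNED_INTEGRITY))
    print("changed copy accepted:", verify_sri(CHANGED_SCRIPT, PINNED_INTEGRITY))
```

The pin says nothing about who wrote the script, only that the bytes served match the bytes someone reviewed; a vendor release that legitimately changes the file will also be blocked until the hash is updated.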
Everything Old is New Again
In a session about the threat landscape delivered by Jeremy D’Hoinne, VP Analyst at Gartner, attendees learned that there really is not much new happening. This should both calm and worry cybersecurity professionals. If the threat vectors are known, we should be able to address them. Yet since the threat vectors are known, why have they not been addressed? Email continues to be the attack vector of choice - with phishing schemes and embedded malware atop the list. Ransomware is still popular, as are other well-covered topics like Magecart, all made easier for the attacker by automation and the prevalence of attack kits for purchase on the dark web. The prize they’re after: personally identifiable information. It was termed “the new treasure for cyber pirates” and “the new perimeter” during the show. Amazingly - or not - bad patching practices and the OWASP Top 10 continue to open doors for attackers. And 43 percent of exploits today happen at the browser level, so security professionals must continue to investigate innovative solutions to address this.
Transparency and Resilience
One of the most interesting discussions, from the CISO and CTO of Maersk, was about their near-death breach in 2017, during which 99 percent of their IT infrastructure was infected. The Maersk execs were very transparent about the approach they took to recover from this experience. They collaborated across functions and were extremely transparent with their entire ecosystem about what was happening, what they knew and what they did not. By working cross-functionally, and by calling on industry partners and customers for help, they were able to respond and recover, and to move forward with a fortified security stance. Today they remain a leader in shipping and logistics, with improved trust because of the way they handled this situation. The best piece of advice in the talk: “You can only build a good cyber posture when you’re integrated with the business.”
This event featured an atypical but insightful presentation about mastering political discussions. The talk was lively and informative, including practical examples of how security professionals can navigate tough political situations. There was a good deal of focus on “feeling questions” such as “are you comfortable with this?” rather than focusing solely on data. Good advice certainly, given the important role security professionals play in their respective companies. The speaker navigated the topic well, without stereotyping security professionals as focused only on zeros and ones, gently reminding those assembled of the need to build business and communications skills to improve their cross-functional interactions. In fact, the Gartner show in the U.S. had “soft skill” keynotes as well: one about hiring great people who are humble, hungry and smart, and one about diversity and inclusion - challenging attendees to move beyond closed-mindedness and think broadly about how to fill open cybersecurity positions.
I’m interested in hearing from others who attended the London event - or any Gartner Security and Risk conference, for that matter - about what you heard and how you’re going to put your learnings to use.