Check out Storify for more conversations about the inaugural MassTLC Security Conference!
On October 22, 2014, MassTLC welcomed more than 250 attendees to its first Security Conference, Building Security InTo an Insecure World. This full-day event, spearheaded by many leading security visionaries and experts, included an in-depth look at the current landscape of cybersecurity threats, new types of attacks on modern infrastructure, how to reduce risk, how to prepare for and respond to security breaches, and how to work with C-suite leadership on managing your company’s cybersecurity strategy.
Greg Bialecki, Secretary of Housing and Economic Development, began the day with a look at the unique capabilities and resources that Massachusetts has as a state to lead the security industry, a theme echoed in the keynote panel that followed.
Deputy Program Manager Michael Howell of the Office of the Program Manager, Information Sharing Environment in Washington, D.C., Supervisory Special Agent Kevin Swindon of the Federal Bureau of Investigation, and Gerald Beuchelt, Chief Security Officer of Demandware, kicked off the opening keynote panel on the State of Cybersecurity and Information Sharing Organizations. It’s no longer a matter of if you will be breached, but when. Information sharing is a critical component both in navigating the complex standards and threat environment and in any information security strategy.
The complexities of managing security within an organization were explored in a deeper dive in the next session, Who Owns Security, with speakers Jigar Kadakia, Chief Information Security and Privacy Officer, Partners Healthcare, and Chris Wysopal, Co-Founder and CTO of Veracode, led by moderator Mark Steinhoff, Director at Deloitte & Touche, LLP. The Target breach has taught us that information assets are as valuable as physical and capital assets, and that security is not just an issue for CIOs anymore; it’s everybody’s responsibility. However, demonstrating ROI can make security a difficult sell to corporate leaders. Relevant metrics, red/yellow/green classification schemes for sensitive data protection, and dashboards are useful in communicating with the Board and corporate leaders, as is identifying your organization’s “crown jewels” and agreeing on what risk is acceptable and what is not when protecting them.
Breakout sessions included a look at Security in the Supply Chain (aka “Supply Chain is the New Black,” a phrase attributed to session speaker Edna Conway, Chief Information Security Officer, Supply Chain, at Cisco), a critical factor in nearly every organization’s security strategy and management that is often overlooked until it has been breached. Joined by Josh Brickman, Director of Security Evaluations at Oracle, and Sally Long, Executive Director of the Open Group, this panel looked at the nuances of managing your supply chain security.
Edna shared a four-step best practice for managing Cisco’s massive supply chain, a network of 1.2 million people who touch the product somewhere along the way, across all of the partners and product IDs in the portfolio. Crystallize what is important: for Cisco, the priorities are Counterfeit, Taint, Misappropriation of IP, and Embedding Security in times of Disruption. Deploy the practice across all members of the supply chain, and keep a scorecard of third-party providers to monitor their performance. It’s all about process, and it’s relentless and persistent. But you need to do it: Protect, Detect, and Innovate, to ensure a secure supply chain.
For more information on the Security in the Supply Chain session and the issues it raised, check out Iron Mountain’s blog post by John Boruvka, Vice President of Iron Mountain’s Intellectual Property Management business unit.
In the concurrent breakout session on Mobile Security, Caleb Barlow, Vice President of Mobile Security for IBM, and Brian Milas, Chief Technology Officer at Courion, provided insight into just how critical your organization’s employees and their ubiquitous mobile devices are to your overall security strategy, and into the issues that require significant attention in today’s BYOD/BYOA environment. Your mobile phone knows everything about you, which is why there has been a huge jump in mobile malware targeting your and your company’s information. Key security strategies to implement include 1) protect the content (including devices, applications, and transactions); 2) prevent exportation of corporate data; 3) use explicit design mechanisms to detect malware; and 4) incorporate smarter transactions, using fingerprint technology, location velocity, and other features to identify possible intrusions or attacks. Identity and access management are also critical, both on premises and in the cloud. Permissions are the key to sensitive data, for both its protection and its exfiltration. Security concerns cannot be allowed to slow down innovation in mobile.
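The “location velocity” signal mentioned under smarter transactions is easy to show concretely. The following is an added illustration of an impossible-travel check over authentication events; it is not code from the session, IBM or Courion. The login events are constructed sample data, and the 900 km/h ceiling is an assumption (roughly airliner cruising speed).

```python
"""Location-velocity ("impossible travel") check over authentication events.

Added example, not from the Mobile Security session speakers, IBM or Courion.
SAMPLE_EVENTS are constructed; MAX_PLAUSIBLE_KMH is an assumed threshold.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

MAX_PLAUSIBLE_KMH = 900.0   # assumption: faster than this between logins is suspect
EARTH_RADIUS_KM = 6371.0


@dataclass(frozen=True)
class LoginEvent:
    user: str
    when: datetime          # timezone-aware timestamp of the authentication
    lat: float
    lon: float
    device_id: str          # device fingerprint reported with the login


def haversine_km(lat1, lon1, lat2, lon2) -> float:
    """Great-circle distance in kilometres between two (lat, lon) points."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return one finding per consecutive login pair of a user whose implied
    speed exceeds max_kmh. Each finding is a dict with the user, both events,
    the distance and the implied speed. Events are grouped per user and sorted
    by time, so input order does not matter."""
    by_user = {}
    for e in events:
        by_user.setdefault(e.user, []).append(e)
    findings = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e.when)
        for earlier, later in zip(evs, evs[1:]):
            km = haversine_km(earlier.lat, earlier.lon, later.lat, later.lon)
            hours = (later.when - earlier.when).total_seconds() / 3600
            if hours <= 0:
                # identical timestamps: any real distance is impossible travel
                kmh = float("inf") if km > 1.0 else 0.0
            else:
                kmh = km / hours
            if kmh > max_kmh:
                findings.append({
                    "user": user,
                    "earlier": earlier,
                    "later": later,
                    "km": round(km, 1),
                    "kmh": kmh,
                    "new_device": earlier.device_id != later.device_id,
                })
    return findings


def _utc(h, m):
    return datetime(2014, 10, 22, h, m, tzinfo=timezone.utc)


# Constructed sample: alice logs in from Boston twice, then from Frankfurt
# 45 minutes later on an unfamiliar device; bob drives from New York to Boston.
SAMPLE_EVENTS = [
    LoginEvent("alice", _utc(9, 0), 42.36, -71.06, "alice-phone"),
    LoginEvent("alice", _utc(9, 30), 42.36, -71.06, "alice-phone"),
    LoginEvent("alice", _utc(10, 15), 50.11, 8.68, "unknown-device"),
    LoginEvent("bob", _utc(8, 0), 40.71, -74.01, "bob-phone"),
    LoginEvent("bob", _utc(13, 0), 42.36, -71.06, "bob-phone"),
]


def run_sample():
    """Run the check over the constructed events and return the findings."""
    return impossible_travel(SAMPLE_EVENTS)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f['user']}: {f['km']} km in "
              f"{(f['later'].when - f['earlier'].when)} "
              f"({f['kmh']:.0f} km/h, new device: {f['new_device']})")
```

On the sample, only alice’s Boston-to-Frankfurt pair (roughly 5,900 km in 45 minutes) is flagged, and the finding also records that the device fingerprint changed, which is the kind of combined signal the panel described. In a real deployment the geolocation would come from the login’s source IP or the device’s reported position, and the threshold would be tuned against known VPN and carrier-NAT false positives.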
The Security Intelligence session echoed the complexity of the corporate IT environment created by a “bring your own everything” world (devices, applications, cloud, infrastructure). Attackers are growing more sophisticated in using this expanded attack surface to compromise and breach networks, which has increased the overall need for security intelligence among IT security organizations inside companies of all sizes. The role of security intelligence is evolving, including gathering external threat intelligence and understanding your own network’s exposures and any activity that may indicate a compromise. Moderator Paul Roberts of the Security Ledger led speakers Seble Assefa, Federal Reserve Bank of Boston, Eric Cowperthwaite of Core Security, Inc., Mark Jaffe of Prelert, and Rich Perkett of Rapid7 through a discussion of various approaches to leveraging analytics against modern advanced threats to get better security intelligence.
Security for the Rest of Us, helmed by Jim Flynne of Carbonite and Max Weinstein of Sophos, offered a look at protecting the “4Cs” at your small business (Computers, Credentials, Content, Connections) and at the various tools of the trade used for each.
With security now a requirement for all businesses, how can you sell your product in this environment and leave your customer feeling, well, secure with their choice? Andy Ellis of Akamai, and Andrew Kenney and Bryan House of Acquia, shared their strategies for Selling Security as a process, beginning with the design and testing of the products, through sales approaches to the variety of people within the organization you are selling to, and on to the importance of developing a role as a thought leader by sharing information, fixes, and updates on security threats and analysis.
Security in the Cloud, with Ron Zalkind of CloudLock, Jim O’Neill of Hubspot, and Piyum Samaraweera of Sophos, delved into security considerations within a cloud environment that differ from a non-cloud environment, including human dynamics, the speed at which transactions move, and so on. As SaaS environments grow and infrastructure is outsourced more frequently to larger providers who can theoretically manage security needs more successfully, threats are moving to the application level; BYOA is the next cloud security challenge. Users love the freedom the cloud brings, but now need to be a huge part of the security defenses.
In the midst of addressing today’s security challenges in the cloud, mobile, and more, where is the industry headed? What’s next? Speakers Greg Dracon of .406 Ventures, Kevin O’Brien of Conjur, Inc., and Sam Bisbee of Threatstack discussed the future of Innovating in Information Security. We’ve seen how getting security wrong can bring down organizations. What our panel finds is that security is now front and center in most organizations, that it is about business enablement, and that CISO/CSO decisions are drawing more attention. Big data is important, but small data can also be an integral part of maintaining an organization’s security.
The conference closed with an energetic and insightful keynote by Bruce Schneier, security industry luminary and Chief Technology Officer at Co3 Systems, on the Future of Incident Response, with a look at the economic and psychological forces within the security field and incident response (IR). Bruce sees three security trends in the pipeline: 1) less control, as workloads move to cloud and mobile, 2) more sophisticated hacks, and 3) more government involvement. Security is a combination of 1) protection, 2) detection, and 3) response. We need response because protection and detection aren’t perfect. Drawing on the OODA cycle of observe, orient, decide, and act, this session covered how to optimize response efforts, and crucial strategies for maintaining IT security in the coming decade.