On August 31 we were joined by 200 security executives for Comprehensive Security - a 3600 view of your security program at Microsoft NERD in Cambridge.
Dave Mahon, Vice President and Chief Security Officer of CenturyLink, kicked off the afternoon sharing his expertise in building global security programs. This was followed by a simulated cyber-data breach where expertise from security, legal, and law enforcement provided attendees with best practices on handling a breach at each step of escalation. The remainder of the day was spent taking deeper dives into many of the facets included in both the keynote and simulation.
Dave’s keynote included:
- How to work with your board, where decisions such as regulations, risk assessment, liability, and cyber insurance all lay. He talked about the importance of communication, keeping it simple and in incremental steps -- what it takes to bring the risk down by x% and what that means to bottom line.
- Understanding that adversaries are very smart and very motivated and that there are five primary source of threats: State funded (espionage), cyber criminals (typically well-funded), terrorists (zealots), hacktivists (protestors), and insider threats (employees).
- Identifying the direct and indirect costs to a breach - loss of market share, cost of insurance, cost of rebuilding your system, government fines, etc.
- Litigation proof your security program, have a solid IR plan, and practice executing it.
Simulated Breach Take-Aways
- Better than 60% of the time, law enforcement will notify a company it has been breached rather than the company discovering on its own.
- Be prepared. Have an IR plan and practice it.
- An organization that has been breached is the victim of a crime, but they must demonstrate they handled the situation correctly. Be iron-clad in your actions and communications, both internally and externally.
- If you are dealing with the FBI or other law enforcement agencies, make sure you have: timeline, logs, and a key point person to communicate among law enforcement agency and company executives, legal team, and IT.
Following these sessions, we had several breakouts where speakers took audience into several of the steps in more detail including:
- Managing your 3rd parties;
- Building your incident response programs;
- Developing strong application security programs;
- Understanding and utilizing user behavior statistic reporting; and
- Taking your security program to the next level through security operation and analytics reporting.