Here are some valuable takeaways from MassTLC's The Business Impact of Security.
With three sessions and an introduction from Dr. Wen Masters, Vice President of Cyber Technologies at MITRE, MassTLC's The Business Impact of Security was a veritable security information juggernaut. Perhaps the most important lesson of the day, though, was not about the technical execution of cybersecurity, but about integrating it into the eighth layer of security, humans, and harnessing their power within the industry.
On that note, here are some critical insights gleaned from the three sessions, "Accelerating innovation with security," "Cross-functional collaboration to secure the enterprise," and "How to adapt to the evolving nature of security teams," that we believe any company can benefit from learning.
Session 1: Accelerating innovation with security
Session 1, "Accelerating innovation with security," was packed with use cases on how product teams have integrated security into their development or procurement process through technology and collaboration. Led by Gary Barnabo, the Director of Cyber and Privacy at Cross Country Consulting, the session provided great insights from panelists Deb Briggs, CISO of NETSCOUT, Michael Joseph, Co-Founder and CEO of Technium, and Nimit Sawhney, Co-Founder and CEO of Voatz. Below are some key insights.
1. Security cannot be an island unto itself
Masters opened the event with a powerful statement. "It used to be that companies thought of security as 'extra stuff,' but it is now integral."
We live in a world where security needs to touch every part of business.
However, though security should be in everything, many feel it isn't or shouldn't be. Some even feel that it blocks progress. In fact, later on in the event, Briggs went as far as to say, "A lot of people would consider security and innovation to be oxymorons."
2. Innovation needs brakes
While some professionals feel that security stunts innovation, it's quite the opposite. Briggs followed her first comment up with a highly accessible example.
She said, "Innovation is necessary to continue to exist. The question is how to do so securely." She then went on to explain that if someone were given a Lamborghini, their natural instinct would be to drive it as fast as it would go; but if she removed the brakes, the driver would most likely choose to go a lot slower and wouldn't progress very quickly at all.
The logic was as follows: brakes don't exist to stop the car; they exist to get you where you want to go as fast as you want, but safely. Security is the brakes, and innovation cannot fully function without them.
3. Stop saying "NO"
Historically, any negativity toward information technology (IT), security, and cybersecurity has been the result of people feeling that professionals in those industries always say "no." Briggs explained that "security can't be the department of 'no.' They have to figure out how to say 'yes.'"
Sawhney echoed that and added to Briggs's point. "Science and technology are always changing what's possible. It's hard to do, but instead of saying, 'That's impossible,' let's find out how to do it. That's why humans exist."
4. Security is a team sport
The development of security policies and protocols can't be completed by security professionals alone. Briggs explained that, sure, she could order all the doors in a building to be locked, but what would happen if a fire drill occurred? No one wants to burn alive because of a limited understanding of a potential situation. Security is just the same.
Sawhney, who has a small team at the moment, followed this with the great point that no matter how large a team becomes, "every individual is responsible for security–HR, sales, it doesn't matter."
We couldn't agree more.
5. Start early
Michael Joseph, Co-Founder and CEO of Technium, stated that most of the clients his company helps start working on security too late in the game, or they implement systems that they don't maintain correctly.
He said, "It's better to start with a framework from the beginning. It needs to be built into everything."
Session 2: Cross-functional collaboration to secure the enterprise
Next on the agenda was "Cross-functional collaboration to secure the enterprise," led by moderator Leslie Nielsen, CISO at Klaviyo, with panelists Kelly Haydu, Vice President of Information Security and Technology at CarGurus, Partho Ghatak, Managing Director and CISO at Grant Thornton, and Margie Zuk, Senior Principal Cybersecurity Engineer at MITRE. This session focused on how business leaders share information and expertise among departments in order to identify and prevent cyberattacks.
1. Fail safely
The first lesson of this session was to "go from never fail to fail safely." Nielsen began with a tale about two airplanes, known at one time as "widow makers" due to the many deaths they caused, which used to have square windows. The square windows were later replaced by round ones when it was found that square windows concentrated stress and broke the planes apart.
It wasn't that the round windows didn't get stressed, but they were engineered to take the stress without bringing down the plane.
2. Protect your crown jewels
Ghatak stated "We don't own risk. We choose to protect what matters most to businesses. Protect your crown jewels. Build layers of control so that even when a hacker gains access, they will have a harder time accessing those things."
3. Prepare in advance & think about your sector
Zuk, who specializes in healthcare, is a huge proponent of cross-functional preparedness.
She said, "Threat modeling should be implemented. If you understand the system of the system, you can understand the challenges better."
Zuk also mentioned that legacy technology is frequently present (especially in healthcare) and needs to be planned for, as it has unique vulnerabilities.
Haydu helped anchor her point. "Think about the application by sector above and beyond the regular security training you provide."
Haydu said, "Everyone should know how to respond [to a breach] because it's been practiced." And as we all know, practice makes perfect!
5. Set your eyes on future solutions
According to Ghatak, "Within five years, multi-factor authentication may be obsolete. We need to move toward device authentication." He also mentioned that this is a critical need as AI continues to advance because "the deepfake phishing attacks are getting better."
Session 3: How to adapt to the evolving nature of security teams
In this final session the panel discussed policies related to remote and hybrid work, how to reduce the barrier to entry into security roles, and finding new, people-centered ways to recruit and retain talent. The panel was moderated by Devo's CISO, Kayla Williams, and included Stephen Boyer, Founder and CTO of BitSight Technologies, Inc., Mike Rock, CISO of Sensata, and, in the absence of Janet Levesque, CISO of athenahealth, the previous panel's moderator, Nielsen.
1. Listen carefully to assess risk accurately
Rock emphasizes assessing risk accurately through interviews. He said, "I spend a lot of time interviewing and listening to business leaders to gauge the risk tolerance of a company as well as the opportunities and topics of interest that we can talk about in the future. But you can't truly assess risk when people are on the defensive, so it's important to judge their performance over time."
He continued, "After that, you can take the information you ingest and compare it with what IT feels the risk tolerance actually is."
2. Build a future pipeline
It's quite apparent that there's a talent shortage in security. That's why it's essential to build a future pipeline of both traditional and alternative talent. Several panelists and moderators are already actively doing this, including Williams, who is leading the charge to promote alternative pathways into security careers.
Boyer is also changing tactics. He said, "We removed the degree requirement to open up the talent pool. Talent shortages in this industry mean you have to build up individuals who want to learn."
He continued, "We also engaged with groups that build pipelines for careers and defined career paths based on skills that were needed to achieve them."
Career paths and opportunities are valuable to Nielsen as well. He said, "Don't make dead-end careers. Create internal internships. Leverage the remote workforce. Look for lifelong learners and tell people they are important."
Of course, there's also the option to work toward your own future workforce using education, which is what Rock did. He said, "We started a cyber education program in a high school. It took money, but the students are learning college material, and earning certifications instead of pushing hard toward testing. That program is producing Cyber Analyst 1 and 2's right out of high school."
3. Combat industry burnout
Technology and security are high-pressure spaces. In tandem with talent acquisition, talent retention must be considered. Boyer said that BitSight counters burnout by having leaders show that it's okay to take vacation by taking their own. They also built in "my days," which are company-wide mental health disconnection opportunities.
The other panelists and moderators are also passionate about their team taking time.
Most of these security takeaways are actually about people and how they interact with data. The most important thing we learned from this event was how interconnected humans are with technology and what wonderful results they can provide, together.
When it comes to your marketing efforts, are you looking for support in your cybersecurity strategy? Imarc is happy to help! Let's set up a time to talk.