In the cybersecurity industry, you will never be bored: there is an endless supply of buzzwords and headlines—the good, the bad and the ugly. High-profile data breaches have been exposed to the public one after another. Nations have escalated cybersecurity to their highest priority. New regulations and standards have been developed to keep pace.
ISACA’s 2014 North America Information Security and Risk Management (ISRM) conference, which will be transformed into CSX 2015 next year, provided a great platform for cybersecurity professionals to share and learn in this broader context. I appreciated the opportunity to attend the conference, and it was my privilege to interview several of the conference speakers.
Here are some thoughts as I look back at ISRM 2014.
The fear of cybersecurity
It was no surprise to me that quite a few speakers opened their presentations by illustrating the current threat landscape. There was more than enough evidence to justify why everyone should treat cybersecurity as a serious concern.
During his “2014 Top Security & Privacy Bloopers” presentation, Todd Fitzgerald skillfully summarized and analyzed data breaches from Target to the Sochi Olympics and from eBay to JP Morgan. The number of companies the US Federal Bureau of Investigation (FBI) notified of breaches in 2013 was alarming, and it reminded us that there is no place to hide in cyberspace. Regardless of the industry, size or type of your organization, cyberattacks can happen at any time. The picture becomes even more complex when your organization is leveraging new technology forces such as cloud, software-defined networking (SDN), big data or the Internet of Things (IoT). Another critical aspect, raised by Tim Mather, is the application programming interface (API), which will most likely be the next target for attackers.
Joseph Ingemi’s presentation gave us a new angle: considering cybersecurity from geographic and political points of view. Although Ingemi took his stance mainly from the perspective of Western countries, he proposed a valuable approach to evaluating the intentions of cyberattackers and the similarities among them. I was also impressed by his deep analysis of the correlation between cybersecurity and recent economic and political events and efforts such as the Trans-Pacific Partnership (TPP) and the Group of Twenty (G20).
We must accept that, at some level, a cyberattack is unavoidable. We are at war, said Curtis K. S. Levinson: cybercriminals are after financial gain, while cyberterrorists aim to generate fear. There is no cease-fire in cyberspace, so the big question is: who will win the battle? I think the following three themes, discussed throughout the conference, can help us fight against the adversaries.
New developments in regulations and standards
Based on recent developments, privacy has become the highest priority for nations across the world. According to Fitzgerald, the EU Parliament approved the amended EU Data Protection Legislative Framework Proposal (the “Draft Regulation”), which is intended to replace Directive 95/46/EC. The right to erasure, increased penalties, DPA approval of transfers to non-EU countries and data portability were the four major areas the EU wants to improve. Canada’s Anti-Spam Legislation (CASL) became effective on 1 July 2014; Deloitte called CASL one of the toughest laws of its kind in the world. Australia’s privacy amendment, with its 13 privacy principles, came into force. South Korea amended its Personal Information Protection Act. Brazil, Mexico and South Africa have also initiated privacy and security regulation efforts.
In terms of standards and best practices, ISO/IEC 27001:2013 and PCI DSS 3.0 became effective in January 2014. The new ISO standard focuses more on leadership and places greater emphasis on setting objectives, monitoring, performance and metrics. ISACA and the National Institute of Standards and Technology (NIST) have each initiated a cybersecurity program. NIST released its Cybersecurity Framework in February 2014, based on Executive Order 13636. ISACA launched the Cybersecurity Nexus (CSX), which offers thought leadership, certification, training and networking for all levels of the cybersecurity profession, as ISACA International President Robert E Stroud, CGEIT, CRISC, explained.
Practical security strategies
During his “Cybersecurity: Engaging with the Board” presentation, Adel Melek illustrated an actionable approach to transforming an organization’s cyberdefense so that it becomes more secure, vigilant and resilient. The 10 key considerations for the board and senior management proposed by Melek, and especially the 10 questions the board should ask to evaluate the organization’s overall security maturity level, were truly insightful.
One interesting topic around privacy is how to balance employees’ privacy against the organization’s need for security protection. The debate becomes harder still when the organization is an international company with employees throughout the world, each region carrying its own definition of privacy. According to presenter David Melnick, cyberthreats and liability drive investment in employee control. Despite increasing risks and strong policies, organizations fail to regulate employees’ personal web use. At the same time, regulatory trends are expanding employee privacy rights. Melnick proposed separating personal web use from professional web use, which strengthens security and reduces risk while also providing employee privacy.
Dr. Lance Hayden demonstrated how the Goal, Question, Metric (GQM) framework, which I think is one of the most practical approaches available so far, works well for strategic metrics.
Educated and experienced security professionals
According to Cisco, there is still a significant need for skilled professionals who can protect and defend enterprises worldwide. Obviously, experienced security professionals are key to success in the fight against cyberadversaries. The panel from the Cybersecurity Credentials Collaborative (C3), including CompTIA, GIAC, ISACA, (ISC)² and ISSA, discussed what organizations need from cybersecurity professionals and how to develop candidates to fill these roles effectively.
Also, Robin “Montana” Williams introduced the US National Initiative for Cybersecurity Education (NICE), which aims to raise national cybersecurity awareness, broaden the pool of cyberworkers through strong education programs and build a globally competitive cybersecurity workforce.
We are in an era of cybersecurity, and security is everyone’s responsibility. The only way to win the battle is to inspire the whole of society to work together and get things done effectively.
Alan Tang, CISA, CGEIT, CBCI, CIPP/IT, CISSP, ISO20K, ISO27K, PCIDSS, PMP, TOGAF
Director of Research – Security & Risk
Info-Tech Research Group