Now that the dust has settled after our inaugural NTSC National CISO Policy Conference, I think it’s a good time to reflect upon some of the substantial, important discussions that CISOs and other senior technology stakeholders shared with our distinguished keynote speakers. Think of these conversations as a snapshot, reflective of the kinds of discussion and high-level networking that take place all year long.
This post focuses on our keynote speakers. Make sure you also read our post that covers all the panel discussions.
General McLaughlin gave attendees invaluable insights about trends in national cybersecurity and created a better understanding of possible public-private sector strategies that would help protect our nation from cyberattacks. He reminded us that US Cyber Command is only eight years old. Critiquing it is rather like critiquing the Air Force before World War II. A lot of growth awaits this young military organization, although it’s progressed a lot over the past few years.
Currently, US Cyber Command’s top priorities are operational (protecting the Department of Defense’s information networks), offensive, and defensive (protecting non-military critical infrastructure). General McLaughlin did not mince words—the fear of an attack on our critical infrastructure is something that keeps him up at night and correlates with the fears of many cybersecurity experts.
Having spent a lot of time with policy authorities, General McLaughlin offered a few great insights pertinent to the NTSC:
General McLaughlin encouraged CISOs to become more involved with US Cyber Command as it continues to mature.
Rami Rahim affirmed that data is now our most valuable resource—but that value also opens us up to cybercrime. 80% of black hat hackers are affiliated with organized crime, and cybercrime will become a $2.1 trillion business by 2019. Security has evolved with the development of technology from static LANs to our modern cloud. In the old days, firewalls may have been enough. Over the next few years, we will rely more heavily on AI, big data, and automation for our security.
Rahim pointed out that while the mainstream media stokes fears about AI exhibiting human intelligence, the more practical areas of AI right now are narrow AI and machine learning. These AI applications could lead to machines that, for example, understand the nuances of a ransomware attack better than current software.
Big data can help predict the future, build wisdom, and yield competitive advantage by improving the security of new networks built around the world. Automation can also help secure networks, especially because so many breaches are the result of manual, human error: known vulnerabilities, lack of patching, and poor cyber hygiene. Automation can also segment security vulnerabilities around IoT (such as lighting or HVAC systems) and the cloud, while also making sure data gets disposed of when it is no longer needed.
Such security applications of AI, big data, and automation can also help with more serious issues such as protecting critical infrastructure.
Adam Isles tackled three key questions in his talk. What makes implementing security programs so hard? How do we make security a boardroom competency? And how can we help collaboration between CISOs and the US government? Issues include gaps in inherent risk understanding, operational burdens, and lack of stakeholder alignment around cybersecurity. Isles argued that we also need to think of security as part of a company’s revenue equation (and not just as a cost center).
After pointing out that two-thirds of board directors have limited to no cyber knowledge, Isles talked about how many companies are desensitized to cyber risks. To bridge the gap between the boardroom and cybersecurity, it helps to know that boards care about risk management, value creation, and metrics. If CISOs can speak that language, board members may have a better chance of understanding its importance.
A successful CISO and US government agenda would include elements such as more informed threat intelligence requirements identification, vulnerability disclosure, clarification around indications and warnings from the US government, and response-oriented lessons learned from law enforcement cases. Attendees started some interesting discussions with Isles around when a data breach is an act of war, how private industry seems to be unfairly paying the defensive costs of cyberspace, and how we might legislate the Dark Web.
Many of these keynote talks interwove nicely with our panel discussions, which you can read about in our follow-up post.