NTSC National CISO Policy Conference Recap: The Panels

In our last post, we summarized the discussion highlights from our stellar keynote speakers at the inaugural NTSC National CISO Policy Conference. In this post, you’ll see how our panel discussions brought out an incredible amount of dialogue amongst CISOs about some critically important topics—and we’re sure that many of these discussions are continuing!

Panel Discussion 1: “U.S. Cyberthreat Sharing Program”

  • Jason Witty, CISO, Financial Services at US Bank
  • Dean Hall, Chief Risk Officer at Cybraics
  • Scott Algeier, Executive Director of the IT-ISAC
  • Moderator Milton Mueller, Professor at the School of Public Policy, Georgia Institute of Technology

A robust discussion addressed current forms of information sharing along with what CISOs need and want. The success of financial services ISACs since the late 1990s, including programs today such as the US Treasury analyzing and sharing DHS information, can serve as models for other industries. Panelists mentioned that the DHS has gotten much better with information sharing over the last five years. Until recently, information sharing was reactive, focused on indicators rather than actors. The Sony data breach was incredibly eye-opening, pointing out the failure of the US government to share information that may have helped prevent such a significant attack.

In today’s information sharing climate, an absence of federal clarification about information sharing leads states, industries, and ISACs to create their own silos. The NTSC has an important role to play in addressing this problem at a national level. The common complaint from many CISOs is that the government finds vulnerabilities in products, doesn’t tell us, and then can’t keep them secret. So, what’s the role of government agencies when they find vulnerabilities?

Panelists wanted context around information shared by the government. If you’re handed 1 million IP addresses, why should a CISO care? What are they? What sector? Where did they come from? There were some calls for the DHS to be permanently funded and acquire more resources. Conflicts between federal and state government also lead to a lack of information sharing leadership from the public sector. And some attendees even pointed out that joining ISACs can lead to a flood of information that needs to be optimized and filtered.

Panel Discussion 2: “Education & Cybersecurity”

  • Helen Patton, CISO at Ohio State University
  • Richard Biever, CISO at Duke University
  • Joanna Grama, Director of Cybersecurity and IT GRC Programs, EDUCAUSE
  • Moderator Peter Swire, Professor at the Scheller School of Business, Georgia Institute of Technology

This panel ended up leading a wide-ranging discussion from unique CISO security challenges at universities to how we need to develop a cybersecurity workforce. Universities do a lot of things—from retail to healthcare to financial services—and so they are under many cybersecurity regulations. In addition, students present unique security challenges that most businesses never face. Campuses are open, students can’t be “fired” (at least, without getting expelled from their degree program) for a security violation, and CISOs must prepare for a student population that will test their security policies and procedures to the limit. Technology norms familiar to business CISOs don’t apply.

For faculty and researchers, information security at universities also poses unique problems. Researchers own their data and they can often decide how and what to do with it. However, university research is tempting for serious hackers (such as nation state hackers) who want to steal valuable intellectual property. One panelist said that CISOs working with university research institutions need to treat them like a high-risk vendor, as these institutions often don’t take security seriously. Talking about data integrity is one route to convince researchers about the importance of cybersecurity. After all, they don’t want their data modified. However, many regulations unfortunately don’t focus on data integrity.

Panelists also spoke about how colleges and universities prepare the cybersecurity workforce. They felt both that universities limited the curriculum too much and that businesses needed to support efforts more to add resources (such as funding a faculty chair). There are currently not enough faculty to teach information security (with only one teacher for 20 students, on average). Plus, it’s not all about technology—many soft skills are relevant to cybersecurity such as the arts, law, and policy. One panelist said MBA programs need to include cybersecurity.

The NTSC was encouraged to take a role in helping provide ideas about the future of cybersecurity education and university curriculums. What’s the CISO career path? And what’s the career path of a typical, valuable cybersecurity employee?

Panel Discussion 3: “GDPR – DPOs, PIAs & Data Mapping”

  • Peter Swire, Professor at the Scheller School of Business, Georgia Institute of Technology
  • Klaus Brisch, Partner of DWF Germany
  • Robert Ball, Chief Legal Counsel at Ionic Security
  • Moderator Vickie Miller, CISO at FICO

Our last panel discussion of the day proved the liveliest as we discussed GDPR and its implications for CISOs. The stark reality is that if companies have any customers or employees operating in the EU, then GDPR applies starting in May 2018—including the need to hire a DPO and start following the law. Penalties such as a maximum fine of 4% of annual global revenue make this law different from ones that may only impose small fines.

Because the US does not have an equivalent data protection standard, we are at a disadvantage compared to countries with more stringent laws. Our mentality is also different. The EU is very focused on protecting the rights of individuals and demands informed consent from them. On a more practical level, panelists and attendees discussed how CISOs will need to understand their data—what it is, where it’s stored, how it’s structured, how it’s classified, how it’s segregated, and so on—in order to adhere to GDPR. Data portability and the right to erasure are huge issues that may trip up companies.

On the positive side, instead of 26 European countries enforcing their own privacy laws, there is only one harmonized regulatory framework with GDPR. Panelists talked about the history of GDPR and related initiatives in both the EU and US that led up to it. In addition, panelists and attendees discussed the requirements and nuances around hiring DPOs who will ensure that companies are compliant with GDPR. DPOs need to be independent (in other words, a CISO cannot be a company’s DPO) and operate physically in the EU.

Beyond GDPR, the panel talked about broader issues such as Schrems’ recent challenge to standard contractual clauses and the implications of what will happen if an EU high court decides not to uphold these contracts because of concerns with US privacy (such as NSA surveillance). The implications of US companies having to completely segregate EU data from US data will be costly and nightmarish—causing potential massive disruptions in global data flows.

Interested in participating in next year’s conference, joining our Board, or becoming an NTSC underwriter? Reach out to Kimberly Steele at kimberly@ntsc.org.