I'm still reeling from the high of the annual Security Congress put on by (ISC)² a couple of weeks ago. As I calm down, I'd like to review highlights from a few of the speakers. Join me as we go through a few cybersecurity leader bios; they have some good lessons.

Since this conference was co-located with ASIS International, you'll see some physical security tips here too. Okay, well, most of these are physical security tips.

This can still relate to cyber!

Update: added one more!

Robert Grant, VP Global Security for Walt Disney

  • Robert is a former special agent for the FBI. His example comes from the FBI, which after 9-11 changed its focus to preventing attacks rather than solving crimes after they happened.
  • Become a proactive security organization.
  • Emphasize prevention, not response.
  • It’s tough to sell security in a business environment.
  • Disney tries to follow a security-made-fun practice.
  • They send out a monthly tip e-mail and videos, designed with the touch of a creative team.
  • They offer security advice in a humorous vein. Some topics are off limits for jokes, such as active shooters.

Michael Howard, CSO at Microsoft

  • Align security with all business objectives of the company.
  • Develop strategic partnerships as a department with many other departments (IT, HR, Finance, and Legal).
  • “It took a lot of doing. When I first got there, my team knocked on a lot of doors. We wore out a lot of shoe leather.”
  • “Focus on building a security team which has leadership skills, strategic capabilities, tactical abilities, and subject matter expertise. Not all staffers have all 4 of these skill sets, but as a whole, each skill component is well represented.”
  • More and more companies are looking for security leaders and staffers to have business experience and training.
  • “They want people to run security like a business.”
  • In 15 to 20 years it will probably be seen as normal for companies to hire security staffers who have business backgrounds but training in security.
  • What is your security identity, or the brand of the security company?
  • Communicate the idea that the departments know where the company is going and are aligned with its business objectives. This can be done through a brand.
  • Be willing to admit mistakes and learn from experience.
  • It's not easy. It's important to be realistic.
  • Push beyond the difficult assessment process. Commit the time and resources needed for improvement.
  • This is so true – “Usually the people who say ‘you can do more with less’ are not the ones that actually have to do the job.”

Robert Oatman of R.L. Oatman & Associates

  • Get to the How of executive protection.
  • Ask general questions first so you get general concerns expressed to you.
  • Avoid yes and no questions.
  • Allow for elaboration and digression so that information can flow where it might not otherwise do so.
  • Each security component should also be broken down and analyzed.
  • Threats to transportation security can include:
    • potential motor vehicle accidents
    • road rage incidents
    • planned vehicle attacks
    • getting lost
    • being late to appointments
    • reckless driving
  • Speed should be kept reasonable.
  • Routes should always be well researched.
  • Common traffic choke points and potential safe havens should be identified in case the environment becomes unstable.
  • Interactions with a variety of contacts can include:
    • transportation providers
    • hotel security personnel
    • venue management representatives
  • Relationships with destination staff can be important.
  • An executive protection firm that works well with hotel staff can create a home field advantage due to familiarity and knowledge of the facility.
  • “Hotel security is a force multiplier.”
  • “Go practice this stuff.”
  • Conduct simulation exercises and learn. “Good decisions come from experience, and experience comes from bad decisions.”

Charles Foley of Watchful Software

  • The Evolving Cybersecurity Perimeter.
  • Cybercrime is a bigger margin of opportunity than illegal drugs.
  • The cost of cybercrime is growing, as the average data breach now costs $3.5 million.
  • The most expensive problems faced by corporations are caused not by hackers trying to hack firewalls, but by someone who does unsafe things with data, even inadvertently.
  • A Market Connections and SolarWinds survey revealed that more than half of Federal IT leaders identified careless and untrained insiders as the greatest source of cyberthreats against their industry.
  • Effective training is important, but software controls that aid in compliance with data usage are also key.
  • Essentially, use data loss protection that fires based on rules or types of data.
  • “If you do this right and you line up your policies, procedures, and technologies, your electronics can do the job.”
