I'm still riding the high from the annual Security Congress put on by (ISC)² a couple of weeks ago. As I calm down, I'd like to review a few highlights from some of the speakers. Join me as we go through notes from a few cybersecurity leaders' talks; they hold some good lessons.
Since this conference was co-located with ASIS International, you'll see some physical security tips here too. Okay, well, most of these are physical security tips.
This can still relate to cyber!
Update: added one more!
Robert Grant, VP Global Security for Walt Disney
- Robert is a former special agent for the FBI. His example stems from the FBI's shift after 9/11 toward preventing attacks rather than solving crimes after they happened.
- Become a proactive security organization.
- Emphasize prevention, not response.
- It’s tough to sell security in a business environment.
- Disney tries to follow a security-made-fun practice.
- They send out a monthly tip e-mail and videos, designed with the touch of a creative team.
- They offer security advice in a humorous vein, but some topics, such as active shooters, are off limits for jokes.
Michael Howard, CSO at Microsoft
- Align security with all business objectives of the company.
- As a department, develop strategic partnerships with many other departments (IT, HR, Finance, and Legal).
- “It took a lot of doing. When I first got there, my team knocked on a lot of doors. We wore out a lot of shoe leather.”
- “Focus on building a security team which has leadership skills, strategic capabilities, tactical abilities, and subject matter expertise. Not all staffers have all 4 of these skill sets, but as a whole, each skill component is well represented.”
- More and more companies are looking for security leaders and staffers to have business experience and training.
- “They want people to run security like a business.”
- In 15 to 20 years it will probably be seen as normal for companies to hire security staffers who have business backgrounds as well as training in security.
- What is your security identity, or the brand of the security organization?
- Communicate that the security department knows where the company is going and is aligned with its business objectives. A brand is one way to carry that message.
- Be willing to admit mistakes and learn from experience.
- It's not easy. It's important to be realistic.
- Push beyond the difficult assessment process. Commit the time and resources needed for improvement.
- This is so true – “Usually the people who say ‘you can do more with less’ are not the ones that actually have to do the job.”
Robert Oatman of R.L. Oatman & Associates
- Get to the How of executive protection.
- Ask general questions first so you get general concerns expressed to you.
- Avoid yes and no questions.
- Allow for elaboration and digression so that information can flow where it might not otherwise do so.
- Each security component should also be broken down and analyzed.
- Threats to transportation security include:
  - potential motor vehicle accidents
  - road rage incidents
  - planned vehicle attacks
  - getting lost
  - being late to appointments
  - reckless driving
- Corresponding controls:
  - keep speed reasonable
  - research routes thoroughly in advance
  - identify common traffic choke points and potential safe havens in case the environment becomes unstable
- Interactions with a variety of contacts can include:
  - transportation providers
  - hotel security personnel
  - venue management representatives
- Relationships with destination staff can be important.
- An executive protection firm that works well with hotel staff gains a home-field advantage through familiarity with and knowledge of the facility.
- “Hotel security is a force multiplier.”
- “Go practice this stuff.”
- Conduct simulation exercises and learn. “Good decisions come from experience, and experience comes from bad decisions.”
Charles Foley of Watchful Software
- The Evolving Cybersecurity Perimeter.
- Cybercrime offers a bigger margin of opportunity than the illegal drug trade.
- The cost of cybercrime is growing, as the average data breach now costs $3.5 million.
- The most expensive problems faced by corporations are not caused by hackers attacking firewalls, but by someone who does unsafe things with data, even inadvertently.
- A Market Connections and SolarWinds survey found that more than half of federal IT leaders identified careless and untrained insiders as the greatest source of cyberthreats to their industry.
- Effective training is important, but software controls that help enforce compliance with data usage policies are also key.
- In practice, that means data loss prevention (DLP) controls that fire based on rules or on the type of data being handled.
- “If you do this right and you line up your policies, procedures, and technologies, your electronics can do the job.”
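To make the "rules or types of data" idea concrete, here is a small rule-based DLP policy engine. It is an added example written for this post, not code from Watchful Software or any vendor's product. It classifies an outbound message by a classification label the author applied and by content patterns (US SSNs and Luhn-valid payment card numbers), then applies an ordered policy that depends on whether the recipient is outside the organization. The domain `example.com`, the `X-Classification` header name, and the sample messages are all constructed for the illustration.

```python
"""Toy rule-based DLP policy engine (added example; assumptions are marked)."""
import re
from typing import Dict, List, Set, Tuple

# US SSN in dashed form, excluding obviously invalid area/group/serial values.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

# Candidate payment card numbers: 13-19 digits, optionally separated by
# spaces or hyphens.  Candidates are confirmed with the Luhn check below so
# that arbitrary digit runs (order numbers, timestamps) do not fire the rule.
PAN_CANDIDATE_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> List[str]:
    """Return normalised card numbers in text that pass the Luhn check."""
    found = []
    for m in PAN_CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def classify(headers: Dict[str, str], body: str) -> Set[str]:
    """Tag a message with the data types it carries (label and content based)."""
    findings: Set[str] = set()
    # Assumption: users label mail with an X-Classification header.
    label = headers.get("X-Classification", "").strip().lower()
    if label:
        findings.add("label:" + label)
    if SSN_RE.search(body):
        findings.add("ssn")
    if find_pans(body):
        findings.add("pan")
    return findings


# Ordered policy: first matching rule wins.  Each entry is
# (rule name, predicate(findings, recipient_is_external), action).
RULES = [
    ("pan-external", lambda f, ext: "pan" in f and ext, "block"),
    ("pan-internal", lambda f, ext: "pan" in f, "encrypt"),
    ("ssn-external", lambda f, ext: "ssn" in f and ext, "encrypt"),
    ("confidential-external", lambda f, ext: "label:confidential" in f and ext, "warn"),
]


def evaluate(headers: Dict[str, str], body: str, recipient: str,
             internal_domain: str = "example.com") -> Tuple[str, str, Set[str]]:
    """Decide what to do with one outbound message: (action, rule, findings)."""
    findings = classify(headers, body)
    external = recipient.rsplit("@", 1)[-1].lower() != internal_domain
    for name, predicate, action in RULES:
        if predicate(findings, external):
            return action, name, findings
    return "allow", "default", findings


# Constructed sample traffic, not captured data.
SAMPLES = [
    ({}, "Customer card 4111 1111 1111 1111 exp 12/20", "bob@partner.org"),
    ({}, "Customer card 4111 1111 1111 1111 exp 12/20", "alice@example.com"),
    ({}, "Order ref 1234 5678 9012 3456 shipped", "bob@partner.org"),
    ({"X-Classification": "Confidential"}, "Roadmap attached", "bob@partner.org"),
    ({"X-Classification": "Confidential"}, "Roadmap attached", "alice@example.com"),
    ({}, "Applicant SSN 123-45-6789", "bob@partner.org"),
]


def run_samples() -> List[Tuple[str, str]]:
    """Evaluate the samples and return (recipient, action) pairs."""
    return [(rcpt, evaluate(h, b, rcpt)[0]) for h, b, rcpt in SAMPLES]


if __name__ == "__main__":
    for recipient, action in run_samples():
        print(f"{recipient:20} -> {action}")
```

The Luhn step is what keeps the "type of data" rule honest: the third sample contains a sixteen-digit number that is not a valid card number, so it is allowed through rather than generating a false positive, while the same card number is blocked going to a partner and merely forced onto an encrypted path when it stays inside the organization.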