The fourth annual ISSA International Conference, scheduled for October 9-10 at the Nashville Convention Center in Tenn., is designed to help security professionals navigate the complicated cyberthreat landscape. This year's event, themed "Harmony in Cybersecurity: Motivate, Innovate, Integrate," will feature the latest organization-wide cyberprotection strategies, new approaches to online security and best practices for integrating these safeguards into the business. The conference features more than 40 keynote, panel, breakout and discussion forum sessions, exploring challenges and opportunities in cybersecurity such as mobile device protection, risk management efforts and threat response strategies.
In this Q&A with ISSA International Director Stefano Zanero, Ph.D., and Eric Cowperthwaite, chief information security officer of Providence Health & Services, the two conference chairs discuss what attendees can expect from the 2013 ISSA International Conference, new trends in cybersecurity strategy and how companies can protect against cyberthreats.
As cybersecurity continues to be a major concern for businesses, what do you think attendees will take away from the 2013 ISSA International Conference?
Stefano Zanero: The theme of this year, inspired by our host city of Nashville, "The Music City," is that cybersecurity requires a concerted harmony of motivation, innovation and integration. Our members and guests will enjoy networking and motivation activities, will learn about the latest approaches to cybersecurity, and will listen to renowned business leaders sharing their experiences. We have tried to create a program from which the attendees can build a better path to success in cybersecurity, both for their organizations and their personal careers.
Eric Cowperthwaite: I think they are going to get a lot of great information about how to take security capabilities and methodologies that already exist and integrate them in their businesses the very next day. Instead of talking about things we need to do in the future, we are going to be talking about some things that are already there that can make your security program better.
What are some of the latest cyberdefense trends and strategies that will be covered at the conference?
Cowperthwaite: We're definitely going to hear a lot about how to secure consumer technology and the realities of mobility in the workplace. I think we're going to see an emerging trend around applying advanced analytics and big data-type technology to security. The hot technologies are really things like mobile device management and mobile application management -- we'll definitely see a lot of discussion on that at the conference.
Zanero: The keynotes of Baroness Neville-Jones and Prof. Eugene Spafford will be enlightening on the future trends and strategies in cybersecurity. I think one interesting presentation will be given by Robert Bigman, the former CISO of the CIA, entitled "Winning the Cyber War on a Budget" and dedicated to low- or zero-cost approaches to enhance security in most organizations. Doing more with less is so crucial in today's economy.
What are the primary sources of cyberthreats that the modern organization has to worry about and prepare for?
Zanero: The threat landscape is very complex and varies constantly, so it is difficult to give a comprehensive answer. Generally speaking, there is a rising worldwide awareness of threats posed by motivated, state-sponsored attackers that target both government and businesses. This has obviously changed the threat model of most organizations quite a lot.
Cowperthwaite: The reality today is the vast majority of employees have some way to be mobile, whether it's on laptops the company provides, or their smartphone, or logging in via VPN and computing from anywhere. That's a huge area of concern. Consumerization is a driving issue: You've got the adoption of Macs, laptops or tablets, or whatever the case may be. It creates happier employees, more productivity -- businesses are going down this road full steam ahead. We're trying to figure out how to deal with it; we're trying to figure out where our data is, what applications are accessing it, whether it's appropriately secured.
How can companies measure the effectiveness of cybersecurity efforts? Is it just a matter of, "We haven't been breached, so everything is OK," or are there actual metrics that can be used?
Zanero: Even if the proof, as they say, is in the pudding, and 'we haven't been breached' looks like a good measure of the effectiveness of a cybersecurity program, this is obviously not the case, for two good reasons.
The first is that even if a breach happens, this says nothing about how effective the controls were in thwarting other attacks before that. The second is that, often, 'we haven't been breached' translates to, 'we don't know we have been breached.'
One of the metrics is the traditional operational metric of output over resources input, which in cybersecurity translates to risk reduction per unit cost. This is an effectiveness metric which should be maximized, of course, but it doesn't actually tell how secure we are. Another approach is to use a proxy measure, where instead of measuring security or risk reduction directly, we map back to control frameworks such as ISO 27002 and measure the efficiency of those controls as a proxy to risk reduction.
Cowperthwaite: The 'we haven't been breached, so everything is OK' approach is a really bad one, because the guys that are trying to steal data or take down your network connection have proven time after time that they can pretty much break into any company they want, given a little bit of time and patience.
I think there are some pretty basic things you can look at so your peers and colleagues can understand -- like what percentage of our employees has been trained about spear phishing types of attacks? Have we meaningfully reduced the number of vulnerabilities on our computing systems over a given period of time? There are things like that we can do right now that are meaningful to tell ourselves and the rest of our business if we are doing good or bad when it comes to security.
What specific employees and departments need to be involved in planning and implementing cybersecurity strategy?
Zanero: The reality is, the whole enterprise needs to be involved in implementing the cybersecurity strategy. While planning should be led by the CISO, the top management -- starting from the CEO -- must commit and champion the initiative, and the whole organization must fall in line and execute. This is the subject of several sessions throughout the conference, such as "Inconceivable! Rebooting the Enterprise Security Program for Defensibility" by renowned speaker Rafal Los.
Cowperthwaite: Security is a really generic term for 'how do we protect our organization?' There are a lot of people that are stakeholders in that. Ultimately, if you are planning that strategy you should be reaching out to a really broad, multi-disciplinary group within your organization. You shouldn't just be talking to security and IT people.
For more information or to register for the ISSA International Conference, please visit http://www.issa.org/?page=issaconf_home.