14 Nov Basically…It’s About the Basics.
Security and Information Technology professionals gathered in Montenegro on Nov 7-9th for the third annual UNDP/FIRST Tech Colloquium. I was honored to be one of the presenters for the event and I was asked to share my experiences in building a Cybersecurity/Enterprise Risk Management program.
All of the presenters have similar backgrounds in security and presented topics ranging from IDS/IPS monitoring and threat intelligence to incident response. None of the presenters collaborated on their presentations, and yet as I listened, a common denominator was emerging from all of our presentations: take care of the basics first.
As I prepared for my presentation, I wanted to share a common theme I observed this past year as I attended various events where Auditors, CISOs, IT Specialists and Risk Management professionals gathered.
The theme I observed was an ever-increasing concern about vendor management and its lack of maturity. This observation led me to present the following statement at the UNDP/FIRST event: “You can’t have a strong cybersecurity program without a strong vendor management program.” I also shared my thoughts on emerging technology like AI and blockchain, and the pressure I felt to present the next latest greatest iterations of these emerging techs at this event that would solve all of our problems. I, like the others, stressed the importance of fundamental security controls like patch management, encryption and privileged account management before chasing the next “must have” tech the marketing people would have us believe. 2017 has seen an unprecedented number of breaches that might have been avoided if the security basics had been practiced.
A phrase that was presented by one of my colleagues that resonated with all of us was the “Beer to Beer Network”. Maybe it resonated so strongly because we were all looking forward to sharing a meal and drinks later and networking. The point was we all needed to share, collaborate and, whenever possible, help each other. Cybersecurity is a global challenge and not just a local issue in each of our respective organizations. We will not always know what action to take during an incident. Just look to Equifax’s actions, or lack thereof, for proof. But if we build our contacts, we’ll be better prepared to respond. This was core to the final theme: Incident Response.
Brian Nesgoda presenting at the third annual UNDP/FIRST Tech Colloquium in Montenegro.
Incident Response. Knowing what to do and who should do it.
The attendees of the event had the opportunity to participate in a two-day workshop on how to develop an incident response program. There was something for everyone to learn, regardless of whether you had a mature existing program or you were just starting. The core tenet that was stressed was to test and exercise the plan frequently. Incorporate your newly networked contacts into the plan.
Conclusions:
Solve the challenges of today by addressing the basics first and be cautiously optimistic about emerging technologies like AI and Blockchain. Our ability to respond timely to events will depend on our ability to collaborate with others. Building our sphere of resources by networking with others and exercising our response plans will help mitigate the next Black Swan event.
Actions to take now:
1. Address the Basics First: Patch Management, Encryption, Awareness Training and Vendor Management
2. Build your network and share information. The “Beer to Beer Network”.
3. Exercise your Incident Response plans