As seen in Tektonika...
"The biggest threat is that there is no biggest threat," concluded a panelist at 2018's SecureWorld conference in Charlotte, North Carolina. The declaration came after listening to five other panelists who responded to the question, "What is the greatest threat of 2018?" and hearing five widely divergent answers. It's hard to feel hopeful about security after top IT professionals in charge of cyberdefense and incident response express their doubts right in front of you.
The type and variety of threats infosec teams face are truly staggering, and security and risk professionals are feeling the pressures of uncertainty. Pessimism and doubt were unifying themes linking the day's discussions, and even the morning keynote speaker, Thornton May—whose session was one of the most optimistic of the conference—noted, "The state of security is dark." But just know this: You're not in the fight alone.
There's no single set of problems, so there's no single set of answers. To the buttoned-up, conservative risk professionals, that's a hard truth to accept. Yet, even with all the variability and uncertainty in the IT world, infosec teams are neither helpless nor hopeless. With every serious issue they confront, most realize that hope and help exist in meetings just like the one at SecureWorld. In such sessions, you have the opportunity to gather with like-minded peers, discuss strategies for mitigating the unknowns of the future, and find common themes on diverse subjects, including phishing, hacking, security plans, and cyber risk.
Throughout all these sessions, one prominent connecting idea arose: A focus on fundamentals offers the most reasonable and helpful cyberdefense for any organization. Even as cybercrime becomes more complex, cybersecurity pros can win their struggle against risk by going back to basics.
One risk brought up frequently at the conference was the IT skills gap. Cybersecurity threats arise and morph at such a fast clip that businesses find it difficult to build response teams with the skills that match. An ESG and ISSA study on cybersecurity skills found that 70 percent of businesses believe the IT skills shortage has impacted their organization.
In this environment, it's important to look to the future and nurture the next generation of cybersecurity professionals. Cindy Green-Ortiz, a panelist at the conference, discussed the success of a program working with high school students and also mentioned the importance of encouraging women to enter the field. This is a salient point: As a woman attendee at SecureWorld Charlotte, the paucity of other women was noteworthy.
Mike Kiser of SailPoint also reminded attendees not to overlook current staff, saying if you put in the time to educate and train, the skills and aptitudes of existing employees can translate into new cybersecurity roles.
Some infosec professionals spend their time learning about tech improvements but dedicate little time to sharing their own knowledge. Make sure you're always keeping in mind the role end users play in protecting the organization at large. Outside of cyberdefense teams, most users don't think much about security. It's the job of the security team to keep the issue front and center at all times. Creating and enforcing smart policies is one part of this strategy, but another critical part is training employees on what to watch for.
At SecureWorld Charlotte, a phishing session led by Gretel Egan of Wombat Security, a firm that creates simulation tools aimed at changing end-user behavior, revealed the company's latest research, which found that 54 percent of infosec professionals quantified a reduction in their phishing susceptibility based on trainings they held. Based on the data, Egan recommends relying on multiple training tools—and using them often. A one-and-done session given to new employees won't cut it.
The first question asked at the opening panel centered on the greatest threats of 2018. To close the session, the moderator asked what everyone thought they'd be talking about at 2019 or 2020 conferences. Again, the panelists' answers varied: biometric hacking, data weaponization, more nation-state attacks, etc. This tied in well with an interesting point from another session: The future isn't knowable—but trends are.
If you're anywhere near the tech field, you hear about innovation often, and your mind goes to what dangers those innovations could bring next. If there's hot new tech coming onto the scene, chances are high that's where the next security threat will arise. Be mindful of the risks accompanying innovation, and listen to thought leaders and peers to learn how you can plan for the future of both cyberdefense and incident response strategies.
When discussing security threats for an entire day, pessimism may overtake you, but the sentiment Thornton May expressed in his keynote is like a light turning on in a dark room: Infosec and risk professionals will become the heroes of the digital age. The threats you're facing are real, but if you take seriously your role as the defensive line blocking those threats, you can protect your business against the unknown risks of the future.