CISO Executive Summit 2016

With over 200 CISO / Security Leadership in attendance this past week, a great day of session / breakout forums, networking a few vendor product / services solutions…

 

Key-note theme began with Silver Olympic winner John K. Coyle presenting on Apply Design Thinking concept: consisting of Understand, Empathize, Ideate, and Prototype i.e. clearly understanding the problem and uniquely develop solution – brings you to focus on strength and merely working around weaknesses.

 

Other key takeaways:

- SaaS is the new development model – trending to reality

- SAP is the shadow IT with limited security visibility (gap in patching and flow/integration)

- Ransomware will happen (to anyone) so weigh price of recovery vs. paying ransom (and do tabletop exercise)

- Mobile End-Points increase threats particularly without multiple factor authentication / MDM strategy, so a little friction is not always bad

- Security controls should weigh in on IT Operational cost – it's a shift in duty / control

- Directed attacks cannot be stopped; so position for response/detection more than position for prevention

- Hunting or spot-audits is necessary though resource is a constraint

- Lead in 2 directions, being normal security controls as well as user experience / expectation 

- We cannot be the CI"no" (user-centric security)

 

 

And, for an industry cyber security survey roll-up of over 700 CISOs (over 50% from Finance, Retail, Healthcare), see attached; summary being:

- Top Threats: IP theft, 3^rd-Party risk and Reputational harm

- Top Priorities: Detect/Respond to adversarial threats, Build Security Awareness Organization, Communicate risk to stakeholders, Apply Risk Mgmt. to Security Strategy and Protect Cloud data/app/infrastructure

- 6% of overall IT spend is on Security

- 59% of CISO budgets expect to increase (modestly or significantly) on Vul mgmt., Incident Response and Awareness