Last week, I joined over 1,000 Information Security professionals from all over the state of Colorado, including past colleagues, product and service vendors and many more. Over this two-day event, many engaging keynote and breakout sessions allowed me to gain new insights and reinforce industry knowledge of the current state of Information Security and the direction it is heading.
There were multiple tracks offered around Governance, Risk and Compliance, Industry Trends and Innovation, Infrastructure Security, Leadership Perspectives and more.
Although I have attended many conferences before within the Project Management space, this two-day event allowed me to walk away energized about the future of Information Security.
Day 1: Threats, Trends and Risk Mitigation
The first session I attended, The Enemy Within – Understanding Insider Threats, reinforced the notion that malicious actions and attacks do not just come from outside the organization. The speaker drew immediate attention to the recent wave of Ransomware attacks and how many organizations are not prepared to combat this threat; here the ‘insider threat’ can be employees who are not trained to properly identify what they should view and what social engineering attempts they should recognize. Identity and Access Management connected with this session topic very well: according to the Ponemon Institute, “62% of employees surveyed mentioned they have access to data they probably should not” and “only 29% of companies enforce a strict, ‘least privilege’ policy for accessing information”. Another type of Insider Threat is the individual who is explicitly there to do harm and steal information, whether through a brute force attack, by having access to data as a System Administrator where Role Based Access is not enforced, or as simply as printing out data and walking it out the door. Since this session, I continue to think about how we as leaders support our team members through mentoring, training and equipping them with the right tools to combat Insider Threats. In addition to implementing Information Security Governance and Risk Management programs, awareness and communication, and other Information Security engagement initiatives, empowering the people in our organization to defend and protect all critical business data will help minimize Insider Threat activity and mitigate the risks related to these actions.
Another insightful session I attended revolved around demonstrating the value and effectiveness of Information Security Management programs in your organization. As I have worked with many companies standing up new teams around new Information Security processes and technologies, I am always asked by executives how they can continue to demonstrate the value and return on investment of their programs. Beyond establishing these programs, communicating and marketing to the organization the return on the preventative and protective actions taken is a huge step toward showing this value. Establishing Critical Success Factors and employing Key Performance Indicators can provide the data behind these actions, enabling an agile and flexible program mindset where immediate changes can be made to reflect new results. Example data points include: False Positive rates and the actions taken to reduce this rate; Response Times around Event Occurrence, Notification, Terminal (Close or Escalate), Detection and Remediation; and Mean Time to Detect and Remediate. A takeaway from this session is that accountability for all team members, including third party vendors, service providers and all associated stakeholders, is a requirement to reinforce the demonstration of value. In addition, setting and reviewing program goals tied to established metrics is another necessity for validating the effectiveness of the Information Security Program.
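To make the metrics above concrete, here is an added example (not code from the conference, the speaker, or Lewis Fowler) that computes a False Positive rate, Mean Time to Detect, Mean Time to Notify and Mean Time to Remediate from a handful of constructed incident records, then checks them against program goals so that a breach of a target stands out in a program review. The incident IDs, timestamps, dispositions and goal thresholds are all invented for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean
from typing import Dict, List, Optional


@dataclass
class Incident:
    incident_id: str
    occurred: datetime            # when the event actually happened (established by investigation)
    detected: datetime            # when monitoring raised the alert
    notified: datetime            # when the responder was paged
    terminal: Optional[datetime]  # when it reached Close or Escalate; None while still open
    disposition: str              # "true_positive", "false_positive" or "escalated"


def _ts(text: str) -> datetime:
    return datetime.fromisoformat(text)


# Constructed sample incidents (hypothetical IDs and timestamps, not real data).
# For false positives the "occurred" time is set equal to detection, since nothing happened.
SAMPLE_INCIDENTS: List[Incident] = [
    Incident("INC-001", _ts("2017-05-01T08:00"), _ts("2017-05-01T10:00"), _ts("2017-05-01T10:15"), _ts("2017-05-01T14:00"), "true_positive"),
    Incident("INC-002", _ts("2017-05-02T09:00"), _ts("2017-05-02T15:00"), _ts("2017-05-02T15:30"), _ts("2017-05-03T15:00"), "true_positive"),
    Incident("INC-003", _ts("2017-05-03T01:00"), _ts("2017-05-03T01:00"), _ts("2017-05-03T01:05"), _ts("2017-05-03T01:45"), "false_positive"),
    Incident("INC-004", _ts("2017-05-03T02:00"), _ts("2017-05-03T02:00"), _ts("2017-05-03T02:20"), _ts("2017-05-03T03:00"), "false_positive"),
    Incident("INC-005", _ts("2017-05-04T00:00"), _ts("2017-05-04T04:00"), _ts("2017-05-04T04:10"), None, "escalated"),
]

# Hypothetical program goals, in the same units the metrics are reported in.
PROGRAM_GOALS: Dict[str, float] = {
    "false_positive_rate": 0.25,  # at most a quarter of resolved alerts should be noise
    "mttd_hours": 8.0,            # detect real events within a shift
    "mttr_hours": 12.0,           # close real events within half a day of detection
}


def _hours(delta: timedelta) -> float:
    return delta.total_seconds() / 3600.0


def _minutes(delta: timedelta) -> float:
    return delta.total_seconds() / 60.0


def program_metrics(incidents: List[Incident]) -> Dict[str, float]:
    """Compute the KPIs discussed in the session from a list of incident records."""
    resolved = [i for i in incidents if i.terminal is not None]
    real = [i for i in incidents if i.disposition != "false_positive"]
    real_closed = [i for i in real if i.terminal is not None]

    # False positive rate is measured over alerts that reached a terminal state,
    # because an open alert has not been dispositioned yet.
    fp_count = sum(1 for i in resolved if i.disposition == "false_positive")

    return {
        "false_positive_rate": fp_count / len(resolved) if resolved else 0.0,
        # MTTD: occurrence to detection, only meaningful for events that really happened.
        "mttd_hours": mean(_hours(i.detected - i.occurred) for i in real) if real else 0.0,
        # Notification latency applies to every alert, noise included, since the pager fired either way.
        "mean_time_to_notify_minutes": mean(_minutes(i.notified - i.detected) for i in incidents) if incidents else 0.0,
        # MTTR: detection to terminal state for real events that have been closed or escalated.
        "mttr_hours": mean(_hours(i.terminal - i.detected) for i in real_closed) if real_closed else 0.0,
        "open_incidents": float(sum(1 for i in incidents if i.terminal is None)),
    }


def goal_breaches(metrics: Dict[str, float], goals: Dict[str, float]) -> List[str]:
    """Return the names of metrics that exceed their goal, in goal order, for the program review."""
    return [name for name, limit in goals.items() if metrics.get(name, 0.0) > limit]


if __name__ == "__main__":
    m = program_metrics(SAMPLE_INCIDENTS)
    for name, value in m.items():
        print(f"{name:30s} {value:8.2f}")
    print("goals breached:", goal_breaches(m, PROGRAM_GOALS))
```

On the constructed data the program would report a 50% false positive rate and a 14-hour MTTR, both above their goals, while MTTD is within target; that is exactly the kind of result the session suggested feeding back into immediate program changes.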
Day 2: Leadership's Role in Cybersecurity
From the leadership perspective, I attended a panel of Chief Information Security Officers where they provided their opinions and thoughts around the industry, priorities and direction taken within their programs. Panelists included: Dale Drew, CSO at Level 3 Communications, John Everson, CISO at Dish Network, Sara Griffith, CISO at Euronet Worldwide, Nancy Phillips, CISO at Datavail and Robb Reck, CISO at Ping Identity.
Of the many priorities faced, several common areas were emphasized by leaders:
- Combating Denial-of-Service and Ransomware attacks
- The influx of Internet of Things/connected devices to organizational networks
- How the Information Security environment is constantly being changed by these new, innovative technologies.
During this session, the panel spoke about receiving increased attention and funding from their Boards of Directors around Cybersecurity, enabling increased program effectiveness. This increase in capability has allowed these leaders to build a more impactful Information Security program, not just supporting their internal team members, but also earning increased confidence from their partner and customer base.
All attendees received some perspective around Information Security from the Governor of Colorado, John Hickenlooper. He addressed the increased need for Information Security professionals to continue to engage in combating threats and encouraged supporting local governments in their efforts around rapid response. Governor Hickenlooper also stressed the need for continuous education and awareness around Information Security, not just for those in the workforce, but for students whether in college or grade school. Increasing Colorado’s Information Security footprint also means expanding career opportunities in this industry, and the Governor applauded the many companies that have established themselves around the state. Finally, he connected his insights to a meeting he had with former President Barack Obama, in which he asked him what kept him up at night while serving as President. His response was Cyber-attacks and how the threat will always continue to be a risk to the United States, stressing the importance of proactive action and resiliency around Cybersecurity.
There were many more sessions that I attended over the span of two days, and I felt encouraged by the amount of focus and dedication given to this industry by a variety of Information Security professionals around this region. At Lewis Fowler, we have developed and structured our Governance, Risk and Compliance practice to enable Information Security leaders to baseline and improve how they manage and run their programs. We have utilized multiple assessment tools to review the current-state perspective of organizational leadership around security, recognizing gaps and vulnerabilities and driving a future-state program to close these gaps and strengthen security posture enterprise-wide. I look forward to attending next year’s Rocky Mountain Information Security Conference and continuing this journey with my past, current and future colleagues.