The 2016 ISSA International Conference concluded last week in Dallas. This year’s two-day conference, themed, “Survival Strategies in a Cyber World,” featured two keynotes, a variety of breakout sessions, and compelling panel discussions from a wide range of thought leaders in the cyber security space.
Delta Risk’s VP of Solutions, Chris Evans, and Stephanie Ewing-Ottmers, Senior Associate, presented on the topic of, “Improving Incident Response Plans with Advanced Exercises.” Along with highlighting the benefits they’ve observed from conducting cyber exercises with commercial and government clients, their session also discussed best practices for creating an organic exercise program through capacity building.
In addition to delivering their own presentation, Stephanie and Chris also attended multiple sessions. Here are their collective impressions.
People More Important than Technology in Cyber Security Strategies
Just as was the case with CyberMaryland 2016, the importance of people in cyber security defense strategies took center stage at ISSA 2016. History has shown that technology alone can’t stop attackers.
Several presentations identified people as a crucial solution for cyber security resiliency, but people-centric solutions are few and far in between. Our own talk at the conference showed that when applied as drills (such as training key skills or processes), cyber exercises can help address this issue.
And speaking of people, don’t neglect planning ahead for what you’ll do when you face a crisis. Conducting exercises can help multiple teams across your organization agree on a common language and taxonomy so you’re better prepared for a live incident. For example, you may or may not want to use a term such as “breach,” as it’s a legal term with specific ramifications.
Stephanie Ewing-Ottmers speaking about “Improving Incident Response Plans with Advanced Exercises.”
CISOs Must Focus on Hiring and Retaining Talented Cyber Security Professionals
You can’t have a successful security program if you can’t attract and retain good people. However, given the current shortage of security experts, keeping good people in this fluid cyber security job market isn’t easy. Several security program management presentations and a few risk management talks identified hiring and retaining top-tier talent as one of the biggest challenges CISOs need to overcome. These business leaders can’t shoot from the hip when it comes to solving this issue. They need to devise a game plan to retain their key staff, and a plan for how to address skills shortages and personnel gaps through strategic use of third-party vendors and managed security service providers.
Many presenters pointed to open communication as the best way to retain core talent. Maintaining an ongoing dialogue about goals and objectives, promotion opportunities, salary, and overall organizational direction can go a long way in keeping employees engaged and motivated. Transparency is also important to address the common vacuum in the security and IT industry that leads to security professionals seeking their own answers.
Cloud Compliance and Security Can’t be Separated from Overall Cloud Management
Quite a few presentations led off with the notion that “the cloud is here” or “the cloud is now,” but that line of thinking is outdated. The cloud has been here for years. However, security and compliance in cloud environments have been largely taken for granted as a responsibility that cloud vendors take care of as another box on their checklist.
Now that we’ve had the chance to peel back the layers of the onion, things like responsibility matrices make it clear that cloud vendors draw the line at security and compliance. You can no longer assume that you can outsource your infrastructure management needs to the cloud and be saved from hackers, criminals, and overall cyber security due diligence. All the same, critical security constructs like access control, encryption, least privilege, and auditing that we enforce in the physical world also apply in the cloud world.
ISSA 2016 presented a unique opportunity for cyber security professionals to share their perspectives for achieving effective cyber security practices and educational opportunities. It’s essential for cyber security professionals, influencers, and leaders to collaborate on methods for further growth in the cyber industry, and we enjoyed contributing to the conference as a presenter and participant.