Event Title: Information Security in the Information Age
Date: Thursday, May 3, 2018, 7:00 AM-9:00 AM
Location: Junior League of Houston (811 Briar Oaks Ln, Houston, TX 77027)
Panel Discussion: The Impact of Information Security on your Business
Panel (shown in image, left to right)
Brian Wagner – Managing Director, Security Practice, Genuent (Moderator)
Martin Littmann – Chief Technology & Information Security Officer, Kelsey-Seybold Clinic
Gabriel Montague – IT Security Manager Retail, Information Security and Compliance, NRG
Pierluigi Stella – Chief Technology Officer, Network Box
Chris Lanier – Director, IT Security, Stage Stores
I made my way out of the house earlier than usual—no time to fry eggs for my wife or make oatmeal for my son, customary most mornings. It was peaceful having very little traffic at 6:30 a.m. as I took the beautiful drive across the River Oaks area of Houston. I rode in silence, window down, never over 40 mph the whole way. Instead of finishing a podcast or listening to music, I decided to think.
I was heading to a panel that was squarely in my industry as an IT consultant, hosted by the Houston Business Journal. The event had a lot of potential. So, on my drive, I thought about what I might want to get from it and the knowledgeable panelists and networking opportunities sure to be available. I decided I would speak with as many people possible in advance of the event, and take copious notes as to what the panelists said, why they said it, and how it made me feel. I also decided that I would meet with each panelist afterward and share my thoughts.
The Houston Business Journal normally does a great job with these events, and this was no exception. It was fully staffed, well-staged, and professionally filmed. The event was hosted in the beautiful Junior League ballroom and there was ample room to take notes at each seat. The breakfast buffet was modest, but the coffee was hot (and I really wasn’t there for the food).
The event started promptly. We were greeted with a brief introduction from the Houston Business Journal Market President & Publisher Robert Charlet and a quick word from the event sponsor President & CEO Kip Wright. Within just a few minutes, the panel was underway.
Brian Wagner is the Managing Director of the Security Practice from headline sponsor Genuent. He maintained continuity through his prepared questions and jumped right in with his own commentary.
Early discussion touched on the types of data most targeted. Pierluigi Stella attempted to contrast banking with healthcare, suggesting that criminals don’t care if he had surgery, so why would they want his data? It was a great moment to notice Martin Littmann preparing his best response. I was surprised, since the value of health records on the dark web is significantly higher than that of other forms of personal information.
Littmann cited the fact that healthcare records can be used again and again for fraudulent activity. His example hit home when he asked the audience if they had ever filled a prescription for someone else. About half the room admitted they had, and that little to no identification had been required. This was a clear example of how information is used to defraud insurance companies.
Chris Lanier gave the retail perspective, saying that loyalty programs with store credit cards that have very little regulation were ripe targets for hackers to get personal information like social security and birthdates.
Gabriel Montague transitioned nicely to his own unique segment of retail, energy, informing us that, through customer credit checks, they have access to sensitive client data. He became more serious, quieting the room with the thought of nation-states hitting the grid after accessing load info and data, causing brownouts. After, he half-jokingly discussed the potential for a cyber-apocalypse while discussing what might create mass organizational agreement on how to regulate cybersecurity.
Chris Lanier then shifted the discussion to which security tools should be in place, saying, “Compliance does not equal security, [that’s] where retailers get in trouble. Being compliant is not enough.” The group agreed, when discussing security, that tools alone don’t breed protection because a company is made of humans—and a human is the greatest vector for attack.
Lanier revealed some statistics to suggest that his industry in particular is under-budgeted and understaffed, saying that overall IT spending in most organizations is 7.2% of budget, while in retail it is only 1.6%. IT headcount budget in the financial sector is 10% of the overall budget; in retail it’s 2.5%. Further, 12% of the IT budget in most organizations is spent on security; however, in retail, the industry most often in the headlines for cybersecurity, spending is 3 to 5%! Lanier concluded that the information security workforce is untrained, underpaid, and has negative unemployment. (I couldn’t help but recognize that this leaves a vacuum for consultants like us, NocserV!)
Littmann began by discussing the culture of information security. He suggested that security has to be a philosophy embedded across an organization and that, where IT has silos that compete for budget dollars, it should start with application development done with security in mind. It’s a combination of people, processes, and tools (and tools are the least important of the three).
As the discussion turned to how many man-hours in cybersecurity are reactive versus proactive, it quickly became a discussion about outsourcing some security functions to vendors. Naturally, this discussion was led by the one vendor on the panel, Pierluigi Stella of Network Box. “Delegating part of your security to a reliable vendor – call it TCO or ROI? [Cost] will scare the CFO; it will be a cost that will give you a return. Effectively the justification becomes: if you don’t get attacked, you are out of the papers — your neighbor [competitor] who was in the paper got gobbled up. So the [return] isn’t as strong with these solutions,” said Stella. He continued, “Your livelihood is on the line, but at the same time you can only invest so much,” cleverly adding that if you are trying to protect a $20k house, you don’t buy a $100k gate. And lastly, Stella assured them it is still their risk: “Even if you have a third party — the customer still blames you when there is an incident involving their data.”
One of the more interesting discussions was around measuring a security program’s success. Littmann suggested that the level of trust and support is paramount, and that metrics should represent both tangibles and intangibles, or everything we block to keep clients out of the headlines and maintain good reputations. Metrics can also be monetized regarding the cost of downed systems. The practical education of the workforce regarding cybersecurity and real results from phishing tests are also clear demonstrations of success (or failure).
The discussion shifted to communication with the board of directors. It was suggested to hire a board proxy company that can assign simple cybersecurity grades like A, B, or C. It was clear that this was an area that struck a chord with Lanier. According to him, boards don’t care about tech metrics, and the panel all nodded in agreement. He suggested that the security industry needs to tell better stories about security, like defense-in-depth layering technology. Even if we can’t provide numbers, what’s the story behind the security and who can develop it? He went on to say that every tool has an executive-level report on it, but as long as those reports remain metrics-based, execs won’t get it.
Littmann explained that, when communicating with the board as the leader of company information security, he has to be vulnerable and willing to expose the gaps existing within and around security programs. Then he explains how he will fill those gaps.
Another panelist suggested that the way to communicate security investments is to position them as another form of insurance. All businesses buy risk insurance, and outlay that as protection, including future revenue protection.
The last major point discussed was the fact that human error is the cause of most security issues. So, is the end user the enemy? Stella made a great analogy that resonated with the panel, and the Houston crowd especially: security needs to be part of the culture, like safety is in oil and gas. He referred to times in his career when he had visited refineries, where safety posters and signs were everywhere at the facilities.
Littmann offered that the end user is usually just someone trying to do their job. Security must be a priority; as security professionals, we need to reinforce the fact that everyone has a role in maintaining good cybersecurity. The panel seemed to agree that it was about communication: telling the stories about data breaches and explaining the need for tools like multifactor authentication and phishing email exercises.
Gabriel Montague emphasized that developing personal relationships with his end users can really make the difference. Most training is boring, and professionals should try to engage end users, for example, by playing cartoons people can relate to instead of providing tedious reading material.
Lanier joked that if a user fails a phishing test, he fires them on the spot. In reality, he has in-house security training and development modules. Interestingly, Chris commented on the frontline employees at the Stage Stores retail locations. They can be some of the most important defenders against cybercrime, however, high turnover, low motivation, and lack of adequate time in training mean they are often ineffective. So, Chris set up micro-training, or learning for 3 to 5 minutes every quarter, emphasizing fun, interesting, and engaging videos.
If the goal of the event was to further the discussion and provoke new ideas about information security, it was a success. At the event’s closing, I spent a few minutes with colleagues talking about the content and then found the opportunity to speak further with the panelists. I had a great discussion with Chris Lanier about a service I had been contemplating that would help security leaders illustrate risks to the boardroom through effective storytelling and marketing. He liked the idea and we agreed to stay in touch. I left the event with a renewed purpose, as one of the good guys in the fight against cybercrime. I definitely recommend these panels by the Houston Business Journal; they were top notch!