Connecting Silicon Valley, Wall Street, and the Beltway
LifeJourney CEO Rick Geritz opened the conference by introducing SINET founder & CEO Robert Rodriguez. Rodriguez called New York City exactly the right place for the summit. He noted increased cooperation internationally among allies, particularly among the Five Eyes, Germany, and Japan. Looking toward SINET's expansion to Australia later this year, Rodriguez briefly discussed the opportunity cybersecurity affords the Australian venture capital community. Globally, venture capitalists remain active, mergers and acquisitions are healthy (despite their current reversion to the mean), and the IPO market is also looking up. With these remarks on investment, he turned the proceedings over to the first speaker.
SINET Thinks Forward with Robert Silvers: DHS is building the world's clearinghouse for cyber threat indicators. Do you want to join?
Robert Silvers, Assistant Secretary for Cyber Policy, US Department of Homeland Security, spoke about the Department's Automated Indicator Sharing.
He argued that collection and sharing of attack indicators are vital. As hackers recycle their attacks, the same set of indicators reappears. If common, recurring attack indicators are shared among potential victims, it should be possible to shortstop the majority of incidents before they become serious problems.
But the way we've shared indicators, Silvers noted, has been "suboptimal." Threat indicators are not collected in one place, they're often sold in expensive packages, and above all, sharing is slow. A central clearinghouse would represent a significant improvement, as would fast, automated, machine-to-machine sharing. And of course any such clearinghouse would have to respect not only privacy, but also intellectual property.
The Department of Homeland Security, Silvers said, is building this system. It's called Automated Indicator Sharing (AIS), and it's up and operating. It's also free to join, and participation has exceeded expectations. Major companies and international partners and allies have joined AIS, and Silvers thinks the system is well on its way to becoming a standard in threat information sharing. He also noted that the Department of Homeland Security has succeeded in securing significant liability protection for its AIS-using partners.
Silvers concluded by recognizing that AIS "is no silver bullet." It flags reused attacks, for one thing, not novel or highly tailored attacks. But it "shrinks the battlefield" in important ways. He compared AIS to an international cyber 911, in which citizens report emergencies. Migrating that kind of citizen mindset to cyberspace would be important. He invited the attendees to consider participating in AIS.
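The mechanism Silvers describes, recycled attack indicators reappearing across victims, is what makes machine-to-machine sharing useful on the receiving end: once a feed arrives, the consumer still has to match it against local telemetry. The following is an added example, not code from the page or from DHS's AIS service; the indicator feed, the log lines, and the field names ("type", "value", "source") are all constructed here and are not AIS's actual schema. It indexes a small feed of IP, domain, and file-hash indicators and runs sample proxy and endpoint log lines against it, matching whole values (so 198.51.100.230 does not match an indicator for 198.51.100.23) and treating subdomains of an indicator domain as hits.

```python
"""Added example: matching a shared indicator feed against local log lines.

The feed, the log lines, and the record layout below are constructed for
illustration; they are not AIS's real format or real threat data.
"""
import ipaddress
import re
from collections import Counter

# Constructed indicator feed. Each record carries the indicator type, the
# value, and the campaign it was first reported under (an assumed field).
INDICATOR_FEED = [
    {"type": "ipv4-addr", "value": "198.51.100.23", "source": "campaign-A"},
    {"type": "domain", "value": "update-check.example", "source": "campaign-A"},
    {"type": "sha256",
     "value": "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08",
     "source": "campaign-B"},
]

# Constructed log lines in a simple key=value shape (proxy and endpoint events).
SAMPLE_LOGS = [
    "2016-06-17T09:12:03Z proxy src=10.0.0.5 dst=198.51.100.23 host=cdn.update-check.example",
    "2016-06-17T09:12:07Z edr host=ws-14 file=dl.exe "
    "sha256=9F86D081884C7D659A2FEAA0C55AD015A3BF4F1B2B0B822CD15D6C15B0F00A08",
    "2016-06-17T09:13:00Z proxy src=10.0.0.9 dst=198.51.100.230 host=intranet.corp",
    "2016-06-17T09:14:21Z proxy src=10.0.0.7 dst=203.0.113.8 host=notupdate-check.example",
]

KV_RE = re.compile(r"(\w+)=(\S+)")


def build_index(feed):
    """Group indicator values by type; validate IPs so bad feed data fails loudly."""
    idx = {"ipv4-addr": set(), "domain": set(), "sha256": set()}
    for ind in feed:
        if ind["type"] == "ipv4-addr":
            ipaddress.ip_address(ind["value"])  # raises ValueError on garbage
        idx[ind["type"]].add(ind["value"].lower())
    return idx


def match_line(line, idx):
    """Return (type, indicator_value) pairs observed in one log line."""
    hits = []
    for key, raw in KV_RE.findall(line):
        val = raw.lower()
        if key in ("src", "dst") and val in idx["ipv4-addr"]:
            hits.append(("ipv4-addr", val))      # exact match, never substring
        elif key == "host":
            for dom in idx["domain"]:
                if val == dom or val.endswith("." + dom):
                    hits.append(("domain", dom))  # subdomains of an indicator count
        elif key == "sha256" and val in idx["sha256"]:
            hits.append(("sha256", val))
    return hits


def match_logs(lines, feed):
    """Run every line against the feed and attach the campaign each hit came from."""
    idx = build_index(feed)
    sources = {(i["type"], i["value"].lower()): i["source"] for i in feed}
    results = []
    for line in lines:
        for kind, val in match_line(line, idx):
            results.append({"line": line, "type": kind, "value": val,
                            "source": sources[(kind, val)]})
    return results


def hits_by_campaign(results):
    """Count matches per campaign: which recycled attacks are showing up here."""
    return dict(Counter(r["source"] for r in results))


if __name__ == "__main__":
    found = match_logs(SAMPLE_LOGS, INDICATOR_FEED)
    for r in found:
        print(f"{r['source']:<11} {r['type']:<9} {r['value']}  <-  {r['line']}")
    print(hits_by_campaign(found))
```

The two negative cases in the sample (a longer IP that merely shares a prefix, and a hostname that merely contains the indicator domain) are the ones a naive substring grep gets wrong; keeping the feed as typed sets is also what makes the lookup cheap enough to run on every event as the feed grows.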
You can't stop what you can't see: mitigating third-party vendor risk.
Valerie Abend (Managing Director, Head of the U.S. Cybersecurity Practice at Promontory) moderated the panel, which included Mike Antico (CISO, BNP Paribas), Marianne Bailey (Deputy CIO for Cybersecurity, US Department of Defense), Edna Conway (CSO, Global Value Chain, Cisco), and Patrick Gorman (Strategy and Product Development, CyberGRX).
Gorman began by saying that he thinks people systematically underestimate the number of third parties that touch them. Customers as well as vendors are in this third-party ecosystem: consider, for example, the recent issues surrounding the SWIFT financial transfer system. The problems had their roots on the customer side, not in SWIFT itself.
Abend noted the importance of strategic planning and asked the panel to comment on lifecycle issues. Conway answered that, where we began thinking of third-party risks in terms of the supply chain, "we now think in terms of the value chain." A risk-based approach will better equip you to deal with the value chain's challenges. It's difficult, for example, to impose security on channel partners: contracts are necessary, but not sufficient. Conway noted that she's found it possible to cooperate on security in the value chain even with competitors.
Ongoing monitoring is vital, Abend noted, and added that planning is futile without such monitoring, and without appropriate escalation measures in place. Bailey offered that in her view the Defense Industrial Base's planning does a pretty good job of monitoring and escalation. The companies in the Defense Industrial Base have succeeded, she thinks, in partnering effectively with one another.
Conway mentioned that you should view security holistically, and not regard cyber as a standalone domain. "Devices are the entree to cyber risk," and this should be considered in the context of an enterprise's architecture.
Putting in a good word for "trust but verify," Antico observed that you can neither monitor all the third parties that expose you to risk nor hand over governance. Instead, risk management requires prioritizing what's important. He suggested that the ease of replacing a third party might serve as a good initial index of any third party's criticality. SWIFT would probably amount to that kind of effectively irreplaceable vendor for the financial sector.
As discussion turned to communication with boards of directors (or, in the case of Government agencies, their functional equivalent) the panelists thought providing a regular scorecard displaying business units' security state to the board had considerable value. These might take the form of risk ratings. A competitive spirit among units can help realize reduction of risk. Conway advised presenting something tangible, but not necessarily technical, and Bailey agreed that you needed to use language appropriate to the audience's background and understanding. Gorman summed up by saying that the board won't learn security's language, and so security must speak business language.
The last topic the panel took up was the growing complexity of regulation. Antico saw a positive contribution: regulation has helped secure and maintain the board's attention. But regulations vary, he added, and regulators often don't talk to one another. Integration would help, but he noted that it would be difficult to achieve. Gorman agreed that regulators evolve their own standards, and these standards aren't coordinated. Thus we tend to map standards at the expense of actually managing risk. Expressing general approval of public-private partnership, Conway noted that there's already a plethora of standards, and that "compliance is the antithesis of innovation." So how could innovation persist within the context of regulation and standards? Gorman offered a historical example: standards for electrical safety didn't kill innovation in the electrical industry. In fact they served as an effective spur to innovation.
Financial Sector: State of Public-Private Partnerships in Mitigating Cyber Risk.
Terry Roberts (INSA Cyber Council Co-Chair and President, Whitehawk) moderated this panel, which included Joan Dempsey (formerly Deputy Director of Central Intelligence and currently Executive Vice President, Booz Allen Hamilton), Neil Jenkins (National Protection and Programs Directorate, US Department of Homeland Security), James Katavolos (SVP Citigroup Cyber Intelligence Center and INSA Financial Threats Task Force Co-Chair), and Phil Venables (CIRO, Goldman Sachs).
Dempsey began with an overview, illustrated with the story of the Bangladesh Bank fraudulent transfer incident and other high-profile attacks, including those in which hacktivists have attacked various central banks. Spearphishing, she said, has grown in both efficacy and persuasiveness—the attackers now clearly have personal data and understand many institutions' internal practices. Banking Trojans in the wild are now showing the ability to bypass two-factor authentication. We need, she summed up, a more sophisticated understanding of the threats, and we need threat-based defenses.
Referring to the morning's presentation by Assistant Secretary Silvers, Jenkins reiterated that the Department of Homeland Security considers helping you protect your assets to be one of its goals. It's distributing information on threats and vulnerabilities, and it has the legislative authority to facilitate analyst-to-analyst sharing.
Katavolos described Citi's intelligence-led approach to security that prioritizes the threats. Sharing indicators, "wonderful" as that may be, isn't in his view sufficient, since "we're already swamped with indicators." Venables reviewed instances of quick intelligence sharing across the public and private sectors. He noted that the useful information that tends not to be shared involves the root causes of the incidents, since these inevitably involved revelation of sensitive vulnerabilities. Concerns about exposure to litigation remain a powerful disincentive to such free discussion of root causes.
To Roberts's questions about what governments and banks are seeing in the threat stream, and what the private sector needs from the government, Jenkins thought the two sectors were seeing similar, but not identical, threats. There's more evidence of state-directed espionage against government targets, more organized crime hitting banks. Some firms, Katavolos noted, see far more nation-state espionage, others see attacks on their customers. Financial services aren't a monolith. Not all are at the same maturity level, so we need some degree of customization from the government. Agencies should engage at the appropriate level of maturity.
The Government "obsesses," and rightly, about the threat from nation states, Venables noted, but the principal threat to the financial sector is global organized crime. And taking a national model of security and applying it internationally raises interesting unanswered questions. How, for example, should governments (that don't otherwise cooperate) cooperate against organized crime?
Dempsey thought there was a role to be played in information sharing by companies like Booz Allen Hamilton that occupy an intermediate place between the government and the financial sector. She also noted that the continuing growth of the Internet-of-things presents a risk that underlies all infrastructure. LizardStresser's recent use against networked security cameras is an example of the sort of IoT threat against which information sharing could prove useful.
It would be easy to overestimate the sophistication of the threats we actually see in the wild. Katavolos noted that the majority of the attacks we see remain simple and unsophisticated. The business email compromise tactic, for example, still works, as do other simple approaches. And a familiar set of vulnerabilities continue to be exploited. Katavolos concluded with a plea for better hygiene, and advanced baseline controls. Threat information can bring conviction to these basic, yet important, defensive measures.
Answering Roberts's final question to the panel—should organizations form multidisciplinary teams to take analysis to a higher level?—Jenkins advocated forming such teams: "People with different expertise, coming from different backgrounds, see different aspects of the challenge." Dempsey agreed that the fusion center approach is invaluable. Venables pointed out that the financial sector tends, intrinsically, to share threat information. Financial sector firms and regulators are "wired for sector defense." But the financial system is global, and its security is only as good as its weakest link.
Why Nine out of Ten Cybersecurity Companies Fail, and Why One Succeeds.
SINET's Robert Rodriguez chaired this panel, whose members included Sandeep Bhadra (Principal, Menlo Ventures), Greg Dracon (Partner, 406 Ventures), and John M. Jack (Board Partner, Andreessen Horowitz). Rodriguez began by asking the panel to compare today's market with its recent past, and to forecast its probable near future. Jack noted the periodicity of investments, and that cyber tends to follow valuation trends. Investors should look for entrepreneurs with ideas they can believe in: "Look for ideas that can become part of the fabric of the enterprise, not just a point solution."
Dracon thought cyber now a bit over-valued. The problems continue to outpace the solutions, but "venture tourists" have inflated valuation. Bhadra said that a lot of companies may be rushing for an exit where there's no room for an exit. Companies need self-awareness to determine whether they can get an easy exit, or must instead go public.
Are you, Rodriguez asked, seeing trends in successful companies? Bhadra thought that a clear vision builds successful companies. Dracon observed that cyber is such a mainstream problem that it now takes a diverse set of skills to address, not just technical ones. Jack pointed out that there are approximately twelve hundred venture-capital-backed cybersecurity companies in North America today. Companies fail, essentially, for three reasons: they don't execute, they don't have good differentiation, and they don't have market space. The space is currently over-funded.
Practitioners need to give some feedback to companies in what's a very crowded space, according to Bhadra. Companies don't get enough honest feedback from the market. They also can easily misconceive what counts as success. Success, Dracon said, is building a sustainable business. It's not measured in how much money you raise, or who's on your board. There's a crucial marketing talent needed to elevate yourself above the noise. Many tech companies can't do this. Both Dracon and Jack agreed that small companies can make big sales in cyber, which is why it's an attractive field to them.
Given the strong interest in cybersecurity, and the large number of startups in the field, why, Rodriguez asked, aren't we seeing true disruption in the market? Jack answered that "cyber's an incremental world." Bhadra disagreed—he argued that we're in a period of transition. Incremental change will persist through that transition's endstate. Dracon pointed out that we're dealing with sophisticated adversaries. Enterprises are "trying to achieve Defense-grade capabilities on a shoestring."
As the panel concluded, they discussed what made a successful pitch. Their consensus was that a good pitch to investors should be concise, and above all differentiated. Clarity is vital, said Bhadra. Successful entrepreneurs are absolutely clear about the problem. Jack (taking the last word) summarized by saying that "we invest in people; we want to know the people and how they got where they are."
Voice Privacy—Are You Listening?
The panel on voice privacy was moderated by Joyce Brocaglia (CEO and Founder of the Executive Women's Forum). The panelists were Lynn Terwoerds (Co-Founder of the Voice Privacy Alliance), Jim Routh (CISO, Aetna), Jenna McAuley (CISO, Mercer) and Galina Datskovsky (CEO, Vaporstream).
Brocaglia began by pointing out the continuing movement away from keyboards and towards voice. McAuley noted that voice has been in use for a long time (since the 1950s), and Datskovsky offered the opinion that, like it or not, we use voice recognition in our enterprises. She observed that voice and text are governed by different legal regimes. Text must generally be preserved longer than voice, and the two are differently discoverable in legal proceedings. Voice's context is difficult to pin down. It's more ambiguous than text.
To Brocaglia's question about how one finds voice records, Datskovsky replied that it's difficult, because the records are so voluminous. It tends to be custodian-based. You may search by metadata. Voice is a lot more enduring than you think, the panel agreed. Anything you say to Siri, for example, is saved for months. Voice will be—it already is—heavily regulated. The GDPR will be particularly interesting. Voice is ubiquitous, and it will greatly complicate endpoint security challenges. It's convenient, and it's inevitable.
Replacing Current Legacy Security Solutions with More Nimble and Innovative Products and Infrastructure.
Jay Leek (CISO, Blackstone) moderated a panel consisting of Roland Cloutier (CISO, ADP), Jim Routh (CISO, Aetna), and Stephen Ward (CISO, TIAA). They opened with a discussion of procurement. Routh's opinion was that procurement organizations were gifted at creating friction. Thus to move forward you need some parallel process. "Acquisition criteria are stacked against early stage companies." Those criteria value financials, length of time in business, etc. Instead of applying such criteria rigidly, Routh urged that buyers "look at the founders' talent and the company's soul." Talent attracts talent, and we often see early-stage companies pivot from solution to solution. This is healthy, and not a sign of lack of focus. Rather, it shows that they're making intelligent use of feedback. If you're a customer of an early-stage company, Routh said, you are, effectively, their market. You can set the price, and you can test competing approaches. Ward agreed: adopt a "fail-fast" attitude, don't punish, get tech in quickly, and get it out if it doesn't work.
Leek noted that he had more than four dozen vendors. When you're in that position, how does the large number of vendors change how you think about your team? When you can introduce fast new tech, integrated into your ecosystem, you can focus on outcomes, Cloutier said. "You don't have to have holistic engineers. You want people who can respond to issues." According to Routh, "We all share a lot of information, about what works and what does not. We spread the risk."
Leek asked the panelists to discuss what went wrong when something didn't work. "Sometimes I've not recognized early enough a company's ability to scale, and change," said Ward. "If they start missing items on the roadmap, they're not ready for us." Ward also warned that you can fall in love with a technology, and "sometimes it's tough to realize it's a bad marriage. The sooner you cut free, the better."
Routh observed that a technology that's been bought by a bigger company often becomes problematic. Cloutier said, "We've failed when we've pushed a good tech and good relationship where it can't work."
To Leek's question about the criteria for getting in the door, Routh said that "There must be forty or fifty vendors who come in and tell you the same thing. We want game changers, not incremental improvements." It costs a lot to integrate technology, and some vendors seem not to realize this. A lot of companies tell you who their investors are, Routh noted, and he dismissed this as not that interesting. Considering investors, Leek observed that it's not necessarily a bad sign if an early-stage investor drops out. It might be an indicator worth pulling threads on, but by itself it isn't necessarily bad.
What about build vs. buy? Cloutier said that in large environments, you're going to need institutional knowledge, and you're going to build, and you have to be able to integrate a technology into an ecosystem. The panel agreed that "we're all integrators."
Ward's closing thoughts were that technology is having a hard time solving the talent problem. "It's easy to train for cyber security." There's no talent problem. Instead, "there's a mentor/education/training problem." Cloutier advised trusting in the group. Sit down with other senior security executives. Leek closed with this advice: "I'm always looking for things I can deploy without increasing labor."
Staying on Top of Emerging Threats with Emerging Security Technologies.
Moderated by Aimee Rhodes (CEO, Security Current), the panel included Brian Lozada (CISO, Duff & Phelps), John Masserini (CISO, MIAX Options), and Mike Molinaro (CISO, BioReferenceLabs). Rhodes opened by asking what were the leading, emerging technologies the CISOs on the panel were seeing this year. Their quick list included threat intelligence, and behavioral analytics. Perimeter defenses are out; data tracking—fingerprinting, watermarking—is in. Companies with emerging technologies are attractive to CISOs because of their willingness to partner.
The panelists concurred that this was a relationship industry. CISOs look at fundamentals—how long have you been around, who backs you, etc.—but it remains a relationship industry. A recommendation or an introduction from another CISO goes a long way. Proofs-of-concept are important—they show the value of the tool—but, as one panelist put it, "the fastest way to get me uninterested is to tell me you're going to charge me for a POC."
A question from the audience asked what emerging threats the CISOs are seeing that they wish someone would address. Their answers centered on threat intelligence (especially actionable intelligence derived from dark web chatter). It would also be interesting to address the surprisingly detailed knowledge attackers have of financial industry targets' inner workings. And, of course, an answer to the insider threat would be of interest.
Rhodes asked whether security budgets were growing. "As long as you can relate a budget to a business value," Masserini said, "funding isn't that difficult." To get the budget, or to make the sale, Molinaro said you've got to know your audience, and speak business language. Lozada advised that technology that slows down the business "is a no-sale." Know your culture, and know your business case.
The panel closed with final advice on pitches: "Be brief, be brilliant, and be gone."
SINET Thinks Forward with Feris Rifai: Talking Value-at-Risk with Your Board of Directors.
Feris Rifai, CEO of Bay Dynamics, took up the topic of value-at-risk, and how to communicate it to your board.
You need, he said, to learn to think risk in order to talk value-at-risk to directors. Not all risks are equal. Vulnerability without threat is not a risk, and neither is threat without vulnerability. Begin by identifying the most valuable assets, and then apply the risk equation, and assign your security resources accordingly.
Are you looking at threat models in a structured way? Are you thinking of threats, vulnerabilities, and impacts separately, or are you looking at their points of intersection? Boards are becoming more involved, more interested, and more engaged. They're concerned about cyber, and they're holding the CISO's feet to the fire. Sarbanes-Oxley is in the process of repeating itself in our industry (that is, boards are increasingly held liable for cyber security issues). CISOs need to communicate, and they can't be exclusively technical.
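Rifai's point that risk lives only at the intersection of threat, vulnerability, and impact is easy to state and easy to get wrong in a spreadsheet. The following is an added worked example, not Rifai's or Bay Dynamics' method: it assumes a simple multiplicative model (annual threat likelihood times probability the attack succeeds times asset value) that the talk itself did not spell out, scores a constructed set of assets, ranks them, and splits a hypothetical budget in proportion to each asset's share of the total expected loss. The two edge cases Rifai names are included on purpose: a server with a live threat but no exploitable weakness, and a vulnerable archive nobody is actually targeting, both of which should score zero and receive nothing.

```python
"""Added example: value-at-risk scoring with the threat x vulnerability x impact model.

The assets, figures, and the multiplicative formula are assumptions made for
illustration; they are not from the talk or from any real organization.
"""

# Constructed asset inventory. Each threat entry is
# (threat name, annual likelihood of an attempt, probability the attempt succeeds).
ASSETS = [
    {"name": "payments-ledger", "value": 50_000_000,
     "threats": [("fraudulent-transfer", 0.30, 0.20), ("ransomware", 0.10, 0.05)]},
    {"name": "hr-portal", "value": 5_000_000,
     "threats": [("credential-phishing", 0.80, 0.40)]},
    # Live threat, no exploitable vulnerability: not a risk.
    {"name": "legacy-test-server", "value": 200_000,
     "threats": [("worm", 0.90, 0.0)]},
    # Exploitable vulnerability, no active threat: also not a risk.
    {"name": "archived-research", "value": 20_000_000,
     "threats": [("espionage", 0.0, 0.90)]},
]


def value_at_risk(asset):
    """Expected annual loss: asset value times the summed threat x vulnerability terms.

    A zero on either side of any product drops that threat out entirely, which is
    the 'vulnerability without threat is not a risk' rule in arithmetic form.
    """
    exposure = sum(likelihood * vulnerability
                   for _name, likelihood, vulnerability in asset["threats"])
    return asset["value"] * exposure


def rank_assets(assets):
    """Assets ordered by expected loss, highest first (stable for ties)."""
    return [a["name"] for a in sorted(assets, key=lambda a: -value_at_risk(a))]


def allocate_budget(assets, budget):
    """Split a security budget in proportion to each asset's share of total risk.

    Assets whose risk is zero get nothing, however valuable or vulnerable they
    are in isolation.
    """
    scores = {a["name"]: value_at_risk(a) for a in assets}
    total = sum(scores.values())
    if total == 0:
        return {name: 0.0 for name in scores}
    return {name: round(budget * score / total, 2) for name, score in scores.items()}


if __name__ == "__main__":
    for name in rank_assets(ASSETS):
        asset = next(a for a in ASSETS if a["name"] == name)
        print(f"{name:<22} expected loss {value_at_risk(asset):>14,.0f}")
    print(allocate_budget(ASSETS, 1_000_000))
```

In this constructed inventory the payments ledger carries about two-thirds of the total expected loss and the HR portal the rest, so a 1,000,000 budget splits roughly 670,000 to 330,000 between them; the two zero-risk assets stay on the list so the board can see why they rank where they do, which is the kind of tangible, non-technical picture the panels elsewhere on this page asked for.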
Rifai then offered several steps CISOs should follow in approaching the board:
- Paint a picture that tells a story.
- Focus on asset value.
- Present the top risks.
- Present trends.
- Explain actions' impact.
- Support your case with technical metrics.
- And, above all, use a consistent format.
CISOs, Rifai concluded, tend to have short tenures because they can't communicate their insights. CISOs need to get their house in order, work closely with their board, and be good at prioritizing. Rifai closed by advising CISOs to think, speak, and act like a risk professional. And risk professionals mitigate, accept, or transfer risk.
Communicating with the Board on Cybersecurity.
The final panel was on communicating with the board about cyber security. James Kaplan (Partner, McKinsey and Company) moderated a discussion among Charles Blauner (CISO, Citi), Gary Greenfield (Board of Directors, Diebold), Jay Leek (CISO, Blackstone), and Linda Levinson (Board Member, Hertz Corporation).
Levinson began by noting that board involvement has changed dramatically over the last five years. Cybersecurity is no longer an issue simply to be bucked to the audit committee. This has happened because of the increasing (and accurate) perception of the magnitude of cyber risk. A really serious cyber incident, according to Blauner, is one of the few things that could destroy a major bank.
Greenfield agreed that board members now get it. He believes we need to seed boards with tech-savvy people. Speaking as a board member, Levinson said, "I want to know that controls, that safeguards, are rigorous. I don't need to know them in tech detail."
Leek doesn't think technical savvy is really that important on the board. Threat profiles vary greatly from company to company, and CISOs need to educate the board on its specific risks.
Blauner thought that regulators, above all, want to see that the board is able to credibly challenge what it hears from the CISO. Thus CISOs must be able to understand their audience and speak its language.
To the final question about what would be the most important item for a board agenda, Leek thought it should be one that gets the board asking questions. Blauner thought it should be threats in the real world that could seriously damage the business.
SINET CEO Robert Rodriguez closed the event and thanked the participants. He summarized the key points made at the conference, and finished with a look forward to the next SINET conference in Sydney, Australia.