
Topics on Top of CISO's Minds June 2024

Peer Roundtable for Senior Security Leaders Executive Recap from 6/18/24

This is a summary of the Senior Security Leader cohort discussion during the Peer Roundtable on June 18, 2024. This executive summary captures the essence of the discussion, focusing on the major topics, challenges, and potential solutions discussed by the participants.

Eighteen cyber security leaders participated actively in the roundtable conversation about the following topics:

1. How to enable other teams to follow security practices systemically

2. Quantum-resistant cryptography and experience with it, and

3. Human behavior improvement: how to enable people with cyber skills


Topic 1: Systemic Security Practice Enablement

In organizations that do not yet have mature practices to systemically enforce a Secure Development Life-Cycle (SDLC) and/or DevSecOps, it is normal for teams to ask the security team for last-minute approvals before going live with business solutions. The question was how these companies can move to a more mature process. Our summary of the conversation is:

    1. Getting C-level support for the importance of cyber, due to business benefits and liability avoidance, is key. When this is in place, the tone from the top will help you to implement a systemic SDLC.

    2. Once that is in place, it is crucial to help people in a positive tone instead of pushing them away with a "punishment mindset and mandatory approaches". Practical approaches here might be:

    a. Build a process that is integrated with the development process

    b. Make the process transparent and easy to understand

    c. Be clear about the business risk

    d. Avoid Fear, Uncertainty and Doubt (FUD)

    e. Gamify and use positive leaderboards instead of halls of shame (a giant carrot was mentioned)

    3. When implementing the SDLC process, employ all the normal change management practices and remember that changing the culture takes real effort. A few PowerPoint decks and tone from the top are not enough.

Topic 2: Quantum-Resistant Cryptography

The conversation was relatively short, as the group did not yet have much real-life experience with the topic. Here's a brief summary:

• There are product companies that already ship quantum-resistant algorithms in their products, but they are not necessarily very vocal about it.

o NXP, a security-focused semiconductor company, was mentioned as one example: PostQuantum Cryptography | NXP Semiconductors

o SSH Communications was another example: Quantum Safe Cryptography (QSC) Security Solutions | SSH

• The worry Petri shared with the group was that old encryption algorithms are usually not decommissioned in time at enterprises. This relates to the fact that the Active Directory team usually cannot enforce the use of modern, attack-resistant algorithms across a vast field of applications, some of which are hard-coded to use age-old algorithms.

o As an example, Petri referred to the nation-state case study, where the attacker was able to recover a 25-character password in 81 seconds. This was due to the use of NTLMv1 and RC4. (NTLMv1 computes its challenge response with DES keys taken directly from the NT hash, so recovering the hash from a captured exchange does not get harder with a longer password.)

• The question to you is: how do you enable all of the applications in your company to use the latest encryption and hashing algorithms? If you want to discuss this with Petri, just book a time.
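A first step toward that question, finding out which accounts and hosts still authenticate with the legacy mechanisms, can be scripted against the Windows Security log. The following Python is an added example, not code from the roundtable or from any vendor mentioned above: it classifies 4624 (logon) and 4769 (Kerberos service ticket) event messages, flagging NTLM V1 logons and Kerberos tickets issued with RC4 or DES encryption types, and groups the hits into an inventory. The sample events, account names, host names and addresses are all constructed and hypothetical; the field names follow the standard Security log message layout.

```python
"""Added example: inventory legacy authentication crypto (NTLMv1, RC4/DES Kerberos)
from Windows Security event text. Events, accounts, hosts and addresses are constructed."""
import re
from collections import defaultdict

# Kerberos encryption types as logged in "Ticket Encryption Type" (events 4768/4769).
ETYPE_NAMES = {"0x1": "des-cbc-crc", "0x3": "des-cbc-md5", "0x11": "aes128-cts-hmac-sha1-96",
               "0x12": "aes256-cts-hmac-sha1-96", "0x17": "rc4-hmac", "0x18": "rc4-hmac-exp"}
WEAK_ETYPES = {"0x1", "0x3", "0x17", "0x18"}

# Constructed sample events in the standard Security log message layout (hypothetical values).
SAMPLE_EVENTS = [
    {"id": 4624, "message": """An account was successfully logged on.
Subject:
    Account Name: -
Logon Type: 3
New Logon:
    Account Name: svc_backup
    Account Domain: CORP
Network Information:
    Workstation Name: NAS-OLD01
    Source Network Address: 10.20.30.40
Detailed Authentication Information:
    Authentication Package: NTLM
    Package Name (NTLM only): NTLM V1"""},
    {"id": 4624, "message": """An account was successfully logged on.
Subject:
    Account Name: -
New Logon:
    Account Name: bob
    Account Domain: CORP
Network Information:
    Workstation Name: WS-1042
Detailed Authentication Information:
    Authentication Package: NTLM
    Package Name (NTLM only): NTLM V2"""},
    {"id": 4769, "message": """A Kerberos service ticket was requested.
Account Information:
    Account Name: alice@CORP.LOCAL
Service Information:
    Service Name: MSSQLSvc/legacydb.corp.local:1433
Network Information:
    Client Address: ::ffff:10.20.30.41
Additional Information:
    Ticket Encryption Type: 0x17"""},
    {"id": 4769, "message": """A Kerberos service ticket was requested.
Account Information:
    Account Name: alice@CORP.LOCAL
Service Information:
    Service Name: cifs/fs01.corp.local
Network Information:
    Client Address: ::ffff:10.20.30.41
Additional Information:
    Ticket Encryption Type: 0x12"""},
]


def _field(message, name, after=None):
    """Return the value of 'name:' in the message, optionally only after a marker.
    4624 lists 'Account Name' under both Subject and New Logon, so the marker matters."""
    haystack = message
    if after is not None:
        idx = message.find(after)
        if idx < 0:
            return None
        haystack = message[idx:]
    m = re.search(re.escape(name) + r":\s*(.+)", haystack)
    return m.group(1).strip() if m else None


def classify(event):
    """Return {'mechanism', 'account', 'source'} if the event shows a weak mechanism, else None."""
    msg = event["message"]
    if event["id"] == 4624:
        if _field(msg, "Package Name (NTLM only)") != "NTLM V1":
            return None  # NTLM V2 or Kerberos logon: not flagged here
        return {"mechanism": "NTLMv1",
                "account": _field(msg, "Account Name", after="New Logon:"),
                "source": _field(msg, "Workstation Name") or _field(msg, "Source Network Address")}
    if event["id"] in (4768, 4769):
        etype = _field(msg, "Ticket Encryption Type")
        if etype not in WEAK_ETYPES:
            return None  # AES ticket: fine
        return {"mechanism": "Kerberos " + ETYPE_NAMES.get(etype, etype),
                "account": _field(msg, "Account Name"),
                "source": _field(msg, "Client Address")}
    return None


def inventory(events):
    """Group weak-mechanism usage: mechanism -> sorted unique (account, source) pairs."""
    found = defaultdict(set)
    for ev in events:
        hit = classify(ev)
        if hit:
            found[hit["mechanism"]].add((hit["account"], hit["source"]))
    return {mech: sorted(pairs) for mech, pairs in found.items()}


if __name__ == "__main__":
    for mech, users in inventory(SAMPLE_EVENTS).items():
        print(mech)
        for account, source in users:
            print(f"  {account} from {source}")
```

In practice the messages would come from an event export or a SIEM query rather than the inline list; the resulting inventory is the list of applications to migrate before the old algorithms are disabled, since switching them off blindly breaks exactly the hard-coded clients the discussion mentions.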

Topic 3: How to make employees your allies

• As with the first topic, the positive approach was considered king, and tricking people into falling for phishing simulations was considered a trust-destroying approach.

• Using a common enemy, be it AI, an imaginary villain dog or anything else, makes the stories more memorable and encourages people to talk about cyber in the coffee corners.

• Giving positive feedback to people who behave correctly triggers a dopamine response, which leads to behavior change. This obviously requires a lot of repetition, which must be done in a way that keeps people engaged. The feedback should also be instant to create the conditioning effect (reference to Dr. BJ Fogg's books on behavior change).

• AI can be an asset in providing people with individualized simulations and learning, avoiding the corridor gossip about the latest simulation.

• As a reference: Qualcomm recently won a CSO50 award for transforming their worst performers into their best performers.

Cyberthreat Case Study Deep Dive


Learn as Petri Kuivala walks you through a real-life cyberattack case involving a nation-state actor referred to as Panda, which was related to a larger M&A case between two large companies. See the multi-year hacking timeline and a high-level overview of how it happened and the mistakes that could have been avoided.


Learn:

  • How to be prepared when the “s” hits the fan

  • How to be the successful CISO at the time of the storm

  • The most important things to do to prevent a cyberattack in the first place


    Next Cohort

    Wednesday, July 17, 2024, at 1:00 PM Eastern

    Attend July 2024 Peer Cohort

    Meet with Petri

    Ask Petri Kuivala about the Cyberthreat Case Study or any of the resources available. He's also open to discuss your current challenges beyond what's provided. Click the button to go to Petri's calendar.  


    Resources

      • Security Value Creation Pyramid: A framework for layering security initiatives in corporate settings, inspired by Maslow's hierarchy of needs. Provides a structured approach to prioritizing foundational safety measures and advanced value-creation strategies.

      • Should the CISO Report to the CIO: What is essential regardless of the reporting structure.

      • Enterprise Cybersecurity in Digital Business, by Ariel Evans: Guides CEOs, CISOs, and compliance managers on setting goals and addressing cybersecurity gaps within organizations.

      • Evidence-Based Cybersecurity, by Pierre-Luc Pomerleau and David Maimon: Introduces an evidence-based approach to enhancing cybersecurity operations, relevant for security professionals and policymakers.


    Copyright © 2020- Peer Roundtables. All Rights Reserved