What We Learned at Gartner Information Security & Risk Management Summit 2018 in Maryland


The Gartner Information Security & Risk Management Summit at National Harbor, Maryland ran from June 3rd to 7th. Gartner’s event is a great opportunity for cybersecurity professionals to network with each other and attend panels on topics ranging from CISO responsibilities to cloud security, from intrusion detection to risk assessment, from endpoint protection to compliance. Fortunate attendees got to glean knowledge from industry stars like IBM Security’s Bob Kalka, Cisco’s Gil Zimmermann, Microsoft’s Michael McLoughlin, Herjavec Group’s Robert Herjavec, and Gartner’s own Augusto Barros, Earl Perkins, and Roberta Witty.

If you couldn’t attend this year, here’s your opportunity to enjoy what I believe to be the highlights of the event.

Talking to Business Executives is a Key Corporate Cybersecurity Skill

We know how enterprises can maintain and improve their security stance. But money makes the world go ‘round, and if you want good cybersecurity practices to be implemented, you have to convince the non-technical executives.

Security is often a hassle for the non-tech C-suite. You must treat them like customers to whom you have something to sell. When you sell security effectively, customers feel satisfied that you’re solving their problems.

Gartner’s Leigh McMullen said:

“Today, the battleground for the digital industrial revolution is the customer experience. It’s not about cost; it’s not about efficiency; it’s not even about product. It’s about experience.

We as security people want things to be controlled. We want them stable, but people’s expectations are being set by forces outside our control, which means we need to change how we engage if we want to be successful. We have to give up control to gain influence.

Security should not wreck the customer experience, but it often does. Customers, and that is everyone in your enterprise, want the effort they put in to match the value they expect to get. If you deliver the wrong experience, they’ll just tune you out.”

As much as possible, you should translate how you speak about technological realities and solutions into business-speak. Less cybersecurity jargon, more Fortune Magazine.

Gartner’s Paul Proctor said:

“When we talk about technology risk and security, primarily in technology terms, stakeholders treat us like wizards who cast spells and protect the organization. Making risk and security more transparent and business-aligned is an absolute requirement to get you out of the wizarding world.”

If you’re going to cast “wingardium leviosa,” just explain that it’s a levitation spell.

Executives often get blamed after a significant cyber-attack. You need to sell them defensibility.

Gartner’s Leigh McMullen said:

“We have treated security like a dark art for so long that when an organization gets hacked, people don’t understand. So, the primary question is, ‘Who screwed up?’ You can’t guarantee the organization won’t get hacked, so stop selling your executives protection, and start selling something they truly need, defensibility.”

The risk assessment process must include any applicable non-technical executives in order to be conducted properly.

Gartner’s Paul Proctor said:

“Offering executives decision-making in the context of operational outcomes makes these engagements more than interesting to them. It directly impacts the decisions they make. You are now helping them do their job.”

Your customers naturally fear risk. That fear has had a negative effect on security innovation, which is an absolute must as cyber threats evolve.

Proctor said:

“Organizations are slowing down because they fear this issue. If you can improve their comfort and understanding of risk and security, you can help your company move faster. That is truly a business value of security.”

Better Security Through Proper DevOps

Cloud researcher Mark Nunnikhoven discussed the importance of good DevOps. The phrase is often misapplied. Essentially, DevOps is all about striking an effective balance between development and operations. It’s that simple.

Properly implemented DevOps features increasingly efficient delivery pipelines, due to constant feedback loops. DevOps can create “a culture of collaboration that reduces risk by decreasing the size of changes to production environments,” featuring people, process, and products.

In order to reduce risk when implementing DevOps improvements, make many smaller changes rather than fewer larger ones. If you try to deploy a very large quantity of new code all at once, it becomes more challenging to isolate and fix new bugs and vulnerabilities.

Good cybersecurity starts at the development stage rather than as a late auditing step; treating security as an after-the-fact audit results in outdated, perimeter-focused approaches to security hardening.

If proper DevOps security means that the development process takes more time, then so be it. All stages of development must be designed with security in mind. The earlier a bug is found, the easier it is to fix.

“Soft skills” such as social ease and being able to communicate effectively are key to getting development and operations to work together successfully. Few security professionals can excel with “hard skills” alone.

The post What We Learned at Gartner Information Security & Risk Management Summit 2018 in Maryland appeared first on Comodo News and Internet Security Information.
