Sibos 2020: The cyber resource problem - is it totally unsolvable?

Hello and welcome to day two of Sibos Spotlight Sessions, a series of individual, passionate presentations with top speakers and experts creatively tackling topical industry issues, stimulating debate and facilitating a wonderful exchange of ideas. My name is Ushi Nuni; I'm a journalist, conference MC and host of the Siemens Advanta and Harman Audio Talks podcasts. It's great to be here again, and I hope you're enjoying your Sibos. Now, we're dealing today with the theme of cyber security, which is absolutely such a big deal, and one of the most memorable examples or illustrations of the importance of cyber security that I've heard actually came to me from a gentleman who was a cyber security expert at a conference a few years ago. He said the problem with companies and how they look at cyber security is that they think of the analogy of your car alarm: it's good to have an alarm on the car just in case somebody happens to be walking past and happens to decide to try and break into it, and the alarm goes off and it's all safe. It's very much an occasional episode. He said that is not the case in cyberspace at all. In cyberspace it is the equivalent of having an absolute nutter in the boot of your car 24/7, and he's got a chainsaw and he's trying to saw into your back seat, and he is absolutely relentless and he never gives up. This is the thing about cyber attacks: there is no respite from cyber attacks whatsoever, so it's so important to have the right staffing to deal with this 24/7/365 problem, particularly in banking and financial services.

Now we're going to look at the cyber resource problem today and ask the question, the bold question: is it totally unsolvable? Well, I hope I have an answer; I'm hoping for one, but let's wait and see what our expert speakers say. It is really the case that in cyber security one of the largest macro-level risks is not just those nutters in the boot of your car with the chainsaw, the criminal gangs; it's the fact that there's not enough qualified resources within most companies to deal with it. As you're going to find out, I suspect, during the course of our amazing guest speakers, you're going to hear that there's a massive shortage of skills in cyber security, and it's kind of incumbent on us to solve this problem and to involve the right partners and right methodologies to do so. We're going to ask the question for the long term: is this untenable, and how do we look for alternative answers? So education programs are built from grassroots, encouraging women in cyber, and internal cross-training or sharing resources across institutions. But are all these measures enough, or is this totally unsolvable? We're going to ask this question again and again, and we have some brilliant people to help us answer. It's a great pleasure to introduce to day two of Sibos, to our stage right now, the director of Amazon Web Services, a very brilliant individual who's going to, I suspect, educate a lot of us out there, myself very much included. Please welcome to Sibos Spotlight Jonathan Allen.

Hello. I've worked at Amazon for nearly four years, and before that I worked for a global retail bank for 17 years, with my final role there as a divisional CTO. As such, I've been pretty privileged to see both sides of the fence on this seemingly intractable problem. So what have I learned in that time? Firstly, we know that there are not enough skilled humans on the planet to currently fill the cyber talent gap, so we need to think about this challenge differently; we need, as we like to say in Amazon, to innovate out of a corner. Now, back in 1997 this was the first website for amazon.com. Jeff Bezos wrote the HTML himself, and this is his legendary door desk, emblematic of Amazon's leadership principle of frugality. Basically it was a wooden door held together with four-by-fours. Of course, in those early days Amazon was not a sure thing at all. In fact, in the early 2000s Amazon was struggling greatly with speed and time to market. Engineers and developers would spend months just building out the infrastructure and the security before they even started to be able to code the product itself. After diving deep on this problem, Jeff and the other leaders decided on a radical way forward: all teams would be split into two-pizza teams with autonomy and accountability, and they would both publish and leverage each other's teams' APIs to communicate. This allowed them to finally spend their time innovating, not solving the same infrastructure and security challenges over and over. Nearly 20 years later, Amazon now has a million employees, all still organized into highly autonomous two-pizza teams. Now, how do you ensure at this scale that folks focus on the right things? Well, you use principles. In fact, so far in this talk we have mentioned frugality and dive deep, which are just two of the 14 principles that bind Amazonians together. In addition to these principles, teams are strongly encouraged to establish their own tenets applicable to their function, and we use these relentlessly; they are at the heart of our decision-making process and our culture. Here is a tweeted tenets quote from Colm MacCárthaigh, one of our many senior principal engineers, talking about his team's priorities. Within Amazon Web Services you will find that security is job zero for every single one of us. This is a powerful binding principle for employees and their teams who build and run our services all around the world.

If we quickly look at the footprint of AWS, our global infrastructure is comprised of 77 availability zones within 24 geographic regions, with announced plans for nine more availability zones and three more AWS regions in Indonesia, Japan and Spain. Within those regions, much like the building blocks of life, the periodic table, we find the AWS services. Now, over the last 14 years AWS has been continually expanding its services to support virtually any cloud workload, and it now has more than 175 fully featured services for compute, storage, databases, networking, analytics, machine learning, AI, mobile, IoT, security, media, and application development, deployment and management. When you look at each of those services you'll see that a lot of what we focus on is the democratization of security, because the biggest constrained resource that any of us have is our skilled security engineers. There are simply not enough humans in the world with the right skills to do all the security work that collectively we have, and we do have that problem at AWS. Hiring people is hard; we hire hundreds and hundreds of security folks every year and we still struggle to keep up with the pace of our own business. Our customers say the same thing. So do we have a mechanism in place that allows us to keep up with the evolving business landscape? Now, one of the things that's really interesting about AWS is that it focuses a lot of energy and effort on scale. The scale of cloud is of benefit financially and organizationally; it helps support your business, helps you innovate new ideas at incredible speed, but it is immensely helpful in the security space. Many people are used to focusing on the security issues that occur in their business or their industry, but with millions of customers across an incredibly broad swath of infrastructure and industries, we see things before most of the rest of the internet can. When we see those things we take that information, that knowledge, those signatures, the behavior profiles, and build that knowledge into the services that we vend, so that every single one of our customers can take advantage of them: not just the biggest banks in the world, but also the university student who's operating on the AWS free tier, who gets exactly the same experience as the big guys. That is very empowering, especially for new businesses, when you don't have the expertise to build those things yourself.

So we talked about the advantages of scale. Just to give you some interesting numbers: in a month we process one quadrillion observations in CloudWatch, that's 1,000 trillion. That power gives you an incredible statistical view of what's going on on the internet, and by carefully examining that and understanding what happens we can build models for certain kinds of behavior. There are 230 services that have security, compliance and governance features as part of them. We've got this incredible effort to perpetually raise the security bar. All services support server-side encryption; we are happiest when our staff have no access to your data, period, and encryption with keys that you can manage, if you choose to do so, is a part of this. Now, one of the things we don't have at AWS is a security operations center. At our scale, if you're relying on humans to see something on a screen, you're going to fail. You need to automate as much as possible and escalate the rest to a human. When we talk to customers we talk about reducing the burden of manual remediation of security across the board. Here are the first five things to automate: ticketing, identity and access management policies, logging, threat detection, and alerting. Alongside automation we talk about some of the very common goals for security: encrypt everywhere, embed security in development, know who can access what, granular permissions, and of course automate. Through the infrastructure services, internal experts and vibrant community of partners offered by AWS, we have earned the trust of over a million active monthly customers, including the largest banks, broker-dealers, insurers and market centres in the world, such as Allianz, Barclays, BBVA, Capital One, Guardian, National Australia Bank, Nasdaq, Santander, Openbank and State Street, as well as the industry's newest innovators such as Robinhood, Betterment, Monzo and Nubank. Customers love the fact that the scale of AWS reduces their security burden by reducing undifferentiated heavy lifting. But what has working with all these customers taught us about scaling the talent transformation to achieve this? Well, firstly, it has taught us that it's far easier to train a developer in security than to train a security expert to be a developer. This isn't necessarily new; for years we've had the aspiration that developers and engineers can be our security engineers, our champions of security, but it does not work this way. Historically, bespoke styles of information technology have been the norm until the emergence of cloud computing; the difference has been using common cloud building blocks that remove the undifferentiated heavy lifting and burden. However, re-skilling is not straightforward. There is a bunch of perfectly natural human reactions that we have to maintain the status quo. We need a holistic approach to re-skilling. For those of us that have read the great Daniel Pink book Drive, Daniel discusses motivation covering three primary areas: firstly autonomy, the desire to execute what we need to do in the way that suits our hectic lives; secondly mastery, the ability to be the best that we can be at whatever we focus on; and finally purpose: what we do needs to matter to the mission of our business. So we need to focus our approach with this front of mind.

Now, when I was leading my own team on their journey, I was reminded of this great quote by Rosalynn Carter: a leader takes people where they want to go; a great leader takes people where they don't necessarily want to go, but ought to be. So with the benefit of hindsight, what are the 10 steps that I have used myself and have seen work with financial customers all around the world to reskill everybody to be a champion of security in the cloud? Step one is to know that this is a different journey for everyone, much like this picture where four folks are leaning one way and one person is leaning the other way. There will be highs and lows and some twists and turns, and then we have to remember change curves and think about how we're going to motivate folks to unlearn and relearn. 2020 is the year that the entire planet has been going through profound change curves. Denial, anger, bargaining, resignation and finally acceptance are perfectly common stages when we are faced with inflection points in our personal lives and our careers; as leaders we need to consciously lead our teams through it. Step two is that we have to make agile teams actually work. This includes holistically mixing the skills, not just going halfway between agile development teams and waterfall-driven infrastructure teams, which we often see as "wagile". This can and does happen when you are still leveraging traditional siloed infrastructure technology. Putting the differently skilled individuals together in a dedicated team is the crucial key here when starting out and moving forward. This allows business outcomes to become much faster when the team can self-service their needs and not have to go through gates to get to resources and services, but instead can operate within guardrails. They are all going to learn how to establish and build secure cloud infrastructure as code through APIs. Now, classroom training is still very useful; virtual is fine. What is needed is dedicated focus and time with a range of cloud courses that will always have security at their core. Step four: as our CEO Andy Jassy likes to say, there is no compression algorithm for experience, so it's critical that folks have a safe space to allow them to build and experiment. Personally, when I was learning cloud I used the free tier of consumption within an AWS sandbox environment; anyone with a credit card can do this. Step five: bring in some experts. When I was on this journey, the ability to bring in professionally certified AWS engineers from a partner and get them to pair-program with each member of the team over two days was like putting rocket fuel into the team. At this point it's really important that you make it real. Building something and then getting it live and operating it securely in cloud is crucial, as you will build your new muscles most effectively when it matters. Now comes the crux: how do you scale? One skilled cloud team who understands security will quickly become a bottleneck for your organization. How do we scale that for everyone? Well, nature has found a way to do this, and nature is no dummy. We can scale through a process of cellular mitosis: the ability to take our first skilled cloud team of perhaps 12 folks and split them into two teams of six, and then bring in more human resources who might not yet have the skills needed, and then have them go through the same first steps that we went through in this list. This is super important. When the second team gets something live, then it's time to split the teams again; 2 becomes 4, and so on. This is how you scale. Step 8 is cementing the new skills in place and working hard to reward the mastery part of the motivation equation. All AWS courses and exams work to ensure that individuals have the ability to build and run securely as part of their curriculum, but the associate architect exam is the one to really focus on at the start, with a significant portion dedicated to ensuring the most commonly used security building blocks are really understood by all. Now, when you take a quick look back at some of the mechanisms we've covered, classroom, pair programming, sandbox access, going live, the final piece is ensuring that online training resources are perpetually available. You need multiple methods for folks to be able to reskill themselves at their own pace. And there is a magic percentage of certified individuals in your business that need to hold this AWS certification before you see exponential growth in re-skilling, and that is 10%. What we see around the world is that when this percentage of technical employees pass the associate architect exam, you then see a hockey-stick-shaped adoption pattern occur. Finally, the last step is to ensure that leaders reward and recognize the effort on the journey to being a champion of security. Vouchers, gamification, t-shirts: these all help. When I was on the journey with my team and we realized that AWS certification was such a transformational key, I remember standing on stage and asking everyone to get certified. Sure enough, I proceeded to get a question from the front of the audience: when was I going to take the exam? An uncomfortable moment. Being able to walk the talk, for leaders, is utterly crucial, and while I didn't reveal to anyone that I was studying for the exam, it was with some satisfaction and relief when, two months later, I was able to reveal that I too had passed the exam.

Now, one of our customers who has taken this to a very high level is National Australia Bank. I was privileged that they shared their journey on stage with me last year at the AWS re:Invent conference. Now, in November 2017 NAB announced a company-wide transformation to accelerate their strategy, and a significant part of that journey was of course to attract and invest in talent. Starting in July 2017 they had seven people AWS certified, and they started lunchtime coaching streams. By August of that year things are picking up steam; they now have 150 folks attending the lunchtime sessions. By November they are out of space; lunchtime sessions are now subscribed. By March 2018, 150 folks are trained, but only 15 are AWS certified. But they had big aspirations. When one of the NAB executives announced at the AWS Sydney Summit their partnership with AWS, after 24 hours 1,900 had registered for training; after 48 hours 3,000 had registered for training, and they branded their growing efforts the NAB Cloud Guild. As of December last year they had 4,500-plus employees trained, 817 employees AWS certified, and 1,134 AWS certifications held by NAB employees. Incredibly impressive, and they are well on their journey. The ability to leverage the democratized secure building blocks of the cloud and enabling everybody to become a champion of security is going a long way to solving the cyber recruitment challenge at scale. Thank you very much.

Thank you so much, Jonathan. Absolutely brilliant, a very inspiring presentation. Some real practical takeaways there: the importance of automation, things like ticketing, identity access policy, logging, threat detection and alerting, and a great sound bite there: if you leave your security to somebody looking at a screen in a room, you will fail; it needs to be automated. We all have to up our game. I can't imagine there's anybody who's doing that who's watching right now, but it's a very striking image. Also, bonus points for the buzzword "wagile", which is a new one on me, a mix of waterfall and agile; that's a keeper. And a great quote there: there is no compression algorithm for experience. Fantastic. So to actually build to scale within an organization you need to deploy cellular mitosis. How fascinating. Okay, thank you so much for that presentation, and I'm sure there's lots of online resources for folks who want to find out more about that brilliant educational program. Okay, we are going to move on and meet the Group Head of Global Human Resources at Standard Chartered Bank. Please welcome to the stage.

Hello everyone. I head human resources globally for Standard Chartered Bank. Let me start off with why we are having this conversation today. Even before COVID-19 we knew that there was a real skill gap, a real shortage of skills of cyber security professionals. It was estimated that approximately 200,000 cybersecurity jobs don't get filled every year. In late 2019 there was a very interesting piece of research which confirmed that there are 2.9 million trained cyber security professionals, but the world needed another 4 million to be able to meet the challenge that was out there in the world, to meet the skill gap. This challenge has been intensified post the COVID crisis. The Information Systems Security Association, which is the largest global non-profit association of certified cyber security professionals, has tracked a 63 percent increase in cyber attacks globally since the pandemic began. They've called COVID-19 a once-in-a-lifetime opportunity for hackers and online scammers. There's a variety of reasons for that. I think the cyber criminals have exploited vulnerabilities and security loopholes that have arisen as a result of people using much more of their personal devices working from home; there is heightened activity on insecure digital tools, as well as increased leniency in access management, which employers had to do to enable their employees to access third-party networks. As a result, an area where there was already a skill gap has been even further intensified, so the demand for cyber security professionals has increased even further when we were already facing a challenge. Our experience and our point of view, very strongly, is that we cannot meet this skill gap by having a strategy which only relies on buying talent externally. So our entire proposition has been built on building a sustained and diverse talent pool to be able to meet this skill gap. So what is it that we are doing, what is it in StanChart that we are doing, to meet this challenge? First, a bit about us as a company: we are across 60 markets and employ more than 90,000 colleagues. Given the complexity of our business, the complex local regulations, as well as our expectation to meet international standards, some of the challenges around cyber security are further intensified for us, significantly more complex than they would be in smaller, more nimble organizations. We need cyber talent across the organization; it's not one department. So we need them in our first line, which is largely trust, data, resilience and operations; in our second line, which is risk and compliance; and in our third line, which is the audit function. Within StanChart, just this year we have hired approximately 500 colleagues, largely within the front line, and if you look at our data, 30 to 35% of that has been internal. So yes, we have continued to rely on external hiring, but increasingly we are being able to narrow that gap, and just this year we've been able to get 35% of that talent pool filled internally. That number becomes significantly higher as we go more senior within the organization: at MD level and above, approximately 70% of that talent has been hired internally. Our ambition is to make this 50/50 in the short term and actually, in the more medium term, flip this over and have 70 percent of the talent being hired internally and relying externally for only 30% of the hiring. Where we've had to do external hiring, it's been in strategic areas where we don't have capability in the bank, as well as markets where we don't have internal talent pools. In the external hiring there are two specific areas we have focused on. The first one is gender, and I want to talk about that for a while, and the other one is focusing on early careers, really building a sustained pipeline of talent for the future across our multiple markets. Let's talk about gender first. There was a 2018 survey on cyber security professionals across the UK, US and Asia Pacific, and the data said that women represent about 24% of the cyber security workforce globally. The data also said that while women have higher qualifications than their male colleagues, so 55 percent of them hold a postgraduate degree as opposed to 45 percent of men having a postgraduate degree, there was enough evidence that they earn less than their male counterparts for those jobs. That's clearly an opportunity that we feel very concerned about and a space that we want to bridge. So where we've had to do external hiring we have significantly relied on increasing the talent pool of female candidates that we go after. I'm really pleased that of the external hiring that we have done this year, about 35% have been women, and at senior levels actually the number is very similar; so it's not just at junior levels that we've been able to position ourselves as an attractive employer to senior female talent. The other area that I want to talk about is early careers. It became very clear to us, as we were thinking through a long-term sustainable talent strategy, that we can't keep relying on the same educational institutions, the same talent pools that we have done before, and this year for the first time we have launched a very clear apprentice program, where we've got cyber apprentices joining us for a two-year structured rotational program. 50% of them are women, and interestingly 50% of that apprentice program that we have hired are colleagues who are school leavers, so we have very strategically moved down to the school leaver category as a potential pool for future talent. We are in the middle of a very exciting program that we are launching in Singapore, where we are looking at a cyber outreach program targeted at school-going children, to build awareness of the cyber threat but also to talk about the interesting job opportunities in this area. So, a huge focus on internal hiring; where we have gone external, which still continues to be a big area of focus for us, we have really dialed up our focus on gender, but also having a sustainable early careers proposition that is going to ensure that we've got a pipeline which extends for several years.

Talking about internal: how have we been able to focus on internal? I think the real focus for us has been reskilling and upskilling of our entire workforce. So as part of our future skills agenda we've picked nine skills that are going to be really needed for banking in the future; cyber skills is one of those nine future-focused skills. We've got an internal academy that's focused on cyber skills. It is enabled by our online learning platform called diSCover. The academy is not just directed towards our cyber or our ICS professionals, 1,500 ICS professionals, but it is also very specifically targeted towards the rest of the organization, especially those job families that have an opportunity to get reskilled or upskilled for jobs within the ICS stream. The take-up of the academy has been fabulous; I think within two weeks of the launch we had a 70% adoption rate, a very high adoption rate among the ICS professionals, but a huge amount of interest across the rest of the organization. The work that we are now doing is targeting the academy to specific job families in the bank where we believe, based on data, there is an easier opportunity, or the real opportunity, for us to be able to reskill them to take on cyber jobs. So it is an investment; it is an investment that you need to be able to make for a few years to be able to reap the benefits, but we believe it's a really important investment if we are going to be able to build a sustainable talent pool for cyber jobs internally. Just a few learnings from all of this, from our experience. I think having one point of contact for all of cyber security hiring across the organization is important. We found initially there was hiring happening in multiple different places, and being able to have a globally consistent framework, a global set of standards, and having one point of contact has helped us maximize the opportunity. Secondly, we have focused a lot on employer branding efforts, so both the recruiting professionals and our line managers in the ICS space have done education sessions, external conferences, and taken out time to speak to universities about the kind of career options available internally as far as cyber security is concerned. Last but not least, we've actually challenged ourselves to take a few risks, to have a bit of innovation in this space. We realized very early on that we have preconceived biases about the kind of people that we wanted to get in, and by challenging ourselves to target school leavers, by challenging ourselves to build new talent pools, to go after female talent pools, women in the tech space, we've been able to broaden the supply of talent that we've been able to access in this space. Finally, a huge amount of training that we have done, both for our recruiters and our line managers, which includes training like unconscious bias training, to ensure that we are not hiring in our own image but challenging ourselves to hire expansively. In summary, we recognize there is a skill gap; the skill gap has been very well published and signposted. We believe that skill gap will increase even further, and it's our strong view that by continuing to have a strategy which is largely focused on external buying we are not going to be able to bridge that skill gap. So the strategy we have put in place is build from within, and where you buy, be sure that you are buying diverse talent. That has been a strategy that has played out, and this needs to be supported very strongly by a learning agenda and a re-skilling agenda internally. We believe this is really good for our workforce, really good for our business and definitely good for the wider society. Thank you very much.

Thank you so much, Tanuj. That was a pretty sobering presentation, if you don't mind me saying; some pretty shocking stats there. There was a gap in cyber security before COVID and now it's absolutely going bonkers; it's really intensified. The infosec association has tracked a 65% increase in cyber attacks after the pandemic, and she's described this as a once-in-a-lifetime opportunity for hackers and online scammers: things like work from home, using your own device, lenience in access management. This does need to be fixed, but there isn't really the talent pool to fix it. It's great advice there: work on three lines, trust data, risk and compliance, the audit function; focus on gender, women represent 24% of the cyber security function and are better qualified in many cases but earn less than their male counterparts. In 2020 this is absolutely scandalous; this needs to be fixed. I know you're all going to join us in trying to fix this in your organizations. And it's really about upskilling the entire workforce with globally consistent standards, employer branding efforts to get new people on board, and take a few risks and train, train, train, and build from within. Fortune favors the brave. Fantastic presentation. Okay, we're going to move on and have a chat with a very brilliant cyber security expert. She is the Senior Principal Global Cyber Security Evangelist and Strategist at Red Hat. Please welcome to the stage Lucy Kerner.

Hi everyone, my name is Lucy Kerner. In my current role at Red Hat I lead security thought leadership, technical and go-to-market strategy, messaging and evangelism for security across the entire Red Hat portfolio globally. I also create and present security-related content to our field, customers, partners, analysts and press, and I also present at a lot of cyber security conferences. I have close to 20 years of professional experience in software and hardware engineering, cloud solutions architecture and more, where I work on various aspects of cyber security. So security resources have always been a problem. You're not always rewarded for doing security like you are when you develop a new business application quickly. This usually leads to cyber security teams being understaffed and overworked, and at the same time these skilled cyber security professionals are in very high demand, and there's significant turnover in cyber security positions. In fact, many CISOs don't have a long shelf life; industry research suggests that average CISO tenure is only about 24 to 48 months, with many packing their bags even sooner. A pre-COVID-19 pandemic study conducted last year by (ISC)² estimates a global cyber security gap of 4.07 million and estimates that the global workforce needs to grow by 145 percent. In addition, 51 percent of cyber security professionals say that their organization is at moderate or extreme risk due to cyber security staff shortage. So the sudden onset of the COVID-19 pandemic forced many companies in financial services and other sectors to suddenly expand their digital walls due to the massive increase in remote access, and for all too many companies this turned the cyber security resource challenge into a full-blown problem, exacerbating the cyber security shortage and then causing security to be overlooked or put on the back burner in many cases, as these organizations' focus and resources have shifted to things like shoring up, or even building from scratch, all these work-from-home capabilities across the business. Many security teams are now being directed to support general IT operations and simply may not have the chance or the time to apply security controls to new systems to enable remote working, and organizations are now struggling to adapt quickly with the increase of bring-your-own devices, which may lack security updates or corporate config settings. And then even smaller financial firms who offload their security to MSSPs were just overwhelmed by security demands brought on by COVID-19, as were their customers, so this may lead to the MSSPs being unavailable due to dealing with their own workforce disruptions.

So now let's dive into some prescriptive tips on how you can take strategic steps to tackle the cyber security resource problem. So my first advice to you: cyber security is about people, processes and technology, and so you should take a look at all of these areas to tackle the cyber security resource problem, versus just throwing more people at the problem. You need to look at ways you can grow your existing resources internally and hire strategically. You need to make sure that your organization is both an appealing place to join and a rewarding place to stay. You also want to see what gaps you have in your organizational processes and technologies and whether that is also contributing to your cybersecurity resource problem. You also want to build a strong, cyber-resilient team by growing your cybersecurity workforce from within, by further developing your existing IT professionals. As I said before, it's important that you grow your existing staff from within and make sure your organization is an appealing place to work, especially since skilled cyber security staff are in very high demand and there's significant turnover. You want to establish things like internal security training, certification programs and professional development programs; provide that on-the-job work experience and access to career opportunities in cyber security. In general, the IT field is a continuously evolving area with new technologies that are constantly coming up that have to be secured, like cloud technologies, containers, Kubernetes, open source technologies, et cetera, and you want to offer opportunities to nurture and develop the areas that are top of mind for cyber security professionals, such as cloud security, risk assessment, things like that. You want to motivate cyber security professionals to stay with the company, increasing the possibility that these professionals will remain at the current organization: do things like providing that robust training and professional development; have supportive management who supports professional growth and training and provides strong professional mentorship; contribute to the cost of cyber security certifications; provide that clear, executable career path for specific cyber security roles; encourage your cyber security professionals to take advantage of all the free online conferences, training courses, et cetera, that are now more readily available with all these trainings going virtual due to COVID-19. And in general, establish a culture in your organization to never stop learning, since there is always more to learn in order to stay ahead of new technologies and bad actors. You want to establish a culture within your organization to encourage cross-collaboration, cross-organizational training, sharing training, so that security is no longer just the responsibility of the security teams. You want to develop existing IT professionals, whether it's your developers, your infrastructure ops teams, your security and other teams within your organization, and you want them to be cyber security experts as well, so you can grow the team from inside with these cross-pollination efforts, especially as your organization is looking into consuming these newer technologies in cloud, containers, Kubernetes, serverless, etc. It's important that you establish these cross-collaboration and training efforts, since many of the security tools out there and ways of thinking about security are different in these perimeter-less, ephemeral environments where everything is automated. So what can I do specifically, you ask? For example, when I was a senior cloud solutions architect for the North America public sector at Red
hat i saw our enterprise customers who were growing their cloud footprint in their organization established things like weekly lunch and learn training sessions between security teams development and infrastructure ops these cross organizational teams would do things like quarterly mock breaches and tabletop exercises together and even go to escape rooms designed to successfully escape the room by solving security puzzles together be creative with how you establish this culture of cross-collaboration cross-pollination and cross-training across the organization my next advice to you is take a hard look at security tooling and resources you need to have a clear idea of where are the cyber security skills in your organization you may be surprised to find that these skills may live beyond your just your security teams you know look at how your resources are currently allocated across roles in your cybersecurity teams you know roles that may be currently understaffed include security operations security administration risk management penetration testing you know roles that may be currently overstepped include compliance forensics operational technology security etc so then also take a look at your security tooling are there people on your staff that are holding on to tools without really needing it for example i spoke to one enterprise customer and he frankly mentioned to me that the only reason he was using some expensive vendor security tool was because now he can have a point finger to point to in case something goes wrong you know are you inter as you're introducing cloud technologies in your environment have you updated your security tools processes and practices to secure this new environment or are you still using legacy practices controls and tools i was at one enterprise insurance customer and the security team there were trying to use one of their traditional legacy security tools to secure their containerized infrastructure and they didn't understand why it 
kept crashing you know they didn't realize that you can't use these tools to keep track of ip addresses in a containerized infrastructure where containers are coming up and down you know since the environment is ephemeral you know are you using free open source tooling and libraries versus using enterprise supported open source pro products from vendors and if you are using free open source tooling and libraries is security in place to mitigate the risk of using these uh free open source tools and libraries for example how are you dealing with vulnerabilities when they get introduced now how are you ensuring that developers are not downloading malicious content from a public source versus trusted content that is vetted that is uh vetted my next advice to you is be strategic with hiring start by going after new workforce entrants such as recent college grads who have degrees that are relevant to starting a cyber security career including computer information sciences engineering and then when you hire professionals remember that to not just limit your scope to establish cyber security professionals i.t generalists have a solid foundation have a solid foundation to contribute to an organization cyber security practice look for people who are who have skills that would be a valuable to a cyber security professional you know successful cyber security candidate will have skills across a wide variety of disciplines from you know data security linux hardwing linux systems computer programming cloud technologies cloud security security risk management assessment security compliance threat detection remediation network security architecture monitoring support and then troubleshooting things like that right and then look for more seasoned professionals who may have uh security cyber security work experience and knowledge of advanced cyber security concepts and finally depending on your organization and requirements it may make more sense for you to augment your staff with a 
managed security services provider um you know their services next advice to you is to put a consistent automation strategy placed across your organization now organizations have limited time limited budget resources you obviously can't fix everything or simply you know keep throwing by and simply keep throwing bodies at the problem at all the things you have to do to keep your organization secure results is not the solution you want to implement a consistent enterprise automation strategy across your organization a strategy that can interconnect infrastructure ops application development and all the activities performed by security operation centers in the 2020 cost of data breach report it states that that fully deploying security automation can reduce the average cost of a breach by 95 but only 16 percent of organizations have done so automation helps improve both security and compliance by helping by helping you reduce that risk associated with things like human errors automation also allows you to bake security in from the start and allows you to do things like dev set gobs successfully automation allows uh for everything as code infrastructure as code security as code compliance code and this is very important to do since if it gives you that repeatability consistency ability to share ability to verify and ability to audit which are all key to security and compliance and when you look at some of these recent cloud security breaches out there like the capital one breach it started all out with a configuration error you know if you back these configuration in an automation language that everybody speaks everybody has visibility to and it's backed by change control so the minute there's a change you know you everybody knows about it right you don't have you you know you you know from much earlier if there's gonna if there's a problem right instead of finding out you know three months later or whatever that you've been breached right so this and configuration uh 
misconfiguration problems is one of the top reasons for breaches today including recent cloud security breaches so you know automation allows you to do that continuous monitoring continuous security and have with controlled automated remediation you want to take a baby step approach to automation things like start with a single project automate tasks that are performed repetitively like config management software packaging and patch management so you can do vulnerability identification and remediation now work iteratively and to deploy automation you know measure results and adapt and plan for expansion and ensure all automation is is verifiable and in the ideal world you want to have a common automation language for the whole enterprise organization and you want to be but to be successful in achieving this goal your automation language should be open unbiased widely adapted widely supported by an active community simple you want to find people who can learn this language you want to make sure that the automation language you set in place is easy to learn simple easy to write you can actually find people who can understand that and how to and pick up this automation language quickly right um something that's modular some something that is um uh a lot of people can knows how uh knows can pick it up easily right like if it if it is based on a markup language for example right it's and then um uh it's an example automation language that has all of these characteristics is ansible so what's my summary and call to action you know while the global cyber security workforce gap is daunting uh it's not surmountable it's not insurmountable now start by doing the things we talked about you know have a strategy in place to deal with covet 19's impact tackle the cyber security resource model but not just by throwing bodies at it but tackling across people processing technology build a strong cyber resilient team within your organization develop that cro culture of cross 
collaboration be strategic with hiring you know and look and look at a heart take a hard look at your security tools and resources and finally implement a consistent automation strategy thank you for your time and hope you enjoy the rest of your conference thank you so much lucy that was a brilliant presentation full of very useful information and takeaways i think one of the biggest most impactful facts you shared there was there's a 4 million head count shortfall in cyber security that's just mind blowing and i also thought it was very interesting what you were saying uh about the the value that companies put on cyber security i spoke to a gentleman called david uh professor david simchi levi from mit recently uh and he spoke about the scourge of short-term thinking in companies the fact that if you make a sale you know somebody will ring the bell on the sales floor and uh you know if you make a big cost saving you'll get like a big tick in the quarterly review but if nothing happens if nobody breaks into your servers um you know you don't necessarily get rewarded for that it's just you know you're supposed to you only really get the attention when something goes wrong so yeah that's a real kind of philosophical question for companies to address i think um look at people process and technology make sure they join and stay grow your staff from within and have a real talk with your it staff about legacy equipment and do you really need it in this era of virtualization and working with apis and third parties and again the importance of automation if you rely on one person looking at a screen you will fail um okay so that was wonderful uh just the key takeaways there in summary uh it's not insurmountable you can do it but you need to start now you need to have a covet strategy you need to focus on people processes and technology you need to build cyber resilience within your organization you need a culture of cross collaboration and you need to be strategic with your 
hiring and implement a consistent automation strategy so absolutely fantastic uh points there from lucy kerner thank you so much okay so we're going to wrap up for day two of cybos spotlight my name is ushi noni it's been a pleasure to have your company here please join us again tomorrow when we're going to be looking at risk management and the world of worries i hope to see you then [Music] [Applause]
Info
Channel: SibosTV
Keywords: CyberSecurity
Id: SkkG08qS3Gs
Length: 52min 0sec (3120 seconds)
Published: Mon Mar 29 2021