
Kevin’s Key Takeaways – Cybersecurity Keynote from HIMSS21
Cybersecurity Keynote Panel: Get the basics right; boring works.
New tech is cool. AI is amazing. As a culture steeped in abundance, we expect everything we imagine to be delivered into our hands within minutes of finding and then ordering it. But when it comes to data risk management, there is no imaginary one-stop-shop tech tool to defend your business. If there were, we would just do that instead of all the following boring things:
Tabletop testing = Boring
Asset management = Boring
IR/DR/BC policies = Snooze
Training employees = Snooze
Network testing = Z…z…z…
Culture of security = What does this even mean?
To defend against a ransomware attack, every item in the above list matters.
In the HIMSS keynote panel, Admiral Mike Rogers, retired Director of the National Security Agency (NSA) and Commander, U.S. Cyber Command, implored the audience to “Get the basics right. Culture is the hardest part of security.” He went on to say, “Take a risk-based approach,” but we’ll unpack that another day.
Other speakers echoed a similar message:
- “Survivability is key,” shared Keren Elazari, cybersecurity researcher, author and analyst, during the keynote. “There is no such thing as perfection.”
- “Survive and build back better. Don’t blame,” stated Alex Stamos, founder of Krebs Stamos Group and former CSO for Facebook and Yahoo.
These aren’t the cybersecurity soundbites we’ve all come to believe from watching Hackers, Blackhat or Swordfish; they are, however, the thoughts of top professionals in our field.
To bring this idea to light, I offer the following question and answer:
How does a CEO feel better about his/her team’s response to ransomware?
Answer: They do all the boring things, and then they rehearse the inevitable, over and over and over again.
How?
- They bring in the right team to evaluate, draft and then implement a tailored Information Security Program, replete with all the necessary policies and procedures to best protect the company.
- They draft and implement Incident Response, Disaster Recovery and Business Continuity policies and plans. They test them with tabletop exercises, incorporating all applicable stakeholders. They test their backups.
- They have cybersecurity training policies, and they ensure that their employees are trained.
- They test network security and have an update/patching policy that is properly executed.
- They invest in asset management, so they actually know what’s on their network.
- They have a culture of accountability for security, not a culture of blaming for security.
Please notice that nothing here speaks of the latest and greatest firewall, MFA, AI, or dark web research. It’s all boring, it’s all necessary, and it’s what you should focus on to best prepare for and respond to your next attack.
Let’s discuss.