About the talk
Leading Chief Information Security Officers discuss cybersecurity budget allocation
We were trying something different here while our next panel was getting mic'd up. This is going to be the CISO Fantasy League Draft, and this is how the structure is going to work. Essentially we've given each of our CISOs up on the stage a million dollars. The first round is $400,000, the second round is $300,000, then $200,000, $100,000, and an honorable mention. It's basically a five-round fantasy draft. What we're going to use is the Verizon DBIR categories of the different types of threats that can happen, and each CISO will be tasked with selecting, in this order, which threats are most relevant to their industry. So you'll see that we'll have two people representing the financial sector, one from the healthcare sector and one from the telecom/media sector, and what we'll hopefully learn from this is which threats are most prevalent for various industries, not necessarily the specific companies that they're using to plug these gaps, but what they see as most important and the biggest threats to their existence. And then after the draft we'll go through and see if it's even a useful exercise, if this is even how CISOs look at how they spend a budget, or if it's more even spending across different areas. So once they're all mic'd up, I'd welcome them all to come on down to the stage. Please welcome our CISO Fantasy League panel.

It's great to be here and it's great to be running a panel that's a little bit different. I like doing things differently. This is sort of a cross between a fantasy sports league and security, which is not something that we do very often. Some of us might try but it doesn't usually work, but we're going to do that because it goes from where people would spend their money to where people might want to be investing. So I think this is a very valuable exercise, and of course in the real world we have to mitigate many, many kinds of risk, but we're going to start with draft round number one, which is the $400,000 round. If somebody handed you $400,000 and you're the CISO, what area would you likely primarily focus on with that money? I'll turn it over, and of course the second part of the question is going to be why, so it's not just random picks. Do a quick introduction and then answer the $400,000 question, or go right into the question.

Okay, I'll answer. I think, for us, the answer would actually be denial of service. We tend to be kind of the plumbing of Wall Street, so anything that happens to us can take down multiple institutions. So that would actually be the very first place I would start.

All right. My name is Myrna Soto. I recently joined ForgePoint Capital as an investment partner, so I'm cheating a little bit up here on stage. I used to be the Global Chief Information Security Officer for Comcast; I spent a lot of time there, I'll just leave it at that. I would focus on insider threats and insider misuse. Huge, huge opportunity there. And I'll speak in generic terms: there is a plethora of activist communities that spend a considerable amount of time trying to get employed by certain companies with the sole purpose of espionage and other issues.

I'm Rich Baich, Executive Vice President and Chief Information Security Officer at Wells Fargo. From this particular list I would also go with insider misuse, misuse being categorized as unintentional risk, meaning team members, employees that are doing things unintentionally, and then obviously on the other side of the house those individuals that may be looking to potentially do harm, the insider threat as well. However, since we're in a room full of startups, a caveat: that's a term that's used very, very inappropriately. So the whole definition of what an insider is needs to be figured out before you look to market your product. So just a little bit of marketing clarity there: be careful jumping on board certain terms, because they can put you down in a pigeonhole that you may not want to get into, because you may want your product to be more holistic.

And I didn't introduce myself. I'm Joseph Steinberg. Today I spend most of my time as an advisor to younger cybersecurity and other emerging technology companies, emerging technologies today being AI and blockchain primarily. I also write a column, which is what I spend the other portion of my time on, and have a couple of product companies as well. Risk: insider threat. Insiders are always a bigger problem than outsiders. They know what data you have. They can make a small mistake that leads to big consequences, and as technology gets better and better, you know, we're on firewall version 30, 40, 50, whatever we're at now; we're on human brain 1.0, and human brain 1.0 hasn't really changed in tens of thousands of years. It's the same mistakes that were made in the past that have made a new technology a venue, which obviously leads to much more serious consequences. That's where I would start.

On to round two, with the $300,000 draft. So you've already invested the $400,000, so you've dealt with the issue that you've already mentioned to the group. What's your second priority with the money?

Great. So I would actually pick insider misuse as the second one. Part of this is knowing your business and knowing what the threats are to your business. So as an example, a large custodial bank is not going to be all that worried about ATM skimmers. We don't have ATMs, so that's never going to hit our radar. Insider misuse, when I look at that threat, that's getting really scary. Rather than trying to get you to click on a phishing email, people will actually just pay you, right? They'll say, hey, if you can help us with SWIFT codes internally, we'll just give you $100,000 to help us out. That's a scary, scary threat. So that's the intentional side.

I would say for my next $300,000 round I would invest in cyber-espionage. When I mentioned insider threats, there is a very strong tie into the espionage piece, so I'm double-dipping a little bit, but in all my previous experience, company not to be named, it was amazing to see the increase in attractiveness that our infrastructure and our data elements had around the time that we were about to close a quarter or make a particular announcement. If we had an M&A deal in the works, our security team would kind of lever up their game, because there was an increase in the potential to have folks interested in that information; phishing attacks and other things would increase at that time. Cyber-espionage is a real issue, only more so for larger publicly traded companies, but definitely an area that I would easily spend $300,000 in, fighting it, trying to get tools and technologies and increasing my level of, to use that dirty word, intelligence around what is happening in our environment that may be directly related to cyber-espionage.

For my $300,000 I will go with web application attacks, primarily because for the adversary today it's kind of one of the vectors of choice, and I might like to apply a risk formula there. When I'm looking at things, it's vulnerability times threat times asset value times probability of occurrence, and the probability of occurrence of the adversary using the web sphere to deliver these days is much higher than it has been in the past, and we're predicting it to increase. So therefore that's why I would spend the money there.

I'll just say I've done my CISO stuff on the tech side, in tech companies, and I would go with the intelligence, for a simple reason. It really goes back to ancient times, Sun Tzu: you've got to know your enemy, and knowing what's going on, how people are likely to attack you and what they're looking at can really help with every other decision that you're making in terms of defending. So that's where I would go.

Up to the third round. So we've covered some really serious issues, but now they've got to look at, you know, where would you go for number three?

I think for me I would go into cyber-espionage next. It is a little bit tied with insider misuse, because for a lot of the same reasons I'm very concerned about being a target from nation-states, et cetera. So that's where I'd put my money next.

So I'm going to cheat; I'm going to go out of the parameters of the selection, if you'll oblige me. I would spend my next round on IoT security, having come from recently working for one of the largest ISPs in North America and understanding the connectivity in the home and the future of IoT. I believe that the security landscape around that has a lot to be desired, and there are several opportunities to increase risk posture in that space. There's not only an enterprise component to it, but of course a consumerization opportunity for those companies that do have a consumer revenue stream.

Wow, it didn't take you long to shed your skin from being a CISO to a VC while we were up here.

For the category, I think I'm going to go with crimeware, these categories being different. So, you know, when we talked about cyber-espionage, I put it into a different category; I put that into the Asia-Pacific arena as far as the threat, and then obviously cybercrime I put into Eastern Europe, and then of course you have nation-state, which is kind of anybody. So, just so you can understand where my decision is coming from: crimeware. I will extend that out. To me, I believe that means the monitoring and the understanding of the underground, the monitoring and the understanding of how transactions are being carried out by cybercriminals, the understanding of who the cybercriminals are, attribution, and the disruption of those networks, and then of course from a crimeware perspective obviously having the appropriate controls to mitigate the risks that are associated with all those tools that cybercriminals look to utilize. I can still make it work in the framework, coloring outside the lines.

I would go with the data also. In the end, that's often what we're actually trying to protect. That's the element. And IoT, I just assumed if it's a large enough organization there are IoT vulnerabilities out there, because there are so many problems out there because devices came out without security. I'm just getting all that, but it's kind of interesting, because one of the things that's changed about the CISO's role is that things that were never under the purview of the security department now have to be. I gave a talk recently and I asked people how many of the CISOs in the room are responsible for which coffee maker gets put into the break room. And you know, that sounds strange and weird and ridiculous, but if somebody goes out and buys a connected coffee maker and someone forgot to turn off the Ethernet jacks in the break room, which does happen, and plugs it in, you now have an unknown device going onto a network, who knows which network. I said we've sort of entered the world where machines and devices we were not responsible for are now causing us problems. And I see you're smiling, but it's good for investing, and it certainly creates issues.

For the hundred-thousand-dollar round, round four. So we've dealt with lots of, you know, big issues; where do we go from here? We've still got some money to spend, but these weren't our highest priorities.

I'll take some liberties with this too. I would actually say miscellaneous errors, and I'm going to interpret that as being errors that happen inside the company, and it's going to be my training and awareness budget. So that's something that I think is really important. IT security really does begin and end with the end users doing the right things, and frankly I wouldn't want to have a budget like this and not spend anything on training and awareness.

All right, I'm going to go back inside the lines. I would say my next investment, my next spend round, would be on web application attacks. It's kind of a cross-section between attacks on those web application properties, but also at the same token kind of a DevOps/SecOps type of hygiene check. You know, we continue to live in what I kind of call the developer plague of agility and time to market for products and services, and continue to have challenges with the efficacy of the products that we are utilizing; a lot of them end up being your core web application properties.

I will go with miscellaneous errors, but with this definition: being able to understand the protocols and the information, and having transparency in your network so that you can understand what is legitimate traffic and not legitimate traffic. Adversaries today do a good job of being able to hide in the noise, so you have to have the ability to reduce that noise. Also, one particular way of reducing the risk of IoT is obviously understanding which ones are normal. So miscellaneous errors, from my standpoint, is allowing traffic to exist in your environment that hasn't been trusted and identified.

I would close actually with what you began with, which is denial of service, because one of the trends that we've observed recently is that the magnitude of the denial of service attacks is growing faster than the ability to defend against them. They're just getting much, much larger, and that is not a good sign for the future. And denial of service attacks also serve another great purpose for hackers: they're a very, very good distraction mechanism. So if you launch a denial-of-service attack while you're doing something else, you know, if someone's website goes down, they're less likely than they would be at other times to notice other bad things happening. So that's my concern about that.

Not that we can discuss it all on the panel, but I've been involved in more than one where denial-of-service is a distraction. So the reality of it is that when someone's being denial-of-serviced and it's public, yes, a bad guy may jump on board. It's kind of like when there's an emergency and somebody puts up a fake American Red Cross website for you to donate to. But again, I hear people keep saying this all the time, but it's really not part of the adversary's plan; it's usually a piggyback ride, meaning somebody chases low-hanging fruit because they know somebody's getting DDoSed.

It seems to be going faster than the typical legitimate party is adding bandwidth, and you know, at some point that's going to come home and be a problem. Maybe not for the largest financial institutions and the like, but you're going to see it in the mid-tier. It's going to start affecting more.

Honorable mention.

I can actually kind of maybe bridge the gap between what you were both saying, in terms of, you know, destructive malware. That is a type of denial of service that actually really does concern me. I've started thinking more and more about, you know, what would happen if somebody's not only just taking your data but actually causing the company harm, like actually trying to take you out. That obviously is a very, very big challenge, and it's something that kind of bleeds into both the denial of service and the honorable mention categories, so I'd have money for it either way.

I would piggyback on threat modeling, but I would add a spin to it to say that it's more about simulating potential threats and being able to do more than just a red team type of test exercise: more of a red team capability for entry, and also testing the efficacy of your mechanisms and the efficacy of your detection capabilities. If there are any startups out there doing that, please reach out to me.

And I will go outside the range and say cyber ranges. For those of you that don't know what a cyber range is, it's actually being able to do everything everybody said around threat modeling and everything else and actually make it real in a virtual environment, where you make a virtual environment of your environment and you can attack it. You can actually see if your incident response works. You can take new vendors' products, you actually put them in there, and then you unleash the attacks to see if their products actually do what they say they're going to do.

My honorable mention would be educating management to give me a bigger budget next year.

A relevant conversation for this audience: do you prefer to deal with one vendor for multiple solutions, or to go for best-of-breed, you know, between different parties? What's your general tendency?

Yeah, my general tendency is we want best-of-breed, but they also have to play nice with the other tools. So that's kind of a splitting-the-difference answer. Where we can partner with one strategic vendor and it makes sense, we want to do that, but I think ultimately you don't want to deploy a lot of things that don't talk to the other things, because then we have to have eyes on multiple panes of glass and it just becomes a staffing challenge.

I'm going to answer that two ways. As a former operator, the goal was always to rationalize the number of tools and processes, to the point already made that the correlation and the interconnectivity of knowledge makes you that much stronger. However, there is a big gap when you try to consolidate with the larger players; there's a big gap on the innovative side that requires you to continuously invest in and purchase from up-and-coming smaller companies that, in your hope as an operator, may end up being acquired by some of your larger partnerships. As a venture capitalist: best-of-breed all the way.

So there's no product out there that solves it all. So we want products to be able to API with other things. We spend an enormous amount of our budget innovating, creating patents; we had something like 50 in information security in the last five years. So if your product is closed, you probably have a closed opportunity; if your product is open and allows you to work with other things, that can go a long way. An example I like to give is the whole agent-based technology. To roll out an agent in my environment is probably 18 months, so I'm not going to be very happy with agents, just because of the pain associated with it. However, if you can ride on an existing agent, that's a wonderful way, right, because we just have to push out an update rather than pushing out a whole new agent and going through all the different regression testing and the whole bit.

We're out of time. Thank you, everybody, and I hope nothing bad happened while we were up here.