What an incredible couple of days at DEEP 2017! Thank you to all our special guests, speakers, customers, and friends for truly making Cybereason's first security conference an unforgettable event. DEEP 2017 included keynotes, unique perspectives and remarkable stories from security industry leaders and beyond. We’ve done our best to recap the highlights and the energy from the show, including rundowns on talks from Tim Boomer, Laura Louthan, Robert Bigman, Sam Curry, Tarah Wheeler and Steve Wozniak.
Got to be real
Tim Boomer purely exemplified the main theme of DEEP 2017: solidifying real connections and beginning to talk about and approach cyber security in an honest, meaningful way. He spoke wonderfully about connecting with people on a deeper level. He set the stage and the spirit of the show, which was to remove the rules from the cyber security conversation and provide an opportunity for professionals to come together to foster real connections, not just exchange business cards.
Mending the IT, security divide
IT and security professionals don’t always get along. To folks in IT, security personnel constantly say no to technologies that could help an organization meet its business goals. Meanwhile, security departments view their IT colleagues as people with little to no regard for security controls. But both departments need to work together if they’re going to keep an organization safe from attackers, said Laura Louthan, citing statistics like the average cost of a data breach ($3.62 million) and the likelihood that an organization will be breached in the next 24 months (27.7 percent).
The trick to building respect between the CIO and CISO is being transparent, adaptive and responsive to each other’s needs, said Louthan, who founded a security consulting firm after holding leadership roles at Sephora, Equifax and Bank of America.
What you can learn from a three-letter government agency
Robert Bigman, former CIA CISO, delivered a bulletproof talk and left the audience with a few important points to consider when it comes to being the best CISO and how to get cyber security to permeate everything, to be ingrained within your organization’s DNA:
- Governance beats the best technology every time. Be sure to embed your security teams within the IT organization, and make sure you solidify your corporate approach to IT and cyber security.
- Cyber security is not IT security. Cyber security is a discipline. It takes a different mindset.
- Isolation, isolation, isolation. The only bulletproof way to stop hacking is to isolate your corporate networks. Don’t let your IT environment be a Tootsie pop (hard on the outside and soft on the inside). Always keep an eye on your third-party vendors and systems.
- Don’t trust your weakest links…administrators. Make sure to vet your system admins and do as much recon on them as possible! Focus on training admins, not just users, and monitor them. You can learn more about your network and what’s happening on it from your admins than from any cyber solution. Reward your admins for speaking up and reporting “malicious” activity.
- It’s all about the data, stupid. Remember that data protection is different from cyber. If you don’t know where all your data is…how can you protect it?!
- User misuse logging is more important than threat intelligence. Threat intelligence only matters on your network: monitor your own user activity, and don’t spend time and money on external threat intelligence.
Talking with Steve Wozniak: A thinker and a tinkerer
Steve Wozniak has been a Silicon Valley icon and philanthropist for more than thirty years. He has helped shape the computing industry with his design of Apple’s first line of products, the Apple I and II, and influenced the popular Macintosh. For his achievements at Apple, he was awarded the National Medal of Technology by the President of the United States in 1985, the highest honor bestowed on America’s leading innovators. Engineer, author, and podcast host Ran Levi sat with the Woz and asked him about the current state of education and his beginnings at Apple. Here’s some of what Woz had to say.
The benefits of tinkering
“True creativity and invention originate from tinkering...you have to love to build and take apart things, constantly trying to improve your design with fewer and fewer parts.”
Into the great wide open
“Pick something that doesn't exist and go do it."
Leaders and followers
"Tesla is in last place when it comes to self driving cars."
The key to happiness
“Happiness is going to be how I judge my life, not accomplishments.”
The power of passion
“All the great things I've done at Apple, we didn't know how to do. But we had the passion to do them.”
“I've written a ton of malware just for fun, but I always destroy the source code.”
"Apple's not smart enough to make their parts repairable and easy to take apart."
How to keep your security gig
Sam Curry, Cybereason CISO, wowed us with his “How Not to Lose your Job in 13 Months” talk. When talking to other C-suite executives and board members about security, CISOs need to frame the discussion around one of these topics: risk, revenue, employee efficiency, strategic value, cost and customer satisfaction.
Failing to do so makes security leaders seem like hobbyists instead of business-savvy leaders who want to contribute to the organization. Also, avoid using technical terms, Curry said. The C-suite doesn’t care about server management, but they do care about patching the vulnerabilities that hackers could exploit to infiltrate a company.
Contrary to what conventional wisdom calls for, security leaders shouldn’t have an answer for every question, Curry said. A better approach would be to start a project and ask a manager for feedback before completing it. This allows the manager to provide input and lets the CISO incorporate this feedback before the project’s deadline. And security can’t be done alone. Security leaders are going to need co-workers in sales, marketing, product and other departments to help tell the story of why security matters to others in an organization.
“Nothing erodes trust faster than a CISO who knows everything. Listen a lot, be humble a lot, and make new friends,” Curry said.
Keep security weird
Hiring a diverse group of analysts is one of the best ways to bolster an organization’s security, said hacker and author Tarah Wheeler. People with different backgrounds and viewpoints lead to a security program with varied perspectives on how to keep a company safe. New minds are needed to solve security problems, she said. Unfortunately, businesses aren’t fully on board with employing people who color outside the lines.
“It's pretty uncomfortable hiring someone that feels different. That discomfort should be sought out. It changes the way we think," she said.
Wheeler also talked about how ransomware is forcing companies to be more transparent about security incidents. While organizations can hide data breaches, ransomware attacks aren’t as easy to quietly sweep under the rug.
“WannaCry was the best problem the security industry has. Why? Because it can't be ignored, it can't be hidden. Knowing is always better than not knowing,” she said.
Keep the DEEP conversations going
Although DEEP 2017 officially wrapped up on Wednesday, we hope the stories, expertise, and conversations will continue! In the coming weeks we'll be posting more content from DEEP, including some videos of speakers. And, hopefully, we’ll see you next year at DEEP 2018.