I’m still riding the high from the annual Security Congress put on by (ISC)² a couple of weeks ago. As I calm down, I’d like to review a few highlights from some speakers. Join me as we go through a few cybersecurity leader bios. They have a few good lessons.
Since this conference was co-located with ASIS International, you’ll see some physical security tips here, too. Okay, well, most of these are physical security tips.
This can still relate to cyber!
Update: I added one more!
Robert Grant, VP of Global Security for Walt Disney
- Robert is a former special agent for the FBI. His example comes from the FBI’s shift after 9/11 from solving crimes after they happened to preventing attacks.
- Become a proactive security organization.
- Emphasize prevention, not response.
- It’s tough to sell security in a business environment.
- Disney tries to follow a security-made-fun practice.
- They send out monthly tip emails and videos designed with the touch of a creative team.
- They offer security advice in a humorous vein, though some topics, such as active shooters, are off limits for jokes.
Michael Howard, CSO at Microsoft
- Align security with all business objectives of the company.
- Develop strategic partnerships as a department with many other departments (IT, HR, Finance, and Legal).
- “It took a lot of doing. When I first got there, my team knocked on many doors. We wore out a lot of shoe leather.”
- “Focus on building a security team that has leadership skills, strategic capabilities, tactical abilities, and subject matter expertise. Not all staffers have all 4 of these skill sets, but as a whole, each skill component is well represented.”
- More and more companies are looking for security leaders and staffers with business experience and training.
- “They want people to run security like a business.”
- In 15 to 20 years, it will probably be seen as normal for companies to hire security staffers with business backgrounds but training in security.
- What is your security identity, the brand of your security organization?
- Communicate the idea that the security department knows where the company is going and is aligned with its business objectives. This can be done through a brand.
- Be willing to admit mistakes and learn from experience.
- It’s not easy. It’s important to be realistic.
- Push beyond the complicated assessment process. Commit the time and resources needed for improvement.
- This is so true – “Usually, the people who say ‘you can do more with less’ are not the ones that actually have to do the job.”
Robert Oatman of R.L. Oatman & Associates
- Get to the How of executive protection.
- Ask general questions first, so you get general concerns expressed to you.
- Avoid yes and no questions.
- Allow for elaboration and digression so that information can flow where it might not otherwise do so.
- Each security component should also be broken down and analyzed.
- Threats to transportation security can include:
  - potential motor vehicle accidents
  - road rage incidents
  - planned vehicle attacks
  - getting lost
  - being late to appointments
  - reckless driving
- Speed should be kept reasonable.
- Routes should always be well researched.
- Common traffic choke points and potential safe havens should be identified in case the environment becomes unstable.
- Interactions with a variety of contacts can include:
  - transportation providers
  - hotel security personnel
  - venue management representatives
- Relationships with destination staff can be important.
- Executive protection firms working well with hotel staff can create a home field advantage due to familiarity and knowledge of the facility.
- “Hotel security is a force multiplier.”
- “Go practice this stuff.”
- Conduct simulation exercises and learn. “Good decisions come from experience, and experience comes from bad decisions.”
Charles Foley of Watchful Software
- The Evolving Cybersecurity Perimeter.
- Cybercrime offers a more significant margin of opportunity than illegal drugs.
- The cost of cybercrime is growing, as the average data breach now costs $3.5 million.
- The most expensive problems corporations face are not hackers attacking firewalls but insiders who handle data unsafely, even inadvertently.
- A Market Connections and SolarWinds survey found that more than half of federal IT leaders identified careless and untrained insiders as the greatest source of cyber threats against their industry.
- Effective training is important, but software controls that aid in compliance with data usage are also key.
- Essentially, use data loss prevention (DLP) controls that fire based on rules or data types.
- “If you do this right and you line up your policies, procedures, and technologies, your electronics can do the job.”