Aiden was proud to host the first in a series of discussions with technology leaders on the much-needed IT-Security Paradigm Shift — the trends in technology and leadership strategy that are helping organizations reduce cyber-risk and improve response times to cyberattacks.
Paul Ferrilo from Seyfarth Shaw LLP moderated the discussion with technology visionaries from government and the private cybersecurity industry:
Casey Santos, CIO at Asurion
Gina L. Osborn, (Retired) Cyber FBI Assistant Special Agent in Charge & Army Veteran
Anthony Johnson, CISO at Delve Risk
Joshua Aaron, CEO at Aiden Technologies, Inc.
We’ve compiled the top 5 takeaways for leading conversations from the board of directors down to the engineers, in order to bridge the gap between IT and security.
#1 Avoid “cyber speak” for maximum impact and awareness across an organization
Technology leaders need to speak in a way that resonates with business leaders and not just “techies” in order to get on the same page. One way to do this is to avoid acronyms.
“It’s become part of our role to evangelize and to communicate what [cybersecurity] means in business terms. There are many aspects to this conversation and it’s important to be able to speak in plain language,” said Casey Santos.
Speaking in terms that upper-management and non-technical members of your organization can understand is key to winning support for better IT and security integration. These soft skills also serve a dual purpose: getting buy-in for better investment in cybersecurity from decision-makers, and growing your IT career—no matter your current role.
“Removing jargon from our vocabulary when we talk to executives and boards is where it really starts. As you move up in the ranks as a technologist, we need to do this or we can’t move forward…Aiden is focusing on bringing this into plain language so everyone can understand.” – Joshua Aaron
#2 Nudge management and the stakeholders who hold the purse strings to take cyber seriously with real-world examples
“Most board members don’t understand how APIs work, what CI/CD is, and assume an acceptable level of cyber-risk is 0% — even though they’ll write off 10% of transactions to fraud.” – Anthony Johnson
It can be hard to quantify all of the risks an organization takes on due to weak cybersecurity. While widespread cyber attacks are getting more attention in the news, many board members lack the necessary cybersecurity awareness to accurately gauge what’s truly at stake in their organizations.
One strategy is to make the consequences of poor cybersecurity more relatable by illustrating how cybercrime affects our friends, families, and larger communities. For example, almost everyone knows someone whose identity was stolen or who has experienced credit card fraud.
“Not only educating them on what happens at a company but what can happen personally, gives you empathy. When it touches something personal, in addition to a company dimension.” – Casey Santos
Connect those risks to core business KPIs, like customer engagement (Businesswire found 81% of consumers would stop interacting with a brand that had been breached), and you’ll get closer to bringing the point home. Gina Osborn recommends inviting a local member of the FBI to talk to your board members and other upper management about the consequences of poor cybersecurity, and why robust security starts from the top down.
“Tabletop exercises are impactful, but it has to be personal. At my last firm, I had a security professional use a pineapple device to siphon PII (Personally Identifiable Information – like a social security number or telephone number) from local devices of people in the room … stakeholders were talking about it for months.” — Joshua Aaron
#3 “We’re not going back to the way things were” – making Automation and AI cybersecurity standards
“Thousands of endpoints need to be considered. Some were more prepared than others when dealing with this. When we go back to hybrid, we’re not going back to the way things were.” – Anthony Johnson
It’s no secret that the COVID-19 pandemic pushed digital transformation efforts forward much sooner than expected. This left some companies less prepared for the challenges of managing a remote workforce, and their attack surface grew exponentially, almost overnight.
“Attackers are using automation too … if we don’t automate, we’ll be left behind.” — Casey Santos
Panelists recognized that as distributed environments and hybrid working are here to stay, tools to automate and automatically adapt cybersecurity processes are essential to reduce cyber risk now. Threat actors routinely optimize attack strategies with artificial intelligence and automation, and it’s time for organizations to fight fire with fire.
Anthony Johnson also pointed out the risks that remote data access and remote security response introduce into your IT security plans: “Remote working is increasing human error because of the likelihood for distraction [when working from home] versus SOC environments for incident response. Automation is imperative to maintain security now, and likely well into the future.”
#4 Leverage high-visibility cybersecurity news to focus on fundamentals
“SolarWinds woke people up to the vulnerabilities we are facing. It doesn’t change my lens on how important security & tech are to solving this problem, but it makes more and more companies aware and increases their desire to invest more.” – Casey Santos.
Panelists like Casey didn’t see major structural investment in IT security in light of the SolarWinds hack. Moreover, Anthony highlighted that most large businesses appear to have made up for any loss of reputation or business continuity suffered while responding to the breach.
What is more tangible is the pressure third-party vendors have to maintain robust cybersecurity, especially in the IT space. “Supply chain is critically important, but there are fundamental basics, understanding suppliers, vendors, patching — this is what sets the successful organizations apart,” said Anthony Johnson.
Moving forward, Retired Cyber FBI Assistant Special Agent in Charge Gina Osborn encouraged more firms to use HR as an on-ramp to better cybersecurity: train new hires to recognize insider threats and become familiar with access control (e.g. when people move between jobs within an organization, do they keep access to data they no longer need?).
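The access-control question above (do people who change jobs keep entitlements they no longer need?) is the classic "mover" problem in joiner/mover/leaver reviews. The script below is an added example, not code from the panel or from Aiden; it assumes a hypothetical role-to-group entitlement policy and a constructed directory extract, and flags the groups a mover still holds from a previous role so they can be reviewed and revoked.

```python
"""Access review for job changes ("movers").

Added example, not part of the original panel write-up. The entitlement
policy, group names and user records below are all constructed; a real
deployment would pull roles from the HR feed and groups from the IdP.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Hypothetical policy: the groups each job role is entitled to hold.
ROLE_ENTITLEMENTS: dict[str, set[str]] = {
    "finance-analyst": {"finance-reports", "erp-readonly"},
    "hr-generalist": {"hr-records", "payroll-readonly"},
    "it-helpdesk": {"helpdesk-tools", "ad-password-reset"},
}

# Groups everyone may hold regardless of role.
BASELINE_GROUPS: set[str] = {"all-staff", "vpn-users"}


@dataclass
class User:
    username: str
    previous_role: str | None   # None for a brand-new joiner
    current_role: str
    groups: set[str] = field(default_factory=set)


@dataclass
class Finding:
    username: str
    excess_groups: set[str]     # held, but not allowed for current role
    missing_groups: set[str]    # required by current role, not yet granted


def review_user(user: User) -> Finding:
    """Compare one user's groups against what the current role allows."""
    role_groups = ROLE_ENTITLEMENTS.get(user.current_role, set())
    allowed = role_groups | BASELINE_GROUPS
    return Finding(
        username=user.username,
        excess_groups=user.groups - allowed,
        missing_groups=role_groups - user.groups,
    )


def review_movers(users: list[User]) -> list[Finding]:
    """Return findings only for users whose role changed and need action."""
    findings = []
    for user in users:
        if user.previous_role is None or user.previous_role == user.current_role:
            continue
        finding = review_user(user)
        if finding.excess_groups or finding.missing_groups:
            findings.append(finding)
    return findings


def carried_over_from_previous_role(user: User, finding: Finding) -> set[str]:
    """Excess groups explained by the old role (entitlement drift), as opposed
    to groups that no role of this user ever justified."""
    old_groups = ROLE_ENTITLEMENTS.get(user.previous_role or "", set())
    return finding.excess_groups & old_groups


# Constructed directory extract for the example.
SAMPLE_USERS: list[User] = [
    # Moved from finance to HR; finance groups were never removed.
    User("alice", "finance-analyst", "hr-generalist",
         {"all-staff", "finance-reports", "erp-readonly", "hr-records"}),
    # No role change: not in scope for a mover review.
    User("bob", "it-helpdesk", "it-helpdesk",
         {"all-staff", "helpdesk-tools", "ad-password-reset"}),
    # Clean move: old groups removed, new ones granted.
    User("carol", "hr-generalist", "finance-analyst",
         {"all-staff", "vpn-users", "finance-reports", "erp-readonly"}),
    # Moved, and holds a group no role of his ever justified.
    User("dave", "it-helpdesk", "finance-analyst",
         {"all-staff", "finance-reports", "erp-readonly", "domain-admins"}),
]


if __name__ == "__main__":
    by_name = {u.username: u for u in SAMPLE_USERS}
    for f in review_movers(SAMPLE_USERS):
        drift = carried_over_from_previous_role(by_name[f.username], f)
        unexplained = f.excess_groups - drift
        print(f"{f.username}: revoke {sorted(f.excess_groups)} "
              f"(from old role: {sorted(drift)}, unexplained: {sorted(unexplained)}); "
              f"grant {sorted(f.missing_groups)}")
```

Splitting excess groups into "carried over from the old role" and "unexplained" matters in practice: the first set is routine cleanup for the mover process, while the second (dave's `domain-admins` here) warrants a closer look at how the access was granted in the first place.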
#5 Diversifying the IT talent pool will reap significant rewards — but there’s still a long way to go
“Promote these opportunities to get people engaged. It’s up to all of us to find these junior people and assure them that coding is not a scary thing. There are two companies: those stuck with legacy tech and those moving toward the future.” — Anthony Johnson
A lack of diversity in thought and representation across STEM will hold organizations back from rising to the growing cybersecurity needs of today. Anthony pointed to the relatively small number of women and minority CISOs as a sign that genuine, systematic efforts are still needed to mentor and train the next generation of cybersecurity professionals.
Casey Santos also pointed to a growing number of public-private collaborations between research universities and private companies like Apple and Microsoft that are working to tip the scales in favor of increased representation of BIPOC and other marginalized communities in cybersecurity.