The Gartner Security & Risk Management Summit is an essential event for CISOs, CIOs, and other security professionals. It provides three focused days of learning and testing, reinforcing security plans and strategies, as well as understanding the market and available solutions.
Our pan-European F-Secure Countercept team and I attended the summit to meet with our peers and clients across the industry, and to share our latest market insights. I also gave a talk on Rethinking Response (our manifesto for detecting, responding and mitigating attacks in a collaborative and effective way, prior to business impact), which sparked a healthy debate and received overwhelmingly positive feedback.
It was also fantastic to have some great discussions with end-user organizations about their challenges and for them to challenge our and their own thinking.
My team on the ground and I identified some emerging themes that speak to the challenges security professionals face internally, the ability of the threat landscape to still shock and stun, and how CISOs can garner the backing of security partners to improve their organization’s security posture – and further their careers. To sum it all up, here are our six key takeaways from the Gartner UK summit.
1. Security professionals are overwhelmed – rightly – by their service options
There is still much buyer confusion on the difference between an MSSP, MDR, and managed EDR, which comes as no surprise given the crowded market. At the F-Secure booth we had some great conversations on how to set the right buying criteria; depending on the business need, organizations have the option to build or buy a service that aligns to the specific threats your organization faces.
But even setting buying criteria is an intricate process. Organizations should not be afraid to push their potential partners in this process – any partner that will not support and assist in helping you determine how they can augment and empower your overall security strategy is not the right partner.
2. CISO empowerment comes via strength in numbers
When it comes to getting buy-in to both the broader and the nuanced aspects of a cyber security strategy, many CISOs are still trying to overcome the challenge of delivering their message in a way that best resonates with their C-level colleagues. The Rise of the CISO talk – which explored how a CISO can aspire to be a board member, whether that be a risk board or executive board – identified that there is a gap to fill when driving the business case up the chain. CIOs need to do a better job of building the cyber security agenda at board level and offer a clearer steer to the CISO on the (business driven) direction they want the cyber strategy to go, whilst the board representatives need to come from a broader background for them to fully understand and assess the cyber threat.
This is where security partners should provide the language and context to drive and support this process.
3. People first, technology second
Everyone – myself included – often wants the latest and greatest in tech. However, despite my job title, this does not always apply in cyber security. At the summit, I talked to many CISOs who have technology high on their agendas, with their immediate sights on introducing – for example – AI, and data and log aggregation and orchestration to inform, drive, and back up decisions they make.
I have seen this approach time and again, and it most often fails, simply because technology is only as good as the people who are using it. It is not enough to implement technology and assume existing security teams can just add it to their pile of work. Technology investments need to be thought of more in the broader operational context, with the people running and using them being the first factor for consideration, such as: How will it help the security team provide a better defence? Does it increase the ability of our people to detect and respond to attacks 24/7? Does it supplement existing roles and responsibilities, or hinder them? Does it fit into our broader business goals in both the short and long term?
4. Letting the attacker lurk – Rethinking Response strategies
After my talk on Rethinking Response – where I outlined the evolution of threat hunting as well as our vendor-agnostic methodology for detection and response – the team and I had many conversations on one particular aspect of the methodology:
Allowing attackers to dwell post-breach on a compromised network until the extent of the breach is known.
Several CISOs directly approached me straight after my talk and mentioned that it’s a huge challenge to convince their colleagues to balance the risk of immediate eviction with a more considered approach to response, which could ultimately give a better outcome in terms of understanding the attackers’ objectives and goals – this can ultimately ensure, for example, that the targeted assets are better protected in the future and that the techniques used to breach the organization aren’t successful in the future.
5. Developing effective detection and response capabilities
The most common barrier to building and maintaining detection and response capabilities in the enterprise remains the cyber security skills shortage. We hosted a lunch for security professionals to share our own experiences and advice in tackling the skills shortage. Some key insights from this session included:
- Using your limited in-house resources wisely by focusing on important projects and functions, and outsourcing the rest.
- Getting everyone to play a part in cyber defence by increasing overall cyber awareness and developing a strong security culture.
- Considering diversity. Think of how to attract non-traditional applicants.
6. We can all learn from Maersk
The NotPetya attack remains one of the most devastating cyber attacks the industry has ever seen, and integrated logistics stalwart Maersk was right in its center. They gave a truly inspiring talk on the incident and their bold approach to recovery. Their transparency in how they mobilized suppliers and customers to work together in rebuilding the business over days and weeks is an amazing case study for us all. One day I am sure it will be a movie. I’ll be in the front row.
The insights above were gleaned during the Gartner 2019 event, but perhaps you took away something different? If you have any questions or feedback on any of these insights, do get in touch with me or with your contact in Countercept Sales.