The EC-Council, the body behind the Certified Ethical Hacker certification, will convene a Global CISO Forum in Miami on Oct. 29 and 30, open only to a limited number of senior information security executives, to discuss a security landscape that is growing more complex and alarming Internet users. Apparently, when attackers start stealing and cracking large caches of LinkedIn's hashed passwords, and state-sponsored attacks are a big enough threat to Gmail users that Google has to issue warnings, it's time for the world's CISOs to huddle.
The summit, scheduled in conjunction with the EC-Council's information security conference, Hacker Halted, will gather CISOs from the world's "largest and most prestigious" enterprises to talk about how these types of extreme events affect their companies and what to do about them.
But what can a forum like this do to prevent data breaches? For one thing, it provides a venue for the exchange of ideas and information. For a long time, attackers have been well-organized and shared information freely. "But due to proprietary, governmental and other borders, we guardians of information do not share information as well as they do," says Amber Williams, manager of strategic initiatives at the EC-Council. "This forum is designed to promote exchange of ideas and discussion, with six to seven experts per panel topic who will elicit a lot of responses from the audience as they go along."
That's all well and good, but, according to Danny Lieberman, CTO of Software Associates, most CISOs and infosec professionals already know what needs to be done for appropriate security countermeasures. For example, encryption is a cornerstone of securing data at rest, and our latest InformationWeek Strategic Security Survey recommendation list includes better vetting of service providers.
The problem is getting the CEO to agree.
While the EC-Council's Hacker Halted events see increasing attendance year on year, says Williams, the council is capping attendance for the Global CISO Forum at 200. The goal is to make high-level executives feel free to talk about not just best practices but the struggles they have had without fear of hurting their brands, she says.
You know the EC-Council is getting serious when it talks about "integrating war games into security strategies." Other topics of discussion planned for the summit include recruiting, training, and managing superior security teams; data loss prevention; and internally branding and integrating a security program while aligning it with business objectives. In fact, the EC-Council says one reason for continued breaches is the conflicts that arise from the differing goals of security and business development teams. The forum intends to address this issue and others not only through panels but also by encouraging an atmosphere of best-practice sharing.
It's great that the EC-Council and CISOs are on fire about this. But it's also clear that without approval from the CEO, anything with a price tag that doesn't have demonstrated business value will go nowhere. That is why CISOs should pay special attention to the part about aligning with business objectives.
What CISOs should really be asking at this forum, says Lieberman, is how their peers develop a real business case to present to the CEO. How do I put together a threat model and evaluate the risk? How do I get the CFO on board before I go to the CEO?
Lieberman illustrates a sample exchange, where the CISO is prepared to say to the CEO, "There is X percent chance someone will steal our company's intellectual property. I have put together a team to evaluate the risk, and that is its finding. It will cost $20 million if this IP theft occurs. I need a couple more employees and $1 million to buy hardware and software to protect that $20 million worth of IP."
Better yet, have the CFO on the team that helped put together this analysis, something the EC-Council plans to address. "Because we are inviting mostly C-levels, they will report to a board or another C-level executive," says Williams. "Part of what we want to share is how to brand a security program internally and sell it to the board, C-level executives, and the whole company. And in the case of governments, sell it to the many layers of government workers."
Another concern for many security chiefs, says Alan Shimel, managing partner at The CISO Group, is the changing nature of the threat. Many CISOs at work today came into that role during a time when financial fraud and cybercrime were the motives for attacks, says Shimel. "Now we have hacktivists and people who are financially motivated, but instead of looking for personally identifiable information, they're looking for intellectual property," he says. "Due to these different motives, hackers use different attack vectors."
Announced speakers for the event include Eddie Schwartz, CISO for RSA; Joe Albaugh, CISO at the Federal Aviation Administration; Ron Baklarz, CISO at Amtrak; and Richard T. Rushing, CISO for Motorola Mobility.