Chairs were thrown. A table was flipped. Someone broke a bottle. And a portable LED projector got a scratched lens.
Ok, it didn’t quite happen that way, although there was a broken bottle at the reception afterward.
At our CISO panel at RSA on “Can Data Breaches be Stopped?”, there was broad agreement on the current state of affairs in security, but no shortage of differences of opinion on the path forward.
Some of you who couldn’t attend have asked for more information on the panel and a recap of the topics discussed. I’ve captured a couple of key highlights here, focusing on the points that grew more contentious as the discussion progressed.
(From left to right: Ameesh Divatia – CEO, Baffle, Martin Bosshardt – CEO, Open Systems, David Bradbury – CISO, Symantec, Kurt Lieber – VP and CISO, Aetna, Kim Green, CEO, KAZO Security, Jack Miller – CISO, Open Systems, Hussein Syed – CISO, RWJBarnabas Health, David Tsao – CISO, Veeva)
DOES COMPLIANCE = SECURITY?
When discussing the trend of increasing breaches, one point that emerged quickly was that compliance does NOT equal security, especially from the perspective of security practitioners. Compliance is often treated as a checkbox for legal or regulatory reasons, but passing an audit does not necessarily mitigate the actual risk or close the threat vector an attacker will use. Some of the CISO commentary follows:
“There is a big gap between security and compliance. We need to make efforts to close this gap. The whole compliance aspect, the frameworks, were invented years ago and didn’t apply to microservices or cloud. We’ve got to – especially with legislators – we need to sit with them and we need to lobby them and close these gaps. We are regulated by proxy, and the auditors and the legislators who pass regulation are defining the requirements for us.”
“I don’t think compliance will ever keep up with security. I spend every day in security and I barely keep up. How can compliance auditors keep up? Compliance frameworks are a helpful crutch. I’ve seen companies rely too heavily on compliance in the past. Where I am, we don’t use compliance frameworks – we look at risks and the threat actors and their behavior and targets, build a risk matrix and start from there for our security controls. If you’re taking a compliance-first approach, you’re simply waiting for the next breach.”
“Compliance focuses on reporting. If Pintos were blowing up, we solved it: went back to the auto manufacturers and said fix it or get it off the road. We need regulations over software development – we keep putting weapons out there. Shift the focus to software development.”
“On GDPR, there’s not one company that’s fully compliant. A lot of security experts aren’t being consulted. There’s a complete disconnect on compliance to security design to implementation.”
OPERATING UNDER AN ASSUMED BREACH POSTURE OR ZERO TRUST MODEL
A lot of the customers we work with are operating under an assumed breach posture or zero trust model. This assumes that their environment is already compromised, so they focus less on the traditional perimeter and more on time to identify, time to contain, and alternative security architectures. What considerations and methods are you looking at to operate under these conditions?
“We’ve talked about the perimeter for a long time. The perimeter is gone. It’s changed. Used to be data center. Start moving out of data center, and take a data centric approach so your information, your data can be secure wherever it goes.”
“We have the benefit of having built our infrastructure using cloud native solutions and companies are going through this transition. If you build infrastructure the right way, deploy hardened images, and leverage immutable infrastructure that allows you to replace or rebuild on the fly, you can mitigate a lot of the risks and remediate much faster. The pivot point that is occurring is security is finally getting to implement security by design.”
“It depends on the model and situation – you build your protection scheme based on what you’re trying to protect. In a hospital, it’s more heavily perimeter vs. cloud. You build your protection profile and controls for that specific environment. You have to simplify your environment — segment it out. Try to move into silos and that could buy you more time in the face of an attack.”
“Breaches are here to stay. People get very nervous when there’s a breach. It’ll be okay if you have basics in place. I don’t want to scare anyone, but there’s a balance. The breach is going to happen, but as long as you’ve taken care of the basics, you’ll be OK.”
“You might need to find another job (laughter), but you’ll be ok.”
Many thanks again to our CISO panelists. It was a spirited conversation with some great insights.
What are your thoughts on the disconnect between compliance and security?
Do you operate from an assumed breach posture?