ESG Blog: Takeaways from the CISO Summit at Black Hat 2018
Aug 30, 2018
Author: Doug Cahill


In this video, my colleague Jon Oltsik and I share some of our thoughts from the recent CISO Summit at Black Hat 2018. While respecting the event's Chatham House Rule, which requires us to keep CISO comments anonymous, we discuss some of the takeaways from the panels and presentations at the event on central cybersecurity topics, including:

  • The role of machine learning in a cybersecurity program.

  • How risk has become the language of the CISO.

  • The importance of personnel diversity in cybersecurity teams.

  • The positive impact of integrating security with DevOps (“DevSecOps”) processes.

We close with a few comments about cybersecurity platforms, which we dive into in a follow-on video by sharing key findings from a related, recently completed ESG research study. Thanks for watching!

Video Transcript

Doug: So Black Hat 2018 was two weeks ago and Jon and I both attended the CISO Summit at the front end of the week. While we have a lot to share with you about Black Hat in general, boy, Jon, the CISO Summit was really interesting. I'm really glad we got to attend, thought you did a great job moderating a panel on machine learning.

Jon: Thank you, Doug.

Doug: Certainly, machine learning and AI in general was a theme throughout Black Hat but I thought some of the comments from customers about going through the vendor hype around ML and specifically in how they're using machine learning in their own environment was really interesting.

Jon: Yeah, there was pretty consistent feedback on just ignore the hype. Ignore the hype. There's too much hype out there. And what was interesting to me was that the people on the panel were doing this themselves. They were developing their own algorithms, they're hiring data scientists. And the advice they gave was pretty simple. It was, "Start small. So don't try to boil the ocean, pick something that's really impactful. And start now." Because the technology is real and the problems are real, and you really need to move forward.

Doug: I also heard them suggest that you really wanna have your processes tight, your sort of SOC and response processes really tight, just in the event that your ML algorithms do throw off false positives.

Jon: That's right.

Doug: You wanna have good, solid proven processes. So yeah, embedding data scientists into their security team developing their algorithm, because one of the things I heard was, you know, the data set against which they're training algorithms sometimes cybersecurity vendors don't have access to that data set, it's sort of customer specific, environment specific data sets.

Jon: Yeah. I mean, the key to machine learning or artificial intelligence is the data set. And the bigger the data set, the more familiar you are with it, the better you can train it and tune it and that's really what their message was.

Doug: Absolutely. So another theme we heard throughout the CISO Summit in general and I know, for us, in general, talking with CISOs and customers is the sort of evolving role of the CISO and in the language of risk and how you manage risk and really having more of a business orientation than a technical orientation.

Jon: And that was throughout Black Hat, we heard that. And that's really kind of antithetical to Black Hat, which is more about hacking and exploits and threat intelligence. So yeah, I think what we're seeing is the business leaders are putting the pressure on the security team. They're saying, "We're willing to spend more money, but we want to understand what we're spending money on and what does that buy us? In other words, what risks are we mitigating?"

And so that's a consistent theme. We're doing some research around that ourselves and it was refreshing to hear that at Black Hat.

Doug: Right. One of the things that was clear was this notion of how do you measure risk? What's the baseline of risk? How do you convey that to the board, to the C-suite and the board? And what's clear was hey, you want to understand where your crown jewels are, that was an expression that was used often. You understand risk associated with your supply chain.

Jon: That's right.

Doug: And you wanna snap the line and show progress, hopefully, over time.

Jon: Yeah. You also wanna benchmark, benchmark against yourself, benchmark your European division versus your North American division, benchmark against the industry in general. And yeah, I mean, we're spending ridiculous amounts of money on cybersecurity, so it's a very valid question to say, "What am I getting for my money?"

Doug: Absolutely. You know, one of the panels, I'm not sure we've talked about this, actually, since Black Hat, was the diversity panel, sort of the challenge of hiring and building a cybersecurity team, and it was a very strong case for bringing diversity into your team, because those of us with different backgrounds, different experiences are gonna look at things differently. We're gonna look at the threat landscape and threat modeling a little bit differently. We shouldn't be hiring people that are just like us and agree with us. So that was some really provocative and insightful feedback.

Jon: Yeah, and that's especially important because people like us aren't attacking us. People who are attacking us are from different parts of the world, they have different socioeconomic backgrounds, different political leanings. Not that we're gonna hire those people, but diversity of opinion, diversity of experience really can help in that environment.

Doug: Yeah, you bet, you bet. Funny how we talk a lot about tech, of course, in cybersecurity, but boy, it's always about...just as much about skills and processes and culture. You know, one of the topics I like thinking about, talking about, writing about is DevSecOps and since we're honoring..

Jon: Which we heard a lot about.

Doug: Which we heard absolutely a lot about, we did at RSA as well, it's a cultural shift as much as methodology in using different tech.

Jon: You're right. Culturally, this is completely new, but it's not going away, and we need to, as a security community, we need to accept it and do what we can.

Doug: Right, absolutely. In fact, the CISO who talked about DevSecOps at the CISO Summit said, "Hey, maybe it should be called SecDevOps," just to make the case that we need to really integrate security into our DevOps processes.

Jon: It's not a bad thought.

Doug: But it is integrating and it's every step of the way, so it's doing AppSec in your development process, integrating things like code scanning, composition analysis in your SDLC. It's doing things like vulnerability scanning in your test phase, and make sure you've got hardened configs before you go to production and then doing runtime controls in production. And you get all kinds of efficiencies when you integrate it versus doing it after the fact.

Jon: And doing that for a growing portfolio of technologies, like containers, microservices, things like that.

Doug: Yeah, great point about containers. Because containers and Kubernetes are all about automation, so it really begs the question of how, across the build / ship / run continuum, you are integrating and automating.

Jon: And I would think if we do this right, we'll improve security.

Doug: Absolutely. That's one of the reasons I like talking about this area, because I'm optimistic that this is the way to move the needle.

So one of the things we're hearing in this general space around cloud security is this notion of platforms and we can spend a lot of time on platforms, and in fact, the next video, we're gonna talk about cybersecurity platforms.

Jon: Because we have great research, Doug, as you know, on platforms that we've done and so we'll go into detail on that.

Doug: Sure, absolutely. So stay tuned for a discussion on cybersecurity platforms.
