What could be more enjoyable than discussing digital transformation while digging into a delicious dinner with security leaders?
Moderated by Tom Field, Senior Vice President of ISMG, and Bil Harmer, Americas CISO for Zscaler, the dinner table was filled with passionate security representatives from law firms, insurance companies, healthcare, media and entertainment, and even LA County, the largest county in the country.
As the night progressed and dinner gave way to dessert and coffee, the conversation continued until we knew it had to end so we could get ready for work the next day. Events like this break up the daily routine and remind us why we got into information security in the first place. Hackers look at things differently, break things, and challenge conventional thinking as much as possible within the cloak of corporate culture.
Here are my three key takeaways from the evening on the challenges, and on how security can be perceived as an enabler rather than a hindrance in the rapidly transforming digital era.
A) Not everything can be on Cloud Nine
We had a heated debate on what goes to the cloud and what stays on the ground. Can law firms upload sensitive contractual agreements to the cloud? What about secret medical research data? Patient records? One argument was that migrating to the cloud can actually increase the security of your data, which until now was sitting on a flat network on legacy servers with exposed ports and unpatched services. What do policy and compliance have to say about this? How can companies increase ownership and control of data in the cloud through better logging and monitoring?
B) Enterprises should equip employees for better password security.
This topic came up as an extension of what can and cannot go to the cloud. Someone mentioned that an average employee without a password manager usually has three kinds of passwords: one for corporate systems, one for social media and shopping sites, and one for banking and financial sites, with each of these being a variation of the original corporate password. So when one of them is compromised, the others are just a few combinations away. We discussed hardware tokens, and authentication based on typing style (keystroke dynamics), which is hard to emulate and therefore harder to defeat. We agreed that employers need to consider solving this problem for their employees and kill sticky-note passwords for ever.
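To make the "just a few combinations away" point concrete, here is an added example (mine, not part of the original post or anything the dinner participants showed). It applies a small set of mutation rules of the kind password-cracking tools use by default (case changes, leet substitutions, common suffixes, bumping a trailing year) to one leaked corporate password and recovers the sibling passwords a user derived from it; a second function shows the check an enterprise could run at password-change time to reject such near-duplicates. The passwords and hashes are constructed for the example, SHA-256 stands in for whatever hash the breached sites used, and the rule set is deliberately a tiny subset of a real one.

```python
"""Why password 'variants' give little protection once one of them leaks.

Added example with constructed data: one leaked corporate password, and the
hashes of the same user's shopping and banking passwords (an attacker would
obtain those from a different breach). SHA-256 is used only for illustration;
the point is the rule set, not the hash.
"""
import hashlib
import re

LEET = str.maketrans({"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"})
UNLEET = str.maketrans({"@": "a", "3": "e", "1": "i", "0": "o", "$": "s"})
SUFFIXES = ["!", "!!", "#", "1", "123", "2019", "2020", "2021", "2022", "2023", "2024"]


def sha256(pw: str) -> str:
    return hashlib.sha256(pw.encode()).hexdigest()


def mutations(base: str):
    """Yield single-rule mutations of `base` (a small subset of cracker rules)."""
    yield base.lower()
    yield base.upper()
    yield base.capitalize()
    yield base.translate(LEET)
    for s in SUFFIXES:
        yield base + s
    # Bump a trailing number even when symbols follow it: Summer2019! -> Summer2020!
    m = re.match(r"^(.*?)(\d+)(\W*)$", base)
    if m:
        stem, digits, tail = m.groups()
        for delta in (-1, 1, 2, 3):
            yield f"{stem}{int(digits) + delta:0{len(digits)}d}{tail}"
    # Drop trailing digits/symbols so later rules can re-append others.
    stripped = re.sub(r"[\W\d_]+$", "", base)
    if stripped and stripped != base:
        yield stripped


def variants(base: str, depth: int = 2) -> set:
    """Apply up to `depth` rules in sequence; returns the deduplicated candidate set."""
    found, frontier = {base}, {base}
    for _ in range(depth):
        nxt = set()
        for pw in frontier:
            nxt.update(mutations(pw))
        nxt -= found
        found |= nxt
        frontier = nxt
    return found


def find_reuse(leaked: str, target_hashes: dict, depth: int = 2) -> dict:
    """Map each target account to the variant matching its hash, or None."""
    lookup = {sha256(v): v for v in variants(leaked, depth)}
    return {acct: lookup.get(h) for acct, h in target_hashes.items()}


def normalize(pw: str) -> str:
    """Canonical form for the defensive check: strip trailing digits/symbols,
    lower-case, undo common leet substitutions."""
    pw = re.sub(r"[\W\d_]+$", "", pw)
    return pw.lower().translate(UNLEET)


def is_trivial_variant(candidate: str, known: str) -> bool:
    """True if `candidate` is only a cosmetic variation of `known`.
    Heuristic: run it at password-change time, when both values are available
    in plaintext, and reject the change."""
    return normalize(candidate) == normalize(known)


# Constructed sample data for the example.
LEAKED_CORPORATE = "Summer2019!"
TARGETS = {
    "shopping": sha256("summer2019!!"),
    "banking": sha256("Summer2020!"),
    "unrelated": sha256("correct horse battery staple"),
}

if __name__ == "__main__":
    for acct, pw in find_reuse(LEAKED_CORPORATE, TARGETS).items():
        print(f"{acct:10} -> {pw or 'not recovered'}")
    print(is_trivial_variant("Summer2020!", LEAKED_CORPORATE))   # True
    print(is_trivial_variant("correct horse battery staple", LEAKED_CORPORATE))  # False
```

Two rule applications are enough to recover both derived passwords from the leaked one, while the unrelated passphrase is untouched; that asymmetry is the whole argument for a password manager or a hardware token rather than "three passwords that are really one".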
C) Trust is the lubricant of speed
Build relationships. How can companies support CI/CD and make sure that security is engaged early in the process? Can we automate static code analysis and vulnerability management before an application is promoted to production? Someone quipped that famous line from the Most Interesting Man in the World: "I rarely test my code, but when I do, I do it in production."
That got a guilty chuckle. One CISO shared his own success story of how he rose through the ranks from engineer to CISO by building relationships with the business and cutting down on security-engineering speak. Security can be an enabler for digital transformation if it is engaged early on. Security folks should be aware of how they are perceived: are they considered a trusted advisor or an inflexible naysayer?
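One way to answer "can we automate static analysis before promotion" is a pipeline gate that reads the analyzer's output and blocks the promotion on unresolved high-severity findings. The following is an added example of mine, not code from the original post or from any tool named there. It assumes the analyzer emits SARIF 2.1.0 (the interchange format most static-analysis tools can write) and that a result's `level` field is populated; the rule IDs, file paths and the risk-acceptance list with review dates are constructed for the example.

```python
"""CI promotion gate over SARIF static-analysis output (added example).

Blocks promotion if any `error`-level finding is not covered by a risk
acceptance that is still within its review date. Dates are ISO strings,
which compare correctly as plain strings.
"""

# Constructed SARIF 2.1.0 document standing in for a real analyzer's output.
SAMPLE_SARIF = {
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-sast"}},
        "results": [
            {"ruleId": "SQLI-001", "level": "error",
             "message": {"text": "string-built SQL query"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/db.py"},
                 "region": {"startLine": 42}}}]},
            {"ruleId": "HARDCODED-SECRET", "level": "error",
             "message": {"text": "credential literal"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/config.py"},
                 "region": {"startLine": 7}}}]},
            {"ruleId": "UNUSED-IMPORT", "level": "warning",
             "message": {"text": "unused import"},
             "locations": []},
        ],
    }],
}

BLOCKING_LEVELS = {"error"}


def findings(sarif: dict) -> list:
    """Flatten SARIF results into (ruleId, level, 'file:line') tuples."""
    out = []
    for run in sarif.get("runs", []):
        for r in run.get("results", []):
            locs = r.get("locations") or [{}]
            phys = locs[0].get("physicalLocation", {})
            path = phys.get("artifactLocation", {}).get("uri", "?")
            line = phys.get("region", {}).get("startLine", 0)
            out.append((r.get("ruleId", "?"), r.get("level", "warning"), f"{path}:{line}"))
    return out


def gate(sarif: dict, accepted_until: dict, today: str):
    """Decide whether the build may be promoted.

    accepted_until maps ruleId -> ISO date until which the risk is accepted.
    Returns (may_promote, blocking) where blocking lists (ruleId, location).
    """
    blocking = []
    for rule, level, where in findings(sarif):
        if level not in BLOCKING_LEVELS:
            continue
        until = accepted_until.get(rule)
        if until is not None and today <= until:
            continue  # accepted risk, still within its review date
        blocking.append((rule, where))
    return not blocking, blocking


if __name__ == "__main__":
    ok, blocked = gate(SAMPLE_SARIF, {"HARDCODED-SECRET": "2030-01-01"}, "2025-06-01")
    print("promote" if ok else "BLOCKED", blocked)
```

The review date on each acceptance is the part teams tend to skip: without it, "accepted risk" silently becomes "permanently ignored", and the gate stops being a control. Run it as the last step before the production deploy job and fail the job on a non-zero result.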
The drive to Lawry's Prime Rib can be challenging in busy LA traffic, but the drive back was faster as the traffic thinned out, much like the hesitation in our heads. The office-goers went back to their individual premises, much like the theme of our discussion that evening. Digital transformation can be a tough balancing act for information security: frantic like the early hours of the evening, but settling down with the calm of the night. We have to go out and embrace new technology; those who don't will miss out. Thanks to Gina Stillman for the invite.