DAN LOHRMANN, CHIEF STRATEGIST & CSO, SECURITY MENTOR, INC. SEPTEMBER 6, 2017
WHAT'S ON THE AGENDA...
INTRO ON CULTURE
CYBER THREAT TRENDS
GLOBAL CHALLENGE
IOT + OTHER REGULATIONS COMING
THREE STORIES: HOW CAN WE PREPARE FOR FUTURE CYBER CHALLENGES?
THE JOURNEY TO A CULTURE THAT ANTICIPATES CYBER RISK
FINAL THOUGHTS
The Power of Culture
Peter Drucker: "Culture eats strategy for breakfast." Culture isn't the enemy of strategy and performance, but an equal player in the game, not to be underestimated or overlooked.
David Novak, co-founder and former CEO of YUM Brands, on how he built YUM Brands: "Success is all about culture," and "Build your team with a set of core values and staff recognition. Say thank you."
MIT Sloan: Achieving Digital Maturity
Based on a 2017 global survey of more than 3,500 managers and executives and 15 interviews with executives and thought leaders, MIT Sloan Management Review's third annual study of digital business reveals five key practices of companies that are developing into more mature digital organizations.
1) Implementing systemic changes in how they organize and develop workforces, spur workplace innovation, and cultivate digitally minded cultures and experiences.
Reference: http://sloanreview.mit.edu/projects/achieving-digital-maturity/
Future of Work: Alternative Workforce
Deloitte's Future of Work: Culture Still Key
http://www.prnewswire.com/news-releases/deloitte-the-future-of-work-is-here-and-organizations-should-stop-speculating-and-start-acting-300497223.html
Small group exercise: Break into groups of 3-5.
Where were you on 9/11/01?
1)
2)
3)
What was security like before the event (offline + online)?
What was security like after the 9/11 event (offline + online)?
Do you have a culture of security now? Yes or no, and why?
CYBER THREAT RECAP 2014
CYBER THREATS 2015-2016
CYBER THREATS 2017 - CHANGE & GROW
Symantec: Ransomware will attack the cloud
McAfee: IoT malware opens a backdoor into the home
Kaspersky: Commodification of financial attacks
LogRhythm: Entire Internet will go down for a day
Everyone: More DDoS attacks via IoT
Everyone: Lack of trust, more fake news
White Hat Security: Nothing will change
Forcepoint: Rise of the corporate-incentivized insider threat
FireEye: Security integration and orchestration considered the benchmarks of new technology investment
You Ain't Seen Nothing Yet
IDC: 2017 will be worse in every aspect of information security
Global Cyber Emergency: Ransomware Epidemic
INTERNET OF THINGS AT RSA17 & GARTNER RISK SUMMIT
A NEW BUZZWORD FOR ALL TECH?
- HUNDREDS OF IOT HEADLINES
- NEW PRODUCT ANNOUNCEMENTS
- INTERNET OF THINGS (IOT) THEMES RELATED TO ATTACKING DEVICES: CONSUMER, CRITICAL INFRASTRUCTURE COMPONENTS, GOVERNMENT, SMART (EVERYTHING)
- PANELS
- MENTIONED IN MOST PRESENTATIONS ACCEPTED
- HANDS-ON IOT DISPLAYS IN BASEMENT OF MARRIOTT MARQUIS
BOTTOM LINE: IOT WAS THE #1 TOPIC AT RSAC 2017 IN SAN FRANCISCO
Homework: Regulating the Internet of Things, by Bruce Schneier
https://www.youtube.com/watch?v=b05ksqy9f7k
How Can We Build a Culture That Anticipates Cyber Risk? Three Stories to Help
#1 LEARN FROM HISTORY: SECURITY REPEATS ITSELF, WITH A TWIST
MICHIGAN'S WIRELESS ADVENTURE. FROM WIRELESS TO CLOUD TO MOBILE TO INTERNET OF THINGS: INITIAL DEPLOYMENTS LACK SECURITY. TWO OPPOSING CAMPS EMERGE: LEADING-EDGE ADOPTERS AND SECURITY NAYSAYERS.
SECURITY LEADER BALANCING ACT: ONE EXTREME... TO THE OTHER
ONE EXTREME: SECURITY IS A DISABLER. THE ANSWER IS: NO! (WHAT WAS THE QUESTION?) ALL NEW IDEAS ARE BAD, NOT SECURE.
THE OTHER: COOL FEATURES NOW, GO FOR VIRAL. FIRST TO MARKET, WE'LL ADD SECURITY LATER. WHAT SECURITY?
Find the middle road. Make security an ENABLER!
SECOND STORY: FROM CYBER STORM ONE
Cyber Storm I, 2006: global, multi-national exercise. Michigan was one of three states participating in both.
How much would you pay for a new mainframe in a crisis?
SECURITY LESSON #2: FUTURE ENEMIES ARE NOT ALWAYS OBVIOUS. CYBER THREATS (AND ACTORS) ARE EVOLVING.
QUESTIONS TO ASK:
1. WHAT NEFARIOUS PURPOSE COULD BE APPLIED TO WHATEVER I'M INVENTING IN IOT?
2. WHAT PROTECTIONS ARE IN PLACE?
3. WE'VE BRAINSTORMED TO SOLVE THE PROBLEMS, BUT WHAT NEW PROBLEMS ARE WE CREATING?
THIRD LESSON: WE MUST CONSTANTLY LEARN & ADAPT TO NEW CULTURES
KEY QUESTIONS:
WHAT NEW NORMAL IS BEING CREATED WITH TECHNOLOGY INFRASTRUCTURE PLATFORMS?
WHAT ASSUMPTIONS ARE BEING BUILT INTO YOUR CULTURE? WE ALL HAVE BLIND SPOTS. ASK: WHAT IF?
CULTURE CHANGE: WILL THERE BE A CYBER 9/11 CHALLENGING ASSUMPTIONS?
ONE EXAMPLE: IDENTITY MANAGEMENT. THE SMARTPHONE BECOMES A UNIVERSAL REMOTE.
The Pragmatic Journey: 7 Keys to Strengthen Your Cybersecurity Culture
1) Genuine Executive Priority and Support
2) Honest Risk Assessment to Measure Security Culture Now
3) A Clear Vision of Where You Want Your Security Culture to Be
4) A Cyber Plan (Roadmap) to Arrive at Your Destination
5) Clear Cybersecurity Communication to the Masses
6) End User Security Awareness Training for Everyone
7) Celebrate Success with Food and Fun. Say thank you!
Reference: http://www.govtech.com/blogs/lohrmann-on-cybersecurity/seven-keys-to-create-a-positive-culture-for-cybersecurity.html
The Journey: In Other Terms
MISTAKES: MAKING TRAINING A PUNISHMENT
How about you? Is this another iPad-like craze?
MY (FITBIT) WATCH:
1)
2)
3)
4)
RESULTING IN:
1)
2)
3)
4)
5)
Final Thought - Phone a Friend - We need partnerships to succeed
PARTNER: YOU CAN'T DO IT ALONE
OUR VALUED ECOSYSTEM INCLUDES (OPS AND PLANNING):
DEPARTMENT OF HOMELAND SECURITY (DHS)
MICHIGAN INFRAGARD
MULTI-STATE INFORMATION SHARING & ANALYSIS CENTER (MS-ISAC)
FBI, OTHER STATES, LOCAL GOVERNMENTS, PRIVATE SECTOR CONTRACTS
MICHIGAN INTELLIGENCE OPERATIONS CENTER (MIOC)
RESOURCES:
Stay Safe Online: https://staysafeonline.org/re-cyber/
The No More Ransom Project: HTTPS
The Department of Homeland Security (DHS) Critical Infrastructure Cyber Community, or C³ (pronounced "C Cubed"): https://www.uscert.gov/ccubedvp
The Federal Trade Commission's Start with Security: https://www.ftc.gov/news-events/audio-video/video/start-security-freeresources-any-business
THANK YOU!
Contact Information: Dan Lohrmann, Chief Strategist & CSO, Security Mentor, Inc.
Email: dlohrmann@securitymentor.com
Blog: Lohrmann on Cybersecurity & Infrastructure
Connect on LinkedIn or Twitter: @govcso