Jun 17, 2020
James Nelson, VP of Infosec, Illumio
How has COVID-19 changed cybersecurity? Why is cyber resilience especially important now? What are the most important steps to ensure cyber-resiliency? How do you talk to business leaders about investing in cybersecurity to boost resiliency?
The best way for organizations to keep their ‘crown jewels’ secure is adopting a Zero Trust mindset. Organizations need to take advantage of adaptive security infrastructure that can scale to meet current and future organizational needs, and take steps to ensure even third-party hosted data is policy compliant.
Most CISOs don’t talk to the board regularly, so they don’t understand that risk is the conversation the board wants to have. The security team’s spokesperson should bring an intelligent plan that shows how badly things could go. Showing how money is directly connected to mitigating those risks is vital to getting the funding needed, as is showing why an increase in spend corresponds to a decrease in risk.
Doug Barth and Evan Gilman - https://brakeingsecurity.com/2017-017-zero_trust_networking_with_doug_barth
part1 with Masha Sedova: https://traffic.libsyn.com/secure/brakeingsecurity/Masha_sedova-elevate_security-profiled-education-phishing-part1.mp3
Visibility into your environment
Controls necessary to repel attackers
Architecture of the network to create chokepoints (east/west, north/south isolation)
Threat modeling and regular threat assessment
Mechanisms to allow for rapid response
How long will current security controls hold a determined attacker at bay?
Business-wide Risk Management response can often determine resiliency in a Crisis/Breach situation.
Cyber-Resiliency Framework (per NIST SP 800-160 Vol. 2: https://csrc.nist.gov/publications/detail/sp/800-160/vol-2/final)
What does “cyber resiliency” mean to the organization? To the department? To the individual? And what does it mean for the mission or business process the system is intended to support?
Which cyber resiliency objectives are most important to a given stakeholder?
To what degree can each cyber resiliency objective be achieved?
How quickly and cost-effectively can each cyber resiliency objective be achieved?
With what degree of confidence or trust can each cyber resiliency objective be achieved?
(What do we as security people do to ensure that all of these are properly answered? --brbr)
Architecture of systems:
Depending on the age of our information systems and technology stacks, cruft builds up, or one-off systems are set up and forgotten.
We (the infosec industry) talk about shifting security left in a DevOps environment to ensure security gets built in, but what should we do as an organization when we think about adding systems in terms of cyber-resilience? (It would seem that resilience may also be tied to the security or functionality of a piece of hardware or software. Proper understanding of all of a system’s capabilities/settings/options would be essential for drafting responses --brbr)
Some related and tangential suggestions for ideas/comments/themes/topics in case you feel like any fit into the conversation: