CDM Media Virtual Summit Explores How IT and Data Security Leaders Prepare for the Unexpected While Assuring Business Continuity.

While Covid-19 has forced IT to reimagine how work gets done, it hasn’t diminished the pace of change and thirst for direction in the constantly shifting IT landscape, particularly when it comes to cybersecurity. 

That was evident at a recent CDM Media West Virtual Summit, where industry experts and top practitioners gathered to discuss, among other things, security trends, the need to think creatively about new architectures, and how to drive innovation.

With organizations already facing increased risks because of digital transformation efforts – which have expanded the attack surface, added complexity and introduced new compliance concerns – Covid-19 has upped the ante, says Renee Tarun, Deputy CISO of Fortinet.  Organizations have had to vastly scale their remote workforces and secure all of those connections and devices. And this at a time when bad actors are using AI to churn out zero-day attacks.

Of course, technology alone isn’t the answer to any security challenge, she says.  You need to address: people (build a culture where everyone sees they have a role to play); process (so it is clear what assets you have and how they are protected, and have policies and procedures in place before anything happens); and tech (automating what you can to free up experts to focus on higher order challenges and leveraging convergence – say, of the NOC/SOC – instead of fighting it).

The migration to cloud also continues to complicate the security picture, says Brian Johnson, SVP of the Cloud Security Practice at DivvyCloud by Rapid7.  While cloud adoption simplifies aspects of IT and helps drive innovation, it also introduces complexity and problems you didn’t have to deal with before. 

When cloud is adopted, he says, the asset count explodes (more server instances and resources such as load balancers to manage), many more people are touching these resources, and the resources change far more often.  “It becomes a giant noise problem,” Johnson says.  You need to automate away the noise to focus on the signal. 

Given the problem is exasperated with multi-cloud, he argues enterprises need to adopt a unified data model and build Cloud Security Centers of Excellence to bring together diverse teams to expediate learnings.

Tony Bishop, SVP, Growth Platform & Marketing at Digital Realty, was also calling for adoption of a new model at the Summit, a data-centered architecture.

Data has gravity, Bishop says, because once it is created it gets processed through various interactions and transactions, then it is aggregated and exchanged, then analyzed and enriched, then re-aggregated and exchanged, etc.  That makes data hard to move and stresses the common practice today of backhauling data to a central location.

This practice is increasingly untenable given data often needs to be local for regulation purposes, and needs to be integrated with other data, some of which is on premise or in the cloud.  A better approach, Bishop argues, is to adopt a data-centered architecture: create data exchange centers at points of presence around the world and bring users and cloud services to those centers.

Jose Gomez, Sales Engineering Manager at Imperva, has a different take.  He says with the threats today you need to be able to safeguard the edge against things like DDoS attacks, your apps with tools like Web application firewalls and runtime protections, and the data itself using database activity monitors and other tools. 

“Everything needs to work together to protect all paths to the data,” he says.  “Whether those threats come from the outside or are insider threats, and regardless of where the data resides, on premise or in the cloud.”  Ideally you want user-to-data tracking, the ability to know where your data is, who is accessing what apps and what data, and where your data goes.

New wrinkles

Even problems IT has already “solved” are surfacing anew.  Consider BYOD.  Researchers forecast that within 5 years 30% of enterprises will need to enhance their BYOD policies as workers show up with wearable technologies, personal applications and even IOT devices such as smart speakers, says Nemi George, VP, Information Security Officer at Pacific Dental Services.

Security professionals are trained to block, stop and control, he says.  “We have to reinvent ourselves so we’re in a position to support what the workforce demands.”

Besides the usual considerations around privacy and support, smart watches raise simple questions about a user’s willingness to enter 6-digit passwords, say nothing about compliance questions for devices that collect health information.  How will your policy scale across these new use cases?

George believes BYOx will require a shift away from perimeter defenses to a zero-trust model where every connection requires validation of the user and device ID.

Ultimately, however, the industry has to confront the elephant in the room:  Traditional security can’t keep up.  There are too many tools, too many alerts, too much complexity and too few experts, says Chris Bontempo, IBM Security Marketing Leader. 

The industry has to get behind Open Source efforts to build a sustainable security platform that simplifies and accelerates enterprise security efforts and promotes cooperation among practitioners and among industry suppliers, he says.  The goal is to build a more unified approach that spans tools and teams and enables work to get done faster. 

Many open source security projects are already underway, including work on standards to facilitate interoperability of tools, development of new code to address gaps in commercial products, and in areas such as intelligence and analytics.  One project, called STIX Shifter, is designed to translate security queries into queries native to multiple tools and then translate the responses to present an integrated view of indicators of compromise.

Ideally suppliers could eventually integrate their wares using open source constructs and save enterprises from that difficult job. 

Facilitating innovation

The problem with many of the innovations discussed is getting there from here.  Change is daunting, and with cloud, the internal IT team is no longer the only game in town.  To compete, says Charles Nelles, VP Global Infrastructure at American Express Global Business Travel, IT has to offer the same performance and functionality at similar costs, AND, most importantly, high value to the customer.  In other words, deliver the “cool” factor.

That’s hard because technical debt and complexity slows down decision making. But shifting the mindset can help when you’re pursuing innovation, Nelles says.  He recommends the new island approach.  Instead of trying to change the minds of people on your island, create a new island and invite along people that are excited about being part of something new. 

Juan Orlandini, Chief Architect, Insight Cloud & Data Center Transformation, Insight, concurs, saying change is better in small bites.  He gives the example of rethinking IT operations to support development teams focused on innovation.  “You need to start with a small project where you can show meaningful change,” Orlandini says.  “Then do quick short sprints to show the project is real and that will help change people’s minds.”

Many organizations have taken the new island approach with digital transformation efforts, which are typically focused on rethinking how to best serve customers. 

These efforts are critical because customers today hold all the power, says John Murphy, Enterprise Account Executive at Freshworks.  If customers get frustrated, they can use social media to sink you.  That power enables them to demand exceptional service, meaning enterprises can no longer just offer a call service and call it a day.

If you want to create customers for life you need to be able to engage with customers everywhere (phone, email, chat, bots, social media, etc.), predict their needs (suggest other things they might want/need), and be able to consider the context of their query to make your engagements more meaningful, Murphy says.

To win, you need to be able to create a centralized customer record that draws in every customer interaction — from sales calls to social media mentions, support calls, email queries, etc. – and then leverage AI to help customers help themselves or help your agents help them better.

While Covid-19 has imposed a new normal on IT work practices, the discussion at CDM Media’s West Virtual Summit made it clear that it is still business as usual, with practitioners trying to harness the latest advances to protect their organizations and find new ways to drive business innovation.

Dear readers,

Back in September 2008 (one year in to founding CDM) we ran our very first summit for C-level execs in financial services. Little did we know that Lehamn Bros, Bear Stearns , WAMU and others would (unfortunately) declare bankruptcy four days before our very 1st gathering in Scottsdale, AZ. The summit (somehow) run exceptionally well and we ‘bared the storm’

This is different, but COVID-19 has businesses concerned and the event industry is no different. Large scale events like SXSW & RSA are seeing premier sponsors back out. The Mobile World Congress was cancelled and major companies like Visa, Facebook, and Ford are limiting work travel for their employees.

At CDM Media, we host/support 300+ events every year. We specialize in local, intimate summits, think tanks, and roundtable dinners which are very different to the large scale global/national events that we’ve seen cancelling/shifting in days gone by. With smaller numbers, comes more contained environments but even still, we are closely following constant updates surrounding the Coronavirus to make sure we are keeping our attendees & partners as safe as possible. My team are following guidance from the World Health Organization (WHO), the US Centers for Disease Control and Prevention (CDC), as well as keeping up to date on travel restrictions, whilst seeking general advice from local government agencies/officials. In addition, we’ve spoken to all our event host partners who will be playing their part to provide locations that are safe and sanitized. Proactive management has helped our clients/attendees prepare and plan with purpose. Knowing that, our number one priority is people’s health and safety.

Right now it’s business as usual for our events and given the outstanding support from both our C-Suite community and event partners, we’re very optimistic that our events will go ahead as planned. For our part, we will continue with our relentless efforts to make them incredible learning, sharing, and networking experiences.

The ripple effect of concern surrounding this virus can be felt in various industries and communities. We have ongoing discussions with our staff about keeping them safe and following protocols set by the WHO and CDC. Like most other industries, precaution is key and we will continue to do what is in the best interest of safety, for everyone involved.

Sincerely,
Glenn Willis
CEO

PS- We urge all CDM event attendees to adopt the ‘virtual handshake’ (elbow pump/heel tap) at our upcoming events.

Wouldn’t it be nice if life were more automated? Thankfully it is. Before we start panicking that robots will steal our jobs, let’s focus instead on how robotics and AI can improve our jobs. Some industries (like sales) depend on personal touches, but there’s more to sales than just a phone call.

The best sales tend to stem from lengthy research. When aspects of research are automated, an algorithm can quickly identify buying trends. Data extracted by AI gives a more rounded picture of a sales target than old school methods. Decisions can be made based on data rather than hunches. This efficiency can cut the time ordinarily spent at the top of the funnel.

The same way travel companies use an AI algorithm for setting airfare prices, sales companies can use AI to customize price proposals for the most advantageous deals. AI can also be helpful in determining whether a customer is likely to go for an up or cross-sale. Sometimes the cross or upsell with the wrong target can end a deal in its tracks. Reliable forecasting can fix that.

Sales organizations that resist the imminent AI advances will likely struggle. Historically the sales industry is slow to adapt to big tech changes. As more companies digitize operations, the days of cold calling will become extinct. Even today, many corporate email and phone systems have machine learning in place to screen out unwanted solicitation.

Companies that embrace AI will reap its rewards. Consumer buying choices are already largely effected by AI. An algorithm determines what streaming choices are best suited to our tastes. Our phones know more about our buying choices than we do. Tracking pixels embedded in web pages generate retargeting that aims to get you to buy that thing you were looking at online. Organizations with the highest level of customer satisfaction are doing so by pivoting their sales strategy based on machine learned data.

More resources…

https://www.forbes.com/sites/forbesbusinessdevelopmentcouncil/2019/09/20/how-companies-are-using-ai-to-improve-sales/#180f06585dc0

https://www.resourcefulselling.com/ai-is-changing-sales/

Data security continues to be the biggest threat to most organizations in the US. With the new revelations (and subsequent charges in the 2018 Equifax breach) cybercrime will remain a trending topic. Many consumers are still waiting for a piece of their settlement from the class action lawsuit as a result of the breach.

What worries experts more than traditional hacking are the alarming rise in ransomware attacks. Ransomware differs from malware or a typical security breach in that victims’ software is held hostage until hackers are paid. Ransomware has become much more innovative. Some companies even specialize in it.

In the past ransomware was somewhat rare as it required criminals to be well-versed in coding. Today’s digital intruders are much savvier and work with third party programmers. This phenomenon is not all that different from Software as a Service (SaaS). Instead of useful, problem solving software, Ransomware as a Service (RaaS) lives in the shadows of the internet. Developers are creating and selling products that make ransomware easier to deploy.

One of the most egregious instances of ransomware occurred in 2016 when Hollywood Presbyterian Medical Center paid over $17,000 in bitcoin to get their operations back online. For hackers, medical records are a hot commodity as they have endless potential for blackmail.

The idea of hackers getting into medical and government records is a frightening notion, but scarier still is the remote capability to shut down operations of vital services. This is especially precarious when considering electric power grids. With an efficient RaaS program, even a low-level cybercriminal could potentially bring an organization to a total standstill. Cyberwarfare will likely replace the battlefields of yore. Instead of striking cities with drones, one could use ransomware or malware to suspend electricity and other forms of digital communications.

The best way to avoid paying out for ransomware attacks is to always be backing up your systems and data. Diversify backups between cloud and hard storage. With growing dependence on cloud storage comes a greater need for quality cloud security. As futuristic as ransomware attacks sound, having a contingency plan is another strategic way to avoid the fall-out. Just as your office has a plan for a fire or tornado, so too must there be a plan for data breaches and ransom attacks. As they say, a good offense is a good defense.

More Resources…

https://www.nytimes.com/2020/02/09/technology/ransomware-attacks.html

https://www.wired.co.uk/article/ransomware-2020

It’s no question the Iowa Democratic Caucus of 2020 was a mess. Reporting was delayed for days and what data did come out is subject to much scrutiny as data sets did not match up. While the 2020 election cycle moves on, many are left wondering what happened?

The simplest answer is that the app developed by former campaign staffers broke. Traditionally, the Iowa Caucus relied on precincts dialing in their results. This year, an external app was used so that election officials could report their results. The app was not previously tested and wasn’t able to handle the volume of submissions. The phone lines were also not equipped to handle the volume of inbound calls from election officials, leaving many people on hold for hours.

Cybersecurity experts are baffled by the lack of testing. The Iowa Democratic Party is reassuring media outlets that no hacking occurred, and the data was not compromised. With such seemingly minimal oversight, it’s hard to trust the future use of such an app. The results of future elections will likely be called into question if efforts to modernize processes aren’t fully vetted. The big world impact could be a continued decline in public trust of elections, which has serious implications.

What the situation in Iowa taught us is that critical voter data is vulnerable when newly developed technology is rushed into use. Unfortunately for the state of Iowa, this snafu has called into question its significance as a gauge for predicting election outcomes.

More Resources…

https://www.morningbrew.com/daily/stories/2020/02/04/went-wrong-iowa-caucuses

https://www.cnn.com/2020/02/04/politics/iowa-caucuses-what-happened/index.html

It’s been said that humans are becoming nothing but data for companies. That’s certainly a cynical outlook, but it’s not entirely wrong. As the CCPA ratchets up regulations on how companies can store and collect data on users, it begs the question what happens to our data after we die?

Several companies specialize in the destruction of your consumer data after you pass on. Recently California enacted data security laws that now allow you to request a company destroy any data they’ve collected on you. This option is currently only available to California residents, but it’s expected that other states will follow suit shortly.
If you’re dead, why would you care about your personal data? Good question. Think about it this way, all the iTunes music and movies you’ve purchased over the years, are actually the licenses to stream the content, not the actual content itself. Those licenses expire upon your end of life. Not leaving behind digital copies of your favorite films to friends and family may sound like a frivolous thing to worry about, but the implications of your digital footprint are much bigger.

Consider your medical records. The UK legally stipulates that medical records must be kept for at least 10 years after you die. Access is considerably restricted, but it is out there and subject to data breaches. Is there anything in your medical history you’d prefer stay private?

Most if not all search engine and email companies do not have any limits on how long it can store the private content of emails, cloud storage or other personal details. Would you be okay with your entire inbox being exposed to the world in the event of a breach? Probably not.

Some consumer companies do not have a great reputation for data security. When you are alive, you’re able to control what happens to your data and privacy in the wake of a data hack, but in death you and your reputation are powerless. There are things you can do now to prevent potentially embarrassing information to be leaked but it requires a careful comb of your digital profile. Perhaps you should be asking more companies to destroy your data, and maybe be more mindful about whose cookies you freely accept online.

More resources

https://www.forbes.com/sites/bernardmarr/2017/02/01/what-really-happens-to-your-big-data-after-you-die/#242b72e61184

https://www.technologyreview.com/s/612283/six-things-to-do-with-your-data-before-you-die/

If we’ve learned anything from global politics, it’s that every piece of technology equipment is vulnerable to hackers. The very idea of a data breach is enough to keep a security executive (or CISO) up at night. Bad press, huge revenue losses, eroded consumer trust and worse, heavy penalty fees have led the industry to develop the Zero Trust model.

Zero Trust is fairly literal. Meaning, it’s a security system that does not trust any user attempts to access (or work within the applications), of an enterprise system unless their ID can be verified at several points. It was created by John Kindervag of Forrester Research in 2018. Since then it’s become a buzz word that few truly grasp the meaning of.

Ordinarily, an organization’s data accessibility assumes that if you are able to log in, you can be trusted. This model has become outdated as cybercrime gets more sophisticated. 64% of organizations have experienced a phishing attack in the past year. Most hacks are the result of a phishing link in an email being clicked on. In fact, 90% of data breaches involve some sort of phishing element. Often the entry point for a hacker isn’t where the data they want lives, but it grants them access to whatever isn’t restricted. Zero Trust aims to make these kinds of scams impossible. If implemented correctly, attempts to hack into an enterprise system would trigger alarms for the security team, thus thwarting the attack before it starts.

Many organizations do not have the resources to entirely overhaul their current security measures, but thankfully Zero Trust is scalable to fit the needs of your organization. There are many iterations of Zero Trust and some of them may already be in use at your company. A lot of IT staffs have already started rolling out pieces of Zero Trust, including virtual seminars and fake phishing scam links in employee email accounts. The bigger Zero Trust picture is that data breaches are preventable, but it comes down to good training, strong security measures and knowledgeable security professionals.

Futher reading…

https://www.phishingbox.com/resources/phishing-facts

https://www.paloaltonetworks.com/cyberpedia/what-is-a-zero-trust-architecture

March 19, 2019 – Loews Hollywood Hotel, Los Angeles, CA

While there were subfreezing temperatures in Chicago, we were thrilled to hold our CIO and CISO Southern California Summits in beautiful Los Angeles, CA at the Loews Hollywood Hotel. These summits welcomed CIOs and CISOs as well as other IT/security executives throughout SoCal and featured conversations and thought leadership discussions around the latest topics including digital transformation, augmented analytics, smart spaces, cybersecurity, blockchain and much more.

A special thank you to our speakers for their excellent insight throughout this busy day:

• Tim Moran, Former Senior Vice President of Global Information Technology Financial Systems, Live Nation Entertainment (Master of Ceremonies)
• Paul Love, CISO, CO-OP Financial Services – All Eyes on You
• Nayaki Nayyar, President, Digital Service Management, BMC Software – BMC Helix: Future of Service Management
• Jeanne Holm, Deputy Chief Information Officer, City of Los Angeles – The Future of Autonomous Things
• John Gormally, Strategic Account Manager, BlackBerry – IOT EOT Security and Beyond!’
• Charles Sims, Director of IT, LA Clippers – Leveraging Cloud Identity for a Secure & Automated Enterprise platform
• Nemi George, Vice President, Information Security Officer | Service Operations, Pacific Dental Services – The Solution for Your Legacy System’s Security: The Cloud
• Amanda Mosello, Senior Security Engineer, Imperva – From the Front Lines: 5 Best Practices for Application Defense in Depth
• Guy Reams, Regional VP, Insight Cloud + Data Center Transformation – The Power of Pink: A Curious Investigation into the Influence of Female Leadership
• Brad Beutlich, Vice President of Sales Western Region and LATAM, nCipher – Relying on Perimeter Security is Dead
• Mark Norato, Senior Director, Healthcare Vertical, Tableau Software – Tableau’s 2019 Top 10 Business Intelligence Trends: Understand what’s driving BI innovation in Healthcare and Large Enterprise
• Michiel De Bruin, Chief Information Security Officer, Community Memorial Health System – Machine Learning Is Here to Help, Not Replace
• Jacob Burgess, Area Information Officer, Kaiser Permanente – Immersive Experiences
• Aaron Hopkins, Regional Sales Manager, Capriza – How to Accelerate and Simplify Approvals, and Why It Matters
• Bryan Ackermann, SVP and CIO, Korn Ferry International – How Augmented Analytics Will Help Your Organization
• Richard Greenberg, Information Security Officer, County of Los Angeles – Breaches Are Everywhere. What’s a Good Security Leader to Do?!
• Matt Clemens, Technical Director, Arxan, Inc – Mobile and Web App Security: How Do You Know You Got It Right?

Also, special thanks to the panelists who participated in the Executive Visions panel, The Revitalizing Change in the Role of the CXO, as well as the Women in IT Panel, Building a High-Performance Team for Digital Transformation.

Executive Visions Panel:

• Tim Moran, Former Senior Vice President of Global Information Technology Financial Systems, Live Nation Entertainment (Moderator)
• Mark Van Holsbeck, CISO, Avery Dennison
• Lance Hassell, Chief Operating Officer, Covenant Care
• Kathy Linares, VP of IT, Insulectro
• Paul Love, CISO, CO-OP Financial Services

Women in IT Panel:

• Helen Norris, Vice President, Chief Information Officer, Chapman University
• Louise Brandy, VP of Enterprise Applications, Essex Property Trust
• Kathy Linares, VP of IT, Insulectro
• Nayaki Nayyar, President, Digital Service Management, BMC Software
• Nicole McMackin, President and CEO, Irvine Technology Corporation
• Carol Fawcett, Corporate Vice President, Chief Information Officer, Golden State Foods

We are confident that our attendees created new connections with their peers, uncovered one or more new ideas that will impact their digital transformation efforts and found several new solution providers that can help them achieve their goals. We look forward to seeing everyone again at next year’s CIO and CISO Southern California Summits!