This month, we hear about the inaugural International Cyber Expo, which was postponed multiple times due to the pandemic and focuses on cybersecurity on an international scale. Ian Thornton-Trump, the Chief Information Security Officer (CISO) at Cyjax, and Tristan de Souza present a retrospective on the exposition, which took place in London this year.
Security magazine brings enterprise security and risk professionals this entertaining and illuminating video podcast on the latest challenges and intriguing flashpoints within cybersecurity and the geopolitical landscape.
Much of the discussion centers on the importance of accepting the reality that a data breach is almost certain to affect a company at some point. With this mindset, says Thornton-Trump, CISOs and the entire C-suite can move toward preparing for “what we do after we get breached.” While preventing a breach must be a part of the plan, cyber-realism must also come into play.
And clearly breaches are not the only threat to organizations these days: ransomware stalks the landscape. After a summer of serious ransomware attacks, it seems the Biden administration may be considering taking the fight to the threat actors themselves. Thornton-Trump notes that by sanctioning the companies that are responsible for processing the ransom payments, as well as the cybercriminals themselves, the administration may finally be putting the squeeze on ransomware.
CISOs now see information security through a political lens, a cyber lens and the lens of traditional security concerns such as fraud. CISOs at different companies have different worries — some are focusing on recovering from data breaches, while others focus more heavily on prevention. Thornton-Trump and de Souza discuss a combination of these two focuses — breaches are inevitable, so structures must be in place to respond to them.
The CISO position is an advisory role, and CISOs need to make sure they are equipped with all the information the organization requires to resume normal business operations after a data breach. Part of the panel discussion Thornton-Trump participated in also circled around the CISO role as customer-facing. That is an interesting spin on the job — now, CISOs are expected to be the point person on cyber incidents for clients and customers.
One topic that trended at the show was the NSO Group exhibition. The NSO Group is known for its Pegasus software, which is implicated in the death of journalist Jamal Khashoggi and the release of over 50,000 phone numbers from politicians and activists. The group presented at the International Cyber Expo, and Thornton-Trump noted that the NSO Group has a problem with public relations and morality, which it needs to fix before it is welcome in the cybersecurity environment.
Another trending topic was the physical security presence at the Expo — Thornton-Trump remarks that physical security organizations oftentimes seemed more engaged and excited about new developments in the field compared to their cyber counterparts. One reason for this could be the sense of disappointment felt by cybersecurity leaders who have been let down by vendors in the past. The business side of the CISO role involves a lot of negotiation — fighting for budget increases that fund necessary security upgrades is an integral part of the job. Having business know-how and the ability to frame security spending as a savings tool in the long run are keys to being a successful CISO. “As cybersecurity becomes more about a risk to the organization, you need to be able to make business cases,” Thornton-Trump says. A good CISO doesn’t approach budget discussions alone — working alongside the financial and/or marketing departments can improve budget negotiations by educating other company members on the importance of security.
Looking to the future, our hosts discuss the reasoning behind inviting organizations like the NSO Group to exhibit on an international scale. Although there is a legitimate use for the surveillance software the NSO Group provides, we’ve seen many examples of security software, Cobalt Strike among them, being used in the criminal market and against activists and human rights advocates. The video podcast also speaks about rehabilitation — being a good internet citizen needs to be seen as advantageous to the organization. The NSO Group’s inclusion in the exposition is a step towards that mentality.
When we look at the use of cybersecurity tools by bad actors, considering the humanitarian implications of those uses is important for the cybersecurity sphere. With Pegasus allowing its users to see everything that someone does on the internet, the scope of the moral question around the technology must include its potential for nefarious use. When it comes to data privacy, large companies like Google and Apple also use surveillance to monitor internet activities. These uses raise questions similar to those around the NSO Group’s Pegasus software — can we separate intent from risk when it comes to cybersecurity tools?
Criminal use of malware generates funds that criminal organizations put towards the development of stronger malware — a circular problem that continues to feed itself. A start in the fight against ransomware is to target, at a financial level, companies operating out of countries on the U.S. sanctions list, which involves restricting their use of cryptocurrency and could decrease the amount of malware globally.
As cyberattackers like BlackMatter target pieces of critical infrastructure, the United States is poised to go after future attackers in the strongest possible way. The Biden administration’s redefinition of critical infrastructure to include food and product supply chains positions the government to respond to the recent cyberattack on the New Cooperative. The U.S. government’s support of businesses facing cyberattacks could play an integral role in the fight against cybercrime.
A final takeaway from the International Cyber Expo reveals that organizations are gaining a collective level of cyber awareness, which is the first step to defending against future threats. Circling back to the disappointment some cyber executives feel after being let down by aspirational vendors who ultimately don’t deliver, Thornton-Trump offers some advice: engage in collaborative efforts with security researchers to secure your product.