ChiBrrCon IV: Understanding risks and the role of the CISO
Dwayne McDaniel
Posted on February 22, 2024
There are a lot of fun facts to know about Chicago. You might have heard about the multi-topping hot dogs, the skyscrapers, or the fact the city dyes the river green every year. I also learned recently that Chicago is home to a university with an astounding 90+% job placement rate, Illinois Institute of Technology. We learned this from the president of the university, Dr. Raj Echambadi, as we gathered in one of their auditoriums to kick off ChiBrrCon IV.
Raj Echambadi, President of Illinois Institute of Technology, kicks off the 2024 ChiBrrCon
With over 600 registrants, this was the largest audience in the event's history. With 27 sessions to choose from, a digital escape room experience, villages, and workshops, there was content for everyone throughout this one-day event. The weather was unseasonably warm here in 2024, making it an extremely great day to get together for conversations, a lot of learning, and some fun. Here are just a few highlights from this year's event.
Understanding risk is key to managing security
"Did you know that space shuttle design is based around the size of a horse's rear end?" That is how Ira Winkler, Field CISO, CYE Security, began his keynote: "Your Cybersecurity Program is a Horse's Behind." What followed was a great talk on assumptions and managing risk.
The connection between horses and shuttles is due to the width of railroad tracks. While we use trains to move NASA equipment, those tracks still use this same width between rails today as when horses were still the primary mode of travel. He said we often do the same thing with our security budgets: we let the past model dictate how we forecast security needs. We need, instead, to challenge those assumptions and base our plans on the reality that we face today.
At the heart of his talk, Ira brought up measuring and communicating risk. We need to be able to translate the threats and vulnerabilities in terms of how much they could cost the company, along with estimates of what it would cost to fix the issues. He reminded us that there is no such thing as "zero risk" and that operating a business brings varying risks. Other teams care deeply about different types of risk than you might. Ira really set the tone for the whole day and event with his keynote, as there was a lot of conversation in the hallways about this very subject.
There is an accompanying article about this session recently published in Dark Reading if you want to read more on this topic.
Without being able to get the required budget, cybersecurity programs can't be responsive to evolving threats. @irawinkler #ChiBrrCon
Cybersecurity champions can help us all stay safe
Continuing with the theme of risk, Kyle Joerger, Technology Controls & Compliance Manager at CME Group, presented "Fostering Risk Culture with a Cybersecurity Champions Network," laying out the fact that security culture is really risk culture. Risk culture is all the attitudes and behaviors related to awareness and management of risks. If only the 'security' team cares about the topic, then it is going to be very hard to manage risk across the organization at scale. This is where Champions come in.
Cybersecurity Champions are employees who are naturally curious and interested in security and are willing to step up and speak out to help keep everyone safe. While they won't carry a security title, they will be the 'go to' security expert in their department, asking the right questions and sharing what they have learned about threat awareness and process adjustments the security team has researched.
This is a two-way conversation. Champions also act as a conduit for channeling feedback to the security team. As Kyle phrased it: "Having a champions network gets you a front-row seat to what others care about." With this insight, security teams can shape training and provide better tools in many cases.
If you want to start a Cybersecurity Champions program in your organization, check out the OWASP Security Champions Guide.
"Fostering Risk Culture with a Cybersecurity Champions Network" by Kyle Joerger
Rethinking default access
In a world where humans are, and are forecasted to remain, the weakest link in our security systems, we need a better way to manage access beyond passwords or even existing IAM roles. This was the basic premise of the session from Swapnil Pawar from Apex Fintech Solutions: "Secure Your Infrastructure with Cloud-Native PAM."
PAM stands for Privileged Access Management, though you may see the A stand for 'Account' in some conversations. PAM is a security framework built on the notion that identities need to be secured, not just managed, to protect your most valuable assets. PAMs work from a principle of delivering just-in-time access only when needed and only after verification. It is a way to embrace Zero-Trust architectures to deal with poor offboarding hygiene or situations where an attacker generates new users.
Swapnil also introduced the audience to the concept of Zero Standing Privileges, ZSP, which goes hand in hand with adopting PAM. Essentially, ZSP means that applications do not grant any permissions by default, and no long-term access is ever allowed. It is similar to how a good web application firewall will start with no ports open, meaning more configuration time but a safer overall stance.
"Secure Your Infrastructure with Cloud-Native PAM" from Swapnil Pawar from Apex Fintech Solutions
Hearing from the CISO's manager
Every ChiBrrCon has closed with a CISO panel, with Chief Information Security Officers sharing their stories from their time inside some complex organizations. This year was a bit different. The "Next Gen CISO Panel" didn't feature people with CISO titles, but instead, they invited the folks to whom CISOs report, essentially their bosses. The panel consisted of:
- Todd Fitzgerald, Vice President of Cybersecurity Strategy at Cybersecurity Collaborative
- Abbey Perkins, CIO at StoneX Group
- Nathan Winters, CFO at Zebra Technologies
- Sunil Shenoi, a Partner at Kirkland & Ellis
Each panelist made a similar comment that it is not that relevant who a CISO reports to. It is far more critical that they are able to talk in terms of risks and budgets. While security should be their primary area of expertise, they must balance those conversations with the other competing realities and risks of the business.
Abbey made a point that in an ever-changing threat landscape, it is important to be able to build relationships across teams. She suggested that people who want to get better at soft social skills and confidently present their findings should invest in improv training. While it might seem odd to inject an art known for comedy into a business conversation, she said it has helped the team at StoneX immensely in their communication and team building.
On a more somber note, Sunil reminded us that the CISO role will likely become a lot more visible as we see more congressional hearings and public scrutiny, as we have with SolarWinds. Anyone who wants to go down this career path needs to be prepared for that eventuality.
Bringing the conversation back to risk, each panel member made a point about striking a balance between being too transparent and just generating noise and not being transparent enough, making it impossible to build trust. The higher you go in an organization, the more critical it is to concisely and effectively communicate your recommendations and findings while accepting that every organization operates with some level of risk at any time.
Next Gen CISO Panel at ChiBrrCon
Managing risk means having good data
Your author was fortunate enough to present the session: "Stand Up Straight - Security Posture And You." This talk is all about understanding how the various tools of Application Security Posture Management, ASPM, and Cloud Security Posture Management, CSPM, for example, have evolved and what underlying problems they are trying to solve. I believe it all comes down to helping you answer the question of "What do I work on next?" based on available data about your risks and required efforts to remediate any known issues.
Throughout the event, risk was front and center of nearly every conversation. No matter what area of security you are focused on, from the CISO all the way to the Cybersecurity Champion, it all comes down to managing risks. How clearly we communicate about these risks and how we balance the competing priorities to remedy them is a challenge we all deal with. It is great to be part of a community where this is very well understood.
I hope to see you at ChiBrrCon next year, or perhaps sooner, and closer to you. Check out our Event page to see where the GitGuardian team will be speaking and make plans to come to say hello.
Posted on February 22, 2024
Join Our Newsletter. No Spam, Only the good stuff.
Sign up to receive the latest update from our blog.