ISMG Editors: London Summit HighlightsDiscussion Outlines Key Trends and Themes
In the latest weekly update, four editors at Information Security Media Group discuss highlights from ISMG's in-person London Summit which took place this week, including the most concerning emerging threats if collateral damage from the Russia-Ukraine war isn't all it was reputed to be, building a cyber risk playbook that helps businesses identify actual exposure, and how stress and burnout are emerging in the workplace today.
The editors - Anna Delaney, director, productions; Tony Morbin, executive news editor, EU; Mathew Schwartz, executive editor, DataBreachToday & Europe; and Tom Field, senior vice president of editorial - discuss:
- The future threat landscape;
- The art and science of translating cyber risk and loss exposure into quantifiable measures;
- Protecting the health of our security leaders and their teams.
The ISMG Editors' Panel runs weekly. Don't miss our previous installments, including the May 13 edition discussing what have we learned from the Conti leaks and the May 20 edition discussing the case of the "Dr. Evil" of ransomware.
Anna Delaney: Hi, welcome to the ISMG Editors' Panel. I'm Anna Delaney, and this is our weekly conversation around the most important themes in the industry. And joining me this week are Tom Field, senior vice president of editorial; Matthew Schwartz, executive editor of DataBreachToday and Europe; and Tony Morbin, executive news editor for the EU. Great to see you all! Long time!
Tom Field: It's odd to see each other virtually now.
Delaney: Yeah. You remember how that feels?
Matthew Schwartz: It's a poor substitute for the real thing, I feel.
Tony Morbin: Two years of seeing Tom twice a day, and then, before I actually see him in person, but yeah, great to see people in person.
Delaney: Yes. For our audience, we all met in London this week for the ISMG London Summit, as you can tell by our backgrounds. So Tom, talk us through your background.
Field: I think I was with you when I took that picture, you and Matthew on the way to dinner the other night after our cybersecurity summit. We were then near Southbank, and lovely picture as the sun was starting to set behind the London Eye. And of course, we got colorful photos on the way back as well. That was a nice way to cap off several days in London with the opportunity to bring the team together and to host our first live summit event in two and a half years.
Delaney: Yeah, it was fabulous. Tony?
Morbin: Yeah, pretty standard House of Commons, Big Ben, but without the scaffolding. As Tom was mentioning, we can actually see it now. It's a lovely view.
Delaney: And, Matt, you've got a rather arty shot, but still London.
Schwartz: Still London. This is Kings Cross as I was pulling out of the station on my way back home up to Scotland. So a little bit of blurry train motion. Feelings of loss and regret having to leave London after a successful event and seeing everyone in person.
Delaney: Yeah. It was two years since you've been here as well.
Schwartz: Nearly, yes. It was wonderful to be back. There were attempts to do it before, but there's been some ups and downs the last couple of years. Great to finally make it.
Delaney: And I'm showing you another side of London — yesterday at the Chelsea Flower Show. London in full bloom. But there is a theme here, it is London. Tom, what were the highlights from the conference?
Field: Where do we begin? First of all, the notion that we did put on our first live conference event in two and a half years, having the opportunity to see speakers that we hadn't seen in that time and to meet new people and to have the vibrancy of the topics that we talked about whether it was ransomware, or resilience, or mental health. I think that we benefited from having the thought leadership of Don Gibson, the security leader with the UK's Department of International Trade, because he brought good topics and good speakers to us. He was a steady presence throughout the event. I think he kept us very tapped into the zeitgeist so to speak, that we're able to ensure that we were talking about the topics that were most relevant. We had speakers who were new to us, but certainly had great depth of expertise in their topic. It was such a terrific opportunity to bring everybody together. And of course, we had two stages going in at a time. We had a video studio going. So it was as much busyness as usual. But if I were to share, what for me was the single biggest highlight, and we're talking about the first live event in two and a half years in London, first opportunity to be up on the stage with this team, and the attendees that we had, the response that we had, the single highlight I will share with you, because it was this - it was the opportunity to get this team together for the very first time. Anna, you and I have worked together for two and a half years now. Tony, for about two years. Matt and Tony, you had never met before. Anna and Matt, you had never met before. Tony, you and I had never met before. The opportunity for us to finally get together and to be able to share this experience together on the same stage, in the same city was to me absolutely priceless.
Delaney: We all recognize ourselves in that pic. It was great. It definitely was.
Morbin: Or maybe do a haircut, didn't quite make it in time for the show.
Delaney: Tony, what were the highlights for you? What topics stood out?
Morbin: There was so much. I'm afraid I'm going to have to miss loads of it as I run through some of the things I particularly liked and a couple of quotes. The threat landscape hasn't changed one job from the Ukraine war. Russia was already a hostile threat. There has been a cyber war but the Russians have been the victims and they let not pick you out too early. And then basically saying that it's the shift to the public cloud and errors like misconfiguration and phishing are still a bigger threat than state APTs. Although one change we have seen is the increase hacktivist threat, and particularly the threat to reputation from hacktivists going forward. The normal things apply, keep up-to-date and look after ID. There's always going to be zero days, it's how we contain it when it happens. Use your ransomware playbook to defense against virtually any attack. Because the escalation from Ukraine fallout is going to be appropriate to defend against anything. Patch or be punished. Work from anywhere means you can be attacked from anywhere. Access control is a focus. Cloud security architecture misconfiguration cause whole loads of problems. One financial institution noted how administrators exchange information, they're their fund administrators exchanging information via email. What they're doing is looking to drive and shift the information exchange via portals that they can control them and control where the traffic's moving, shifting their business to architectures that are going to be more secure. Another interesting point was that pre-Colonial Pipeline, the only constraint on ransomware operators was the number of affiliate of affiliates they were able to get. Our defenses were incidental, including Colonial. As a result, we've seen a more vertical integration in the ransomware ecosystem and the focus of the ransomware gangs is now on smaller organizations that wouldn't be regarded as critical infrastructure — basically getting the heat off. It's not so much they're targeting as they are triaging where they've gained access. So they're going after the smaller victims. There was a nice line from one of the sessions you did - the global talent pool is there, but it's difficult to access due to legal issues of employment, cultural issues. For me, the big one was resilience. Once, business continuity was about one time event. Now it's all the time, and how do you continue to operate as a business. It was pointed out that business resilience and business recovery are different. Having a backup is not enough. You need good backups in place but it should encompass the whole business, including physical resilience, and a long term strategy of how to survive. Nothing's 100% secure, but you need to be comfortable with the level of risk you have. And also get a budget for unknown things that might happen. Who owns cyber risk is known by everybody in the business, but it needs to have board accountability. It's certainly not just an IT issue. Businesses need to be able to articulate their risk, what's the vulnerability, what's the impact of the risk, so you've got to come to the board prepared with a simple story. They own the risk, they're responsible for it. But businesses will only take ownership of the risk if they understand the risk and the value of the data or whatever it is at risk to quantify it and get the business to accept the risk.
Delaney: Great overview, Tony.
Field: If you missed the summit, please talk to Tony.
Morbin: I missed loads more I am afraid. You'll still miss a lot if you didn't go to the summit.
Delaney: I'll pass the baton to Matthew. I'm sure you'll have other stuff to add. But Tony did mention Colonial and Colonial came up a lot. It seems to be such a pivotal moment in the history of ransomware. We'd love your thoughts as to what you'd like to add, but also whether you learned anything new.
Field: If I can add, I think it's important to point out what Anna was talking about here. Colonial did come up increasingly. What's unique about that is that's an entirely American event and yet it had such repercussions. Matthew, go forward.
Schwartz: I had great discussions about Colonial Pipeline. I wonder if it's a lazy reference in the security industry now. I'm not calling anybody out definitely. I was at a conference in Dublin in November, on cybercrime, which was fantastic. Everyone was able to bring their own presentation. And everyone had a presentation on ransomware. It's a hot topic. It brings a lot of different things together that we've been battling/combating for years. Colonial Pipeline is interesting, because it has so many different aspects to it. I think when you're trying to illustrate both from the defensive side, the offensive side, and how governments have increasingly responded, it's a good example. Definitely it is not the only example. But as it was a year, almost to the day from when the Colonial Pipeline attack happened, I think it was a perfect example to be hearing at the London Summit. Unfortunately, we'll probably have lots of fresher examples as we go forward, especially with RSA coming up on us quickly. So I think it was great. But there was so much discussed, as Tom and Tony have highlighted. I love the line from Ian Thornton-Trump about cyberthreats. It was in the first session that we had, where he said, "Everyone expected Russia to launch cyber war. Russia, to its chagrin, has found that it's the target of numerous online operations instead." That was great. I had a good interview with Ian, in our studio, where he further expanded on the threat landscape, and we talked about all sorts of things. But drones, for example, have completely changed what's happening. And as he said, "Who knew that satellite communications would change the landscape." That is an online attack we saw from Russia on the very first day of the war, attempting to knock out satellite communications used for such things as artillery and also drones. Elon Musk's company swooped in with the Starlink terminals and hooked everything up. So much is happening, so many different aspects. On the ransomware front, the Russia-Ukraine war has also had some interesting effects, as people discussed. You had the National Security Agency saying we've seen the volume of ransomware attacks go down recently, we think because of the war, the difficulty of routing payments, perhaps, it is part of that to the criminals. So many different wonderful things to analyze. Tony obviously has called out a whole bunch of them. I want to continue the risk discussion, just very briefly, because we had such good speakers this year. Many of them were at the spear end of a lot of this stuff. We had Douglas Mujana, who is at Societe Generale. He's their vice president of Information Technology Risk. Who better to talk cyber risk? And him, together with Milos Pesic, who is also a cybersecurity executive, I had them on a panel, speaking about the art and science of translating cyber risk and loss exposure into quantifiable measures. Tony excerpted some of that, but one of the points I loved that they made, was communicating cyber risk in a way to not just the board, but also the business leaders, the heads of the different business lines of business. Communicating it in such a way that they understood, for example, if they're going to be suffering a downtime of three days, or working with them to say you're hit by ransomware, what do you think your outage is going to be? And working through that exercise, so that something like a ransomware attack isn't just scary malware, it's the fact that you can't use your systems for a certain amount of time, based on the controls and the backups, and the restoration that we have in place. Getting to a dollars and cents or pounds and pence bigger for what that impact is going to be. And then this goes into another session that I was also doing, but basically coming up with a way to express that in business terms. What is the risk? And we're quantifying that risk in terms of the dollar impact, the outage impact, the reputational impact, going before the board and saying, 'you own this, do you wish to spend to mitigate it?' Or are you okay to just say, 'we think we can handle that risk, we're not going to bother.' Do we need cyber insurance to help us? Just elevating that discussion. And it was wonderful to see the uptake and the interaction that these ideas had with the audience, great engagement. One of the things I loved is behavioral change and user awareness. And there's been a great shift in recent years to not blame the user, which is paramount. If security functioned well, we wouldn't need user inputs to help ensure that it succeeded. And I had a wonderful panel, including a gentleman from Airbus, Adam Wedgbury, who talked about bringing in behavioral psychologists, and even marketing professionals to help ensure that what they're doing isn't to design systems that they hope users will use in a certain way. But to understand human nature, and to try to design better security in a way that is easier for people to use, easier for them to do the right thing. As another panelist, Ash Hunt at Sanne Group, said, "If I am presented with a security control that relies on the user to ensure that it is effective, I veto it immediately." I think that's a wonderful, more mature, more helpful and hopefully more successful attitude that we're seeing when it comes to cybersecurity programs.
Field: Matt, if I may follow up on the resilience, a theme I heard not just at London, but even at the virtual roundtable I hosted after the event is security leaders involving their senior leaders and their boards in tabletop exercises, in preparation for events, to be able to incubate that awareness that you're talking about of the business risk, and who has a stake in it. A line that came out of the discussion that we had yesterday, I thought was interesting was, there are no game time players when it comes to cybersecurity incidents. In other words, you don't just check yourself into the game and you're ready to go. You do need to practice, you do need to rehearse. This is a theme I'm hearing consistently.
Schwartz: Great example about the tabletop exercises. Douglas Mujana from Societe Generale brought that up. He said, some organizations are doing a tabletop exercise every quarter. And it's two hours out of their day. It comes around and they go, 'Oh, no! Not this again.' He said, make it real, get in with the business and figure out what it is they're worried about or having to deal with. So that when you are doing these tabletop exercises, they are more interesting. They're relevant. It's some challenges that they are having to deal with. He said that he’s trying to get them excited about that. Not fear and uncertainty and doubt, but tailoring it to the things they're dealing with. He said, that's also huge in terms of getting buy in. And as you said, getting that practice and that mindset that you're going to need when things inevitably blow up on a Friday night.
Morbin: As I was saying, it was the building of muscle memory, weren't they? Because a lot of people in this industry are coming from military backgrounds, you don't fight wars every day, but you practice a hell of a lot.
Field: That's a good point. Anna, I hate to do this but I want to set you up for a conversation here. We've talked an awful lot about the London event. To me, the highlight of the content was the panel that you moderated at day’s end, about CISOs health, about mental health. And I've attended and moderated a lot of summits and panels. I've seen people laugh, I've seen people get angry. I've seen people get engaged. I'm not sure I've ever seen people cry until the session that you moderated. I think it was a highlight and I'd love to hear your take on it.
Delaney: Yeah, it was amazing panel and important discussion. And when we talk about security, underfunded and understaffed always come up. But we also talked about the resilience of our organizations. What about our people? We've been having great conversations this year about how cybersecurity is now a national security threat. The security-led leaders and their teams are now frontline workers and emergency workers. If we don't look after our people, how are we going to protect our systems and our organizations? There were some sensitive themes that were raised. And just showing that our leaders are human beings, and they have challenges as well. I do hope these discussions go further than discussions, though. How can we make change in organizations? The CISO of Penguin, Deborah Howorth did say that there's only so much your organization's can do. You have to look after yourself, you have to look up to number one. And that means putting boundaries in place, and whatever that takes to look after your well-being and the well-being of your teams as well. So I learnt a lot. I thought it was engaging. There was a very engaged audience as well, some great questions, I've got to say.
Morbin: It was very revelatory, your panelists, and I think you're saying about the ongoing impact, I think anybody in the audience in a position of power to do so, were sitting there thinking, 'yeah, our organization needs to be more supportive of its people.' I think that message totally got across to everybody in that audience.
Field: Anna, you did a terrific job moderating that session as well. I like to think that the work that we do here on a weekly basis gives you the practice so that you're a game time player.
Schwartz: You mean, having to handle you, Tom, on a weekly basis?
Schwartz: Anything can happen, anything will happen. Be prepared for the worst, hope for the best.
Morbin: Tom said early on, we had our own practice in resilience with speakers who had COVID and coming up with adapting our plans and having to change things around but that's life.
Delaney: That's absolutely right! Tom, Matt, you were doing a bit of improvisation there. But the show must go on.
Schwartz: It's always fun. I think showing up is a big part. I say that for the attendees as well. The energy in the rooms was palpable. I was speaking with individuals, attendees, who said this is the first event they had been to in two years, probably. Their eyes lit up a little bit, I think with the opportunity to mix a bit. The discussions that we had ending, as Tom said, with a phenomenal panel that you did that hit home for a lot of people gave them some marching orders that weren't just about EDR or XDR, but how can we make our programs better, more humane, more sustainable. We just had a wonderful range of themes and experts and energy.
Field: I will say, I hugged deliberately and I tested negatively. It was a good event.
Delaney: Bring on RSA. That's what I’d say.
Field: This was the 10k race in advance of the marathon coming up in two weeks.
Delaney: Yeah, our dress rehearsal. We often, at these conferences, talk about current themes, but also future trends. What was one word that sticks out that perhaps represents or even sets the tone for the next half a year?
Field: I'm going to go back to response. This is something I'm hearing consistently in all the events that they host whether they're actual or virtual. The notion of having this response plan and team ready and tested in today's environment, with the landscape that we have, and our presence in the cloud, and the lack of visibility, and then all the different devices and hundreds of personal offices that we have. Response for me is the big one.
Delaney: Nice! Tony said automation, I think.
Morbin: Yeah, I'll go back on that with a few seconds more to think about it. I'll jump back. It's a bit more clichéd, but resilience is. And I think having just coming out of the pandemic, and then we've got the war and so many things happening, resilience is key.
Schwartz: I will say the unexpected. At the CYBERUK conference here a couple of weeks ago, Jen Easterly, the director of CISA, in the United States, did a Monty Python riff, right? Because it was Britain. No one expected the Spanish inquisition. And that was her metaphor or her pop culture reference for encapsulating what it's like to have been in cybersecurity and what it will be like. You don't know what's going to come storming in your front door. Be prepared, try to learn from the past, but be prepared to have your expectations challenged and sometimes impinged upon with a British accent I suppose.
Delaney: Can only get better. Thank you very much. This has been a great discussion, and loved meeting you all in person as well again, or for the first time, so that's been great. We have to leave it there, unfortunately.
Schwartz: It's fun to do it virtually. But let's do it again, live sometime soon.
Field: Maybe in a week.
Delaney: You're on. Thank you very much, Tom, Matt, Tony. And thank you so much for watching. Until next time!