Hot Takes & Power Plays: Navigating AI Governance, Adversarial Strategies & Business Risks

At Sekurokon 2024, Managing Director Asia and Group CISO Prashant Haldankar moderated a panel of fellow Sekurian experts who commented on industry trends in the form of a lighthearted Hot or Not gameshow. The players were:

Pablo Borges, Director, GRC

Amila Elcic, Managing Consultant

Chris Ekert, Managing Consultant, IRAP

Sasha Goldenberg, Managing Consultant, Offensive Security

Read on or watch the video to see more in-depth discussion about the Hot or Not cybersecurity topics.

Risk Strategy

Risk Matrix

Amila: Not

General risk matrices are not hot; business risk matrices, on the other hand, are relevant to strategy and are hot.

Strategy Risk Management

Amila: Hot

Companies tend to include revenue growth as part of their strategy, but they also need to include the information security risk related to that growth. For example, given the financial or reputational impact following a data breach, a company may not achieve its revenue goal. Hence risk, and the mitigation of that risk, need to be aligned with growth strategy.

FAIR Methodology

Amila: Not

It’s a very good standard, but it is not widely accepted.

Balanced Scorecard

Amila: Hot

This is important, and many companies use it to align strategy with current processes. The Balanced Scorecard covers four perspectives:

1. Learning
2. Customer
3. Operational
4. Financial

If the metrics are going in the expected direction, they will align with strategic goals.

Risk Appetite Statements

Amila: Hot

Risk appetite statements are very important for defining goals and aligning with them.

Security Governance

Governance, Risk, and Compliance (GRC)

Chris: Hot

It’s imperative and should be in place for organisations now.

ISO27001

Chris: Hot

It’s an easy way to lift the credibility of an organisation and a widely known certification, not only within cybersecurity but outside of it as well.

Essential 8

Chris: Hot

Chris considers the Essential 8 “low-hanging fruit” that organisations can put in place.

Privacy Impact Assessments

Chris: Hot

Risk is increasingly talked about. After all, organisations don’t want to be seen in the news for data leakage.

IRAP Assessments

Chris: Hot

IRAP provides independent assurance. It’s starting to push outside of just governance now as well. There are a fair number of technical controls under IRAP’s purview, so it’s quite important.

Offensive Security

Pentesting

Sasha: Not

Pentesting is great. It’s a must when you have a new application that is launching and you want to make sure it’s secure. But it only looks at one small part of the whole; just because you’ve pen tested your app doesn’t mean you won’t be breached. Pentesting is not a guarantee of security, and there are more things on top that you need to do to have a comprehensive view.

Purple Teaming

Sasha: 50-50

People seem to think of purple teaming as a halfway point to a red team. It’s actually the other way around, in Sasha’s opinion.

The red team should be done first to identify the existing controls, and then purple teaming should be done to identify the lack of controls and improve them. Purple teaming requires the customer side to be involved the whole time, compared to red teaming. That said, it’s an amazing tool when used properly.

Red Teaming

Sasha: Hot

People seem to think of purple teaming as a halfway point to a red team. It’s actually a separate engagement altogether, in Sasha’s opinion.

A red team can be done to holistically assess a company’s security posture, while a purple team is about fine-tuning detections and collaborative testing. Purple teaming serves a different purpose and requires the customer side to be involved the whole time, compared to red teaming. That said, it’s an amazing tool when used properly.

Adversarial Mindset

Sasha: Hot

The adversarial mindset is about thinking like the attacker and putting yourself in their shoes. It’s very hard to do because when you’re working on your company’s security, you’re bound by a rule set and scope, whereas an adversary isn’t. Adversaries have no rules. One way to adopt the mindset is to ask yourself: if I were attacking us, how would I do it? That can really help identify the areas we should be focusing on.

Physical Security and Social Engineering

Sasha: Hot

It should be very hot. When you get a red team assessment, in probably 90% of cases the red team is going to get in because they’ve sent someone a phishing email or called someone up on the phone and convinced them to give them some information or click on a link.

Companies invest a ton in their cybersecurity. And unfortunately, they invest a lot less in training their people and their physical security.

Compliance, Security, AI & Secure by Design

Compliance vs Security

Pablo: Compliance Not, Security Hot

Compliance and security are not mutually exclusive. You can use compliance as a driver of good baseline security.

Secure by Design

Pablo: Hot

With recent high profile incidents, Secure by Design is becoming more relevant not just for organisations but for vendors like Sekuro. How secure is your product? Do you embed security as part of what you do or is it just an afterthought?

PCI-SSF

Pablo: Hot

The Software Security Framework (SSF) is a set of good practices that help you improve your software development life cycle. Not only can it help drive your compliance, it can also help you drive improvements in end-to-end software development. If ISO or NIST isn’t giving clear enough direction, SSF may provide detailed guidance.

AI Governance

Prashant and Pablo: Getting Hot

AI is in its infancy, and it will be a long time before anyone becomes an expert on AI, but currently there are international standards like ISO 42001 to give guidance. At this point, all one can do is get the basics right while building maturity.

For Australia, the AICD (Australian Institute of Company Directors) has released a paper advising directors on safe and responsible AI governance.

AI and IoT Solutions

Prashant and Pablo: Getting Hot

The response from the industry is getting stronger. For example, the ACSC (Australian Cyber Security Centre) released Internet of Things (IoT) guidelines to help understand the threat landscape and threat management for IoT devices. Likewise, MITRE released a framework with threat modelling, and ISO has standards for IoT. The problem now is that we need more secure products.
