CSA Summit at RSA 2020 - Recap Part 2

By Frank Guanco, Research Program Manager, CSA

Read part two of the CSA Summit at RSA recap. In this post we’ll be exploring the big ideas and takeaways from the afternoon sessions. Several main questions and ideas our afternoon speakers addressed were:

1. How are enterprises supposed to prepare for incidents if their service provider is in control of their data?
2. Why is there still a shortage of security professionals, and how can we attract and qualify new employees?
3. How can organizations improve security training for current employees?
4. Who’s ultimately responsible for security given inter-country cyberattacks? The private sector or the government?

Secure Your IT Transformation

Digital Transformation was in the air as Jay Chaudhry, CEO of Zscaler and Christopher Porter, CISO of Fannie Mae, provided takeaways on this subject via key technologies enabling this transformation like cloud, mobility, the internet's connectivity layer, and the Internet of Things. Emerging trends in digital transformation include 5G having the potential to be the new Local Area Network, Zero Trust Network Access as the new norm for Enterprise Security. Porter shared Fannie Mae's takeaway with digital transformation by pointing out that 'data is new oil' and their lessons learned. Fannie Mae's lessons learned were to drive security into the fabric of your business, a mindset change for infrastructure, and how digital transformation is imperative and is a top-down initiative.

Incident Response in the Cloud: Fog of War or Skies Clearing?

In this lively talk by Aravind Swaminathan, Partner Global Co-Chair Cyber, Privacy & Data Innovation at Orrick, Herrington & Sutcliffe brought his perspective on managing inventions through the lens of legal forensics. Considerations such as who can control the environment, the details of the investigation, and risk assurance are of prime importance for negotiating the contract with providers. He stressed the importance of negotiating for what you really want. As he said, 'You won't win every time, but you won't win if you'd don't ask.'

Transforming Security for the Clouds

Shannon Lietz brought her expertise and expertise with DevSecOps in this session. From the pipelines of DevOps creating value and availability to DevSecOps creating trust and confidence, determining your key performance indicator can be your metric for world class security. Securability is ephemeral, but this risk reduction is significant and having KPIs and planning with this in mind will benefit your security posture.

Collaborating with Security to Enable the Business

During this panel session Jason Garbis (Vice President of Products, AppGate) asked our panelist what sorts of skills they develop in their team, and what they look for when hiring.

Stephen Scharf CSO at DTCC said "I look for intelligence and energy...those two things you can't teach. Do they look like they have a mindset that's problem solving... someone that's approaching problems from creative ways."

Towards the end, recapping the most important thing they think security professionals should focus on, Jerry Archer (CISO, Sallie Mae) said:

Security needs to surf the wave...need to have the solution before the business needs it. You want to be out in front of that problem. Security gets to lead that change, build security in from the very beginning. That way we get to fulfill the notion of security before everyone starts building on top of it.

Building the Next Generation Cybersecurity Workforce

The Co-Founder & Vice President of the International Consortium of Minority Cybersecurity Professionals, Larry Whiteside Jr. asked why there’s still a skills shortage in the cybersecurity workforce. His answer was partly that "Cybersecurity professionals are unicorns...you have to think a certain way." But he said that doesn’t answer it completely, he stressed that:

We can't say there's not enough people

Can say there's too many jobs

Can't say there's a pipeline if not taking steps

So how do we start taking steps? By partnering with diverse candidates and organizations and increasing training opportunities. Companies should reach out in their local community. Most highschool and college students don't even know this career field exists or that it’s an option. He ended his presentation saying: “2020 is the year of action whether it's big or small...we all have a responsibility to take some level of action”

Key Takeaways

• Be confident there's a problem and a way to solve it
• Talk to HR
• Create a training plan for your team

A strategic view of the future of our industry from the incomparable Dan Geer

In this session Dan Geer (Chief Information Security Officer, In-Q-Tel), examined the hard choices we’re faced with. He ended his speech admonishing everyone to remember that we can’t be passive. Freedom isn’t free. You can read his full presentation here.

Other articles summarizing the sessions:

You can download this year’s summit presentations here. Below are links to articles that were written about several of the sessions at this year’s summit.

• Glenn Gerstell: Government Vs. Private Sector in the New Digital Reality - Journal of Cyber Policy

• John Yeoh: Next Cloud Security Challenge: Containers and Kubernetes

• Dan Geer: A strategic view of the future of our industry from the incomparable Dan Geer

Join CSA for our next big event in Seattle — SECtember 2020

Held in CSA’s home city of Seattle among the giants of cloud computing, this event will feature in-depth training, networking opportunities and interactive sessions with global experts. The inaugural SECtember will be held Sept. 14-18, 2020, at the Sheraton Grand Seattle.

The call for papers is now open. Visit sectember.com to learn more.