As we delve deeper into the digital era, the landscape of cybersecurity continues to evolve at a rapid pace. From the rise of continuous validation to the imperative of secure data lifecycle management, organizations are facing unprecedented challenges and opportunities. In this blog, we explore some of the top predictions for cybersecurity in 2021 and highlight key imperatives for staying ahead of emerging threats.

Here is the verbatim discussion:

Things are there oh yeah and and and there's another dimension it's not only where the data is but if you start looking at it as a life cycle how does data get created yes is it created in a secure way is it classified and and marked so we know how sensitive it is you know how does it get distributed and how does it die and that's when when I sit and I talk with it folks or or organizations you know HR whatever you know allas all right how do you kill off data and they'll look at me like why would I delete data okay old and inaccurate data it becomes costic over time and now what happens if that inaccurate data also gets exposed that becomes really minutes yes let me ask you this what what are some of your top predictions for 2021 all right um you know first off I'm G to make a prediction about your industry how about this right because it is you know that that continuous um you know validation is important uh especially right now it's predominantly being used on infrastructures right uh to maintain uptime and and you know weed out vulnerabilities I predict within probably two and a half to three years that very very important how are the users and the administrators coming in to do their work right is it set up um I was dealing with um uh a product the other day and it didn't have multiactor or second Factor authentication options for administ there's lots of different things and you know it used to be build whatever you're going to build and then slap on some security at the end right that's the bolt-on security that model fails and it fails spectacularly it fails because it doesn't really protect against risks it isn't sustainable over time against emerging threats it costs a lot at the end of the day between 20 and 200 times versus you know putting security and developing it correctly in the process things are there oh yeah and and and there's another dimension it's not only where the data is but if you start looking at it as a life cycle how does data get created yes is it created in a secure way is it classified and and marked so we know how sensitive it is you know how does it get distributed and how does it die and that's when when I sit and I talk with it folks or or organizations you know HR whatever you know allas all right how do you kill off data and they'll look at me like why would I delete data okay old and inaccurate data it becomes costic over time and now what happens if that inaccurate data also gets exposed that becomes really minutes yes let me ask you this what what are some of your top predictions for 2021 all right um you know first off I'm G to make a prediction about your industry how about this right because it is you know that that continuous um you know validation is important uh especially right now it's predominantly being used on infrastructures right uh to maintain uptime and and you know weed out vulnerabilities I predict within probably two and a half to three years that very very important how are the users and the administrators coming in to do their work right is it set up um I was dealing with um uh a product the other day and it didn't have multiactor or second Factor authentication options for administ there's lots of different things and you know it used to be build whatever you're going to build and then slap on some security at the end right that's the bolt-on security that model fails and it fails spectacularly it fails because it doesn't really protect against risks it isn't sustainable over time against emerging threats it costs a lot at the end of the day between 20 and 200 times versus you know putting security and developing it correctly in the process.

Navigating the complex landscape of cybersecurity can often seem daunting, especially for organizations grappling with the evolving nature of threats and the intricate interplay of technology and human behavior. However, amidst the complexity, there lies a simple yet powerful approach—one that focuses on practicality, collaboration, and understanding the fundamentals. By breaking down cybersecurity into manageable components and fostering a culture of awareness and preparedness, organizations can better equip themselves to address security challenges effectively.

Here is the verbatim discussion:

yep so what what we do uh you know exactly what I'm talking about right we we we had been um doing this for a few of these companies getting the CEO the COO the legal guys the marketing guys the operations guys and everybody together in a room and then discuss like let's imagine this breach has happened now what do we do the moment you do that now the operations guy see is my goodness there will be so many calls which is going to come to my call center thisy doesn't even have a script on how to respond to and I don't know how to handle this so there are couple of things that happens one is like you get more ready to face something like that A playbook emerges all those things but along with that these guys kind of envisage or visualize or feel the kind of pain they'll go through if a bad security incident happens and they realize okay I mean it looks knowing the risk the threats etc etc or and then protect but also building a great way to detect um which people are doing right now I mean I guess most of the organizations are building this sock and then doing the response and Recovery there's a much better awareness today in the kind of industry in terms of building the response and recovery so if people build the right kind of hygiene as you have mentioned if if organizations get these Basics right like knowing the asset inventory knowing where the data is how the data flows have basic hygiene and what you mentioned about two Factor authentication right that's that's very very important have the basic kind of security practices in place I'm not talking about all the text Etc and then having a basic mechanism to detect attacks and then respond and recover from it so a lot of times um cyber security is made to look very complex I I love nist CSF very much because n CSF for the first time came up and spoke about cyber security a language which business can understand that you need to identify your assets and threats and risks you need to protect and you need to detect attacks and you need to respond and recover from a breach right I mean it sounds very very simple now when you look at ISO or PCI they talk about W and d and this and that control it's not really very uh friendly from the perspective of management and other stakeholders so I'm a big fan of n CSF in terms of building an architecture a as am I I actually wrote a white paper years before that came out um talking about defense in- depth and a continual process and I broke it down into four things prediction prevention detection and response and it's circular continues to feed in yes and you know and and Gartner picked that up they they published some things a few years ago on on that white paper but nist and and I've worked with nist for many years on many different projects uh they move very similar it's it's they're one or two off right because they they go to identify they don't talk predict but yeah it's it's really from a continual management perspective you do need those four things right you need a prediction capability you need that prevention capability and those two give your highest Roi by the way but you you know you will never be perfect things will always get through or you will choose to allow vulnerabilities to exist Black Swan events so on and so forth because it's too expensive to protect against that's fine um so you need that detection and response capability and those to have exactly yeah a lot of people have that kind of perception and lot of people are not even aware of this problem that I need to know where data is and how data flows because like security uh guys are working in silos and they have no idea that the marketing team how they work on the data do they have an analytics team do they have an analytics partner how does the data go to the analytics partner what is the analytics partner doing Etc so I have seen like just this inventory problem the data uh where does the data reside and how does the data flow that itself is a major issue of course there is third party fourth party all those things are there oh yeah and and then and and there's another dimension it's not only where the data is but if you start looking at it as a life cycle how does data get created is it created in a secure way is it classified and and marked so we know how sensitive it is you know how does it get distributed and how does it die and that's when when I sit and I talk with it folks or or organizations you know HR whatever you know I'll ask all right.

Bikash Barai is credited for several innovations in the domain of Network Security and Anti-Spam Technologies and has multiple patents in USPTO. Fortune recognized Bikash among India’s Top 40 Business Leaders under the age of 40 (Fortune 40-under-40).Bikash is also an active speaker and has spoken at various forums like TiE, RSA Conference USA, TEDx etc.Earlier he founded iViZ an IDG Ventures-backed company that was later acquired by Cigital and now Synopsys. iViZ was the first company in the world to take Ethical Hacking (or Penetration Testing) to
the cloud.

https://twitter.com/bikashbarai1

https://www.linkedin.com/in/bikashbarai/

Matthew Rosenquist is a seasoned cybersecurity strategist and Chief Information Security Officer (CISO) with over three decades of experience. With a remarkable career at Intel Corporation spanning 24 years, he spearheaded key security initiatives, including establishing Intel's first Security Operations Center and leading cyber crisis response teams. As an influential figure in the industry, he currently serves as the CISO for Eclipz and advises numerous organizations worldwide on cybersecurity, emerging threats, privacy, and regulatory compliance. With a unique ability to bridge technical expertise with business acumen, Matthew is renowned for developing effective security strategies and enabling organizations to navigate complex cyber risks while optimizing security, privacy, and governance.

https://www.linkedin.com/in/matthewrosenquist
https://twitter.com/Matt_Rosenquist

Security is not a static concept; it's a dynamic process that demands continual attention and evolution. In today's digital landscape, where threats are ever-present and constantly evolving, relying on a single solution or treating security as a one-time event is no longer feasible. Instead, organizations must adopt a holistic approach that encompasses behavioral analysis, robust technology, and proactive measures to mitigate risks effectively.

Here is the verbatim discussion:

got to worry about the behavior stuff you have to understand the process why security is never a single solution it is never a moment in time it is something that must be maintained evolved and must maintain you know keep parity with the the emerging threats and attacks right and then it comes down to the technology and for this audience this audience plays a very unique role in developing the technology that can help by default right remove a lot of the attack landscape making sure that the code that you're using the libraries and the dependencies right don't have vulnerabilities when you're developing looking and testing uh what you're creating through the development process is hugely important and valuable right it's also reduce the costs because again risk cost friction right making sure that we've got the controls in place that whoever is going to maintain or administer whatever you're building can keep it patched can keep it secure can go in if something go you know uh bad happens and recover things like that very very important how are the users and the administrators coming in to do their work right is it set up um I was dealing with um uh a product the other day and it didn't have multiactor or second Factor authentication options for administrators just didn't support it I'm like how can you develop something today and not support Second factor or multiactor you should support it for everybody every user but at minimum for the administrators right it boggles my mind that is poor engineering and development right so you know there's lots of different things and you know it used to be build whatever you're going to build and then slap on some security at the end right that's the bolt-on security that model fails and it fails spectacularly it fails because it doesn't really protect against risks it isn't sustainable over time against emerging threats it costs a lot at the end of the day between 20 and 200 times versus you know putting.

Highlights :

Understanding Behavioral Patterns: Effective security strategies necessitate a deep understanding of user behavior and process workflows. By analyzing patterns and identifying anomalies, organizations can detect potential security threats early and respond promptly. Behavioral analysis empowers organizations to anticipate and adapt to emerging risks, ensuring a proactive defense posture.

Continuous Maintenance and Evolution: Security is an ongoing commitment that requires constant maintenance and evolution. Organizations must keep pace with emerging threats and attacks, continuously updating their defenses to mitigate new vulnerabilities. This proactive approach not only enhances security resilience but also reduces the likelihood of costly breaches and disruptions.

Role of Technology Development: Technology plays a pivotal role in shaping the security landscape. Developers have a unique opportunity to integrate security by design, ensuring that code, libraries, and dependencies are free from vulnerabilities. Incorporating security testing and validation throughout the development process is crucial for building robust and secure systems from the ground up.

Cost Reduction through Risk Mitigation: Proactive security measures not only mitigate risks but also reduce costs in the long run. By investing in preventive controls and security protocols, organizations can minimize the impact of potential breaches and operational disruptions. The cost of implementing proactive security measures pales in comparison to the financial and reputational losses incurred from security incidents.

User and Administrator Experience: User experience extends beyond functionality to include security considerations such as multi-factor authentication (MFA). Providing robust authentication options, especially for administrators, is essential for safeguarding sensitive data and infrastructure. Poor engineering practices that overlook fundamental security features undermine the integrity and trustworthiness of products and services.

Shift from Bolt-On to Integrated Security: The traditional approach of bolting on security as an afterthought is no longer sufficient. Integrated security, where security is woven into the fabric of every development stage, is essential for building resilient systems. By embedding security into the development lifecycle, organizations can preemptively address vulnerabilities and mitigate risks more effectively.

As cyber threats become increasingly sophisticated and pervasive, organizations must embrace a proactive and integrated approach to security. Understanding behavioral patterns, continuous maintenance, technology development, cost-effective risk mitigation, user experience enhancements, and integrated security practices are essential components of a robust security strategy. By prioritizing these elements, organizations can strengthen their defenses, mitigate emerging threats, and foster a culture of security excellence. In an era where security is paramount, proactive measures are not just a choice but a necessity for safeguarding digital assets and ensuring business continuity.

Speakers:

Bikash Barai is credited for several innovations in the domain of Network Security and Anti-Spam Technologies and has multiple patents in USPTO. Fortune recognized Bikash among India’s Top 40 Business Leaders under the age of 40 (Fortune 40-under-40).Bikash is also an active speaker and has spoken at various forums like TiE, RSA Conference USA, TEDx etc.Earlier he founded iViZ an IDG Ventures-backed company that was later acquired by Cigital and now Synopsys. iViZ was the first company in the world to take Ethical Hacking (or Penetration Testing) to
the cloud.

https://twitter.com/bikashbarai1

https://www.linkedin.com/in/bikashbarai/

Matthew Rosenquist is a seasoned cybersecurity strategist and Chief Information Security Officer (CISO) with over three decades of experience. With a remarkable career at Intel Corporation spanning 24 years, he spearheaded key security initiatives, including establishing Intel's first Security Operations Center and leading cyber crisis response teams. As an influential figure in the industry, he currently serves as the CISO for Eclipz and advises numerous organizations worldwide on cybersecurity, emerging threats, privacy, and regulatory compliance. With a unique ability to bridge technical expertise with business acumen, Matthew is renowned for developing effective security strategies and enabling organizations to navigate complex cyber risks while optimizing security, privacy, and governance.

https://www.linkedin.com/in/matthewrosenquist
https://twitter.com/Matt_Rosenquist

In the ever-evolving landscape of cybersecurity, staying ahead of threats requires more than just reactive measures. Organizations are increasingly adopting proactive strategies, leveraging continuous defense mechanisms to safeguard their digital assets. This approach involves integrating the latest threat intelligence, zero-day vulnerabilities, and attack techniques into automated defense systems. By doing so, companies aim not only to protect their networks but also to demonstrate their commitment to security excellence.

Here is the verbatim discussion:

so it's not just a dumb attack right they're using the capability of chaining things together understanding and integrating the the newest um zero days that are being announced and newest vulnerabilities that are being announced to be able to integrate those in right and to do that in an automated way for the benefit of the organization and that's that is a that's a capability and unfortunately not everybody's doing it but the leading companies and organizations are which again differentiates them from everybody else it makes them less attractive it makes their defensive positions stronger and auditable right and they can show that due diligence if something bad does happen they can show the Auditors they can show the court if it gets dragged into court that yes we are above right even the median average we do more and bad things are going to happen there's no way around that eventually it will but being able to show that have that confidence to to show your stockholders to show the courts to show your customers and clients and your business partners that yes you are Head and Shoulders Above the Rest because you're doing this continuous type of attacks against your system and again auditable you can show the results and when you get results you it's actionable you can go in and close that that firewall hole you can go in and Harden that new server that someone brought up and didn't tell you about right or that new database that got formed and has all this sensitive data in it with that kind of continuous attacking it gives you the Practical intelligence from an operations perspective to go in and resolve those issues again managing your risk hopefully to that Target that you want that's what you kind of covered it so well that even though I'm from this field I have nothing to add let talk about a few things no you need to add how your company does it better so I can pick on you and challenge you I mean are you perfect you know in your organizations what are your strengths what are your customers coming to you and asking as a priority I mean that's something I want to know you know are they saying I really want that red team kind of report or I want to be defensible or I want it as part of my audit or is it the operations guy going I'm really worried about that shadow it I've got dozens of admins and Engineers spinning up servers all the time that I don't know about what are the two or three asks yeah so so you made a great asked a great question so one definitely is Shadow it getting a visibility of what all assets are going up that's one uh continuous testing for for organizations which are kind of moving up in the maturity they're looking for continuous testing it's not just continuous red teaming they're thinking about continuous testing in their uh devops and their building up the application so they're thinking of continuous so you're looking at products as well right so you're we don't do that no we don't we don't do for the internal applications I'm just talking about General Trends we we focus on one are Mak yeah so so that's another interesting thing we're seeing like the more um mature organizations are going Beyond not just like continuous red timming but also continuous um devop security continuous Cloud security Etc so that's a great mindset so I'm a big believer of continuous security whatever be that area so so that's and also purple teaming is another interesting thing which uh is very helpful because one is you kind of go and attack.

In the dynamic realm of cybersecurity, collaboration and innovation are paramount for addressing evolving threats and driving progress. Matthew Rosenquist offers invaluable insights into the challenges and opportunities encountered in fostering collaboration within the cybersecurity community. From the formation of diverse groups to the complexities of stakeholder engagement, Rosenquist's experiences shed light on the importance of effective communication and tangible outcomes. Join us as we explore the nuances of collaboration and innovation in cybersecurity through Rosenquist's perspective.

Here is the verbatim discussion:

You there was a great amount of in interest we saw a whole bunch of different uh groups get formed and staffed and Tech U very very smart people get brought in great discussions papers being written but then many of the the autom automotive manufacturers kind of decided to pull back and they said oh that's a great paper oh glad for for articulating the risk but you know what I've got business issues that I really have to get my market share shrinking or I have to reduce costs I really don't have time for this right now you know thanks for your effort um and you saw a lot of people start to leave those forums because they weren't being listened to or the paper that they had worked so diligently on that outline what needed to happen got shelv and nobody nobody exy Etc over to you bash Matthew the floor is yours thank you Shel and uh great to see you Matthew thanks for joining us absolutely it's having conversations is what it's all about right communication and collaboration absolutely and that's that's the vision of our platform um so so collaboration with the aim of building Community Goods so so as a community we focus more on how can you build something which is tangible so let me ask you uh I know you you you are frequent um speaker at RSA or or multiple other various conferences so when I visit some of these conferences one of the key goals which I have is like to check out what's new happening and based on your last few conferences where you physically visited which I believe is quite some time.

Highlights :

Formation of Collaborative Groups: Rosenquist reflects on the initial surge of interest and enthusiasm that accompanied the formation of various cybersecurity groups. Smart minds, vibrant discussions, and promising papers marked the early stages, showcasing the potential for collaborative endeavors to address pressing security concerns.

Challenges in Stakeholder Engagement: Despite the initial momentum, Rosenquist highlights the challenges encountered when engaging stakeholders, particularly within industries like automotive manufacturing. Business priorities often take precedence, leading to disengagement and a lack of follow-through on cybersecurity initiatives.

The Importance of Tangible Outcomes: Rosenquist emphasizes the need for tangible outcomes in collaborative efforts, where discussions and papers translate into actionable measures. The disillusionment experienced when well-articulated risks are disregarded underscores the necessity of driving tangible progress within the cybersecurity community.

The Role of Conferences in Fostering Innovation: As a frequent speaker at conferences like RSA, Rosenquist shares his experiences in exploring emerging trends and innovations. Conferences serve as invaluable platforms for networking, knowledge sharing, and staying abreast of the latest developments in cybersecurity.

Matthew Rosenquist's insights into collaboration and innovation in cybersecurity offer a nuanced perspective on the challenges and opportunities inherent in fostering community-driven progress. From the formation of collaborative groups to the role of conferences in driving innovation, Rosenquist underscores the importance of effective communication, tangible outcomes, and stakeholder engagement. As the cybersecurity landscape continues to evolve, his experiences serve as a guiding light for navigating the complexities of collaborative endeavors and driving meaningful change in the pursuit of digital security.

Speakers:

Bikash Barai is credited for several innovations in the domain of Network Security and Anti-Spam Technologies and has multiple patents in USPTO. Fortune recognized Bikash among India’s Top 40 Business Leaders under the age of 40 (Fortune 40-under-40).Bikash is also an active speaker and has spoken at various forums like TiE, RSA Conference USA, TEDx etc.Earlier he founded iViZ an IDG Ventures-backed company that was later acquired by Cigital and now Synopsys. iViZ was the first company in the world to take Ethical Hacking (or Penetration Testing) to
the cloud.

https://twitter.com/bikashbarai1

https://www.linkedin.com/in/bikashbarai/

Matthew Rosenquist is a seasoned cybersecurity strategist and Chief Information Security Officer (CISO) with over three decades of experience. With a remarkable career at Intel Corporation spanning 24 years, he spearheaded key security initiatives, including establishing Intel's first Security Operations Center and leading cyber crisis response teams. As an influential figure in the industry, he currently serves as the CISO for Eclipz and advises numerous organizations worldwide on cybersecurity, emerging threats, privacy, and regulatory compliance. With a unique ability to bridge technical expertise with business acumen, Matthew is renowned for developing effective security strategies and enabling organizations to navigate complex cyber risks while optimizing security, privacy, and governance.

https://www.linkedin.com/in/matthewrosenquist
https://twitter.com/Matt_Rosenquist

In the ever-evolving landscape of cybersecurity, Matthew Rosenquist sheds light on emerging trends and persistent challenges. From the prevalence of misconfigurations to the dichotomy between complex and simplistic breaches, Rosenquist's observations offer valuable insights into the evolving threat landscape. Join us as we delve into the nuances of cybersecurity trends and their implications for organizations worldwide.

Here is the verbatim discussion:

Things which we are seeing like for example based on my observations of many of these major breaches I've seen misconfiguration being one of the top reasons now of course the world has gone a lot ahead in terms of security over last two decades but many of these breaches are because of simple misconfigurations many of these breaches are because of a open RDP port and the password being company name one two three okay so so there's a very interesting another kind of trend which I am noticing so so what I have observed is like there are two types of kind of breaches which are happening one is very complex ones like the ones which you mentioned right I mean many of those are very complex and you need really good knowledge of systems um um multi-stage attacks Etc and some are very very simple and many of the reasons why these simple breaches are happening is probably because um all of a sudden huh well they work they're easy but they work if you don't patch your systems and there's 50 known vulnerabilities you're an easy target and unfortunately the attackers haven't had to to get too complex because in general there's a lot of easy victims out there yeah yeah and the other thing which is happening is that sometimes what I have seen is that yes those are easy but a lot of times what what's happening is now yeah yeah did you did you visit RSA last time um I'm trying to think if I was there like seriousness and an investment perspective and unfortunately I've seen many of these industries and many of these companies pull back greatly and go you know what we'll just wait to see what regulation comes about now that's dangerous and now we're talking Life Safety dangerous so you know there there are Pros but we also have to peel back the onion a little bit to see okay at any given moment in time what's the trajectory that we have is it a good trajectory or has it kind of gone down a little bit and it's not really where a good TR trajectory or has it gone down a little bit I'm sorry 

Highlights :

Misconfigurations: A Persistent Challenge: Despite advancements in cybersecurity, misconfigurations continue to rank among the top reasons for breaches. Simple oversights, such as open RDP ports and weak passwords, highlight the critical importance of basic security hygiene in safeguarding against threats.

Complex vs. Simple Breaches: Rosenquist delineates between complex, multi-stage attacks and simplistic breaches driven by unpatched systems and known vulnerabilities. While sophisticated attacks garner attention, the prevalence of easy targets underscores the need for organizations to prioritize patch management and proactive security measures.

Impact of Regulatory Environment: A concerning trend highlighted by Rosenquist is the shift in organizations' attitudes towards cybersecurity investments, driven by regulatory uncertainty. The temptation to adopt a wait-and-see approach risks compromising security posture, particularly in industries where the stakes are high, such as life safety.

Balancing Pros and Cons: While regulatory frameworks offer potential benefits in enhancing cybersecurity standards, Rosenquist cautions against complacency. Organizations must navigate the delicate balance between regulatory compliance and proactive risk management to mitigate threats effectively.

Matthew Rosenquist's insights into cybersecurity trends provide a sobering reminder of the persistent challenges facing organizations in an increasingly digital world. From the prevalence of misconfigurations to the impact of regulatory uncertainty, his observations underscore the need for proactive security measures and strategic investments in cybersecurity. As organizations strive to safeguard their assets and protect against evolving threats, Rosenquist's guidance serves as a valuable compass for navigating the complexities of the modern threat landscape.

Speakers:

Bikash Barai is credited for several innovations in the domain of Network Security and Anti-Spam Technologies and has multiple patents in USPTO. Fortune recognized Bikash among India’s Top 40 Business Leaders under the age of 40 (Fortune 40-under-40).Bikash is also an active speaker and has spoken at various forums like TiE, RSA Conference USA, TEDx etc.Earlier he founded iViZ an IDG Ventures-backed company that was later acquired by Cigital and now Synopsys. iViZ was the first company in the world to take Ethical Hacking (or Penetration Testing) to
the cloud.

https://twitter.com/bikashbarai1

https://www.linkedin.com/in/bikashbarai/

Matthew Rosenquist is a seasoned cybersecurity strategist and Chief Information Security Officer (CISO) with over three decades of experience. With a remarkable career at Intel Corporation spanning 24 years, he spearheaded key security initiatives, including establishing Intel's first Security Operations Center and leading cyber crisis response teams. As an influential figure in the industry, he currently serves as the CISO for Eclipz and advises numerous organizations worldwide on cybersecurity, emerging threats, privacy, and regulatory compliance. With a unique ability to bridge technical expertise with business acumen, Matthew is renowned for developing effective security strategies and enabling organizations to navigate complex cyber risks while optimizing security, privacy, and governance.

https://www.linkedin.com/in/matthewrosenquist
https://twitter.com/Matt_Rosenquist

In the ever-evolving landscape of cybersecurity, few voices carry the weight of experience and insight as Matthew Rosenquist and Bkash Parai. With over three decades in the field, their journey reflects the transformation of security from a niche concern to a critical aspect of modern business. From humble beginnings to prestigious roles at industry giants like Intel, their expertise spans investigations, operations, and strategic leadership. In this blog, we delve into the highlights of their careers, extracting valuable lessons and perspectives for navigating the complex world of cybersecurity.

Here is the verbatim discussion:

He is an experienced keynote speaker author and actively collaborates with the industry Partners to tackle pressing problems on a wide range of cyber security issues bkash parai is the co-founder of fire compus earlier he co-founded IIs and idg Ventures founded company which got acquired by digital Inc and synopsis uh I was the first company the let's get started with that um I mean it was kind of covered little bit i' I've been 30 years in security which means actually over 30 years which means I started when security was a deadend field there was no future for it uh but I had a passion for it so I've done everything from investigations operations um I Justified and built Intel's first 24x7 secur Operation Center and I managed it uh I also landed and managed the the C team right the computer information security Response Team uh and I've done a whole bunch of different roles at Intel and and part of the beauty there is I also got to work with developers and engineers and Architects um I owned platform security for all it systems I uh built out the security for uh Intel's AI group and so I got to sit down throughout my career uh and you develop new methodologies understand the landscape figure out what worked and didn't had a lot of frustrating days you know dealing with all the challenges out there in trying to figure out okay how of offensive attack simulation strategies tools and techniques today our speakers are mat Rosen and the gash bar Matthew is the Chief Information Security Officer for Eclipse formerly a cyber security strategist for intop and he benefits from over 30 years in the field of cyber physical and information security uh Mr rqu is a member of multiple advisory boards and consults on best practices and emerging R to academic business and government audiences across the globe he specializes in security strategy measuring value developing best practices for cost effective capabilities and establishing organizations that deliver optimal level of cyber security.

Embark on a journey through the fascinating career trajectory of Matthew Rosenquist, where a passion for mathematics and a chance encounter with a white hat hacker laid the foundation for groundbreaking advancements in cybersecurity. From his formative years as a computer science enthusiast to shaping security strategies at Intel Corporation, Rosenquist's story epitomizes the fusion of technical expertise, innovation, and collaboration. Join us as we explore his insights into building effective security architectures and navigating the ever-evolving threat landscape.

Here is the verbatim discussion:

so my background had been I had been more of a a computer science guy when when when I was in the schools I loved maths Etc then I got acquainted with with my other um kind of uh co-founder for my first Venture who who was a hacker was still a hacker so I kind of observed him on how he does and thought about like how can we have algorithms to automate that so so I love though is was he a white hat hacker black hat hacker gry hat I mean what what kind of hacking were you involved in if you're willing to say yeah he he's a very timid person so he's an absolute white hat hacker so good my favorite kind okay good and and I love kind of deconstructing things whether it's deconstructing happiness as a problem or stress management or I had been Operation Center and I managed it I also landed and managed the CT team right the computer information security Response Team uh and I've done a whole bunch of different roles at Intel and and part of the beauty there is I also got to work with developers and engineers and Architects um I owned platform security for all it systems I uh built out the security for uh Intel's AI group and so I got to sit down throughout my career uh and you develop new methodologies understand the landscape figure out what worked and didn't had a lot of frustrating days you know dealing with all the challenges out there in trying to figure out okay how do we actually make technology trustworthy and I've spent many years advising Academia advising uh companies of all sizes Fortune 100 all the way down to to to very small companies um and governments around the world really around what are the emerging threats what are the opportunities that we can seize um and how is everything going to kind of evolve uh you know what are those risks and what can we do as industry Professionals in regards to best practices and Engineering developer developers coders Architects play such a crucial role not the only role it's all part of a team but it's a very very crucial role because that defines topic right let's should always be part of the discussion top so let's move on to the defense side like imagine if you have to build the security architecture of an organization so in order to build the effective build an effective security architecture how would you approach that and what would be your thinking model and what could be um architecture sample architecture so you can take it in the way you would like to this so again building um you know security for a company or for a technology or for an industry uh it's it's not easy it is I think it's fun myself but you know certain fundamental pieces have to be in place right first off you need Executive support because you're going to need money and things of that sort which means you have to again find that optimal level of security and it's important all the way down the chain all the way down to the developers and the engineers because you have to know there's a there's a balance between managing the risk

The life of a cybersecurity professional is characterized by a constant battle against evolving threats and vulnerabilities. In today's complex and sophisticated landscape, there's no silver bullet solution to fix all our problems. Instead, we must embrace a multifaceted approach, acknowledging that addressing cybersecurity challenges requires time, resources, and expertise. One viable solution for organizations, especially mid-sized ones, is managed services, where specialized providers offer both tools and services to bolster cyber defenses.

Here is the verbatim discussion:

That's the life of a cyber security professional yeah much about it we got to live with it yeah I think unfortunately there's no Silver Bullet there's no one magic tool that would fix all our problems especially in today's world where we just discussed everything has become increasingly complex and sophisticated and our cyber posture needs to respond accordingly so we really need to take a multipro multifaceted and and and is going to take time money now one solution for this is going for manage service so somebody who has the tools and also can offer a layer of service on top of it and if you are a midsized organization and that's a great um solution because you may not need a full-time person for running that and also manage services folks they know the tools um and and and they also are trained on that they have probably a better license uh price maybe they can pass on some benefit to you so that could be a good um kind of solution in fact um interestingly um when we launched this as a product we got some feedback from various folks like especially from the midm market that can you offer this as a manag service so we also have a small manage services team who does this as a manage service for uh um I I think um Dave mentioned um like some very critical element few things like it's a big thing like um it's not a vendor risk management becomes a big part of the program few things which um which you might consider would be um like knowing your vendors like that's also again another very hard problem lot of times people don't know the list of all the vendors and somebody goes and starts working with another vendor without the knowledge of the security team so just the policy is not enough also doing some Discovery like we have seen sometimes exposure management or external attex surface Discovery is able to go and figure things out like here is a database which exposes your data on this specific it we found that for one of the banks and um they came back and said you know what that's not any IP address of our bank but the data looks like ours then it turned out we figured out that belongs to a specific organization um which was AI company doing certain things really think this is going to make us happy after we get that we don't feel happy and it's a difficult problem to solve right so risk management is something very similar but one very interesting thing like which is very similar to the happiness problem is that you have some generally happy folks and the happy folks whatever bad thing happens they come back to the Happy State and then you have generally unhappy folks whatever good thing happens in their life they generally come back to that negative state right so when it comes to risk management I think it's very important that we build a program where we come back to the safe State as a business so bad things can happen risks are there but can we come back to the safety State as a business so the organizations which can kind of um and and this CSF is very close to that.

Highlights:

The Reality of Cybersecurity Challenges: Cybersecurity professionals must grapple with the reality that there's no one-size-fits-all solution. As threats become increasingly complex, our cyber posture must adapt accordingly. This necessitates a comprehensive, multifaceted approach to cybersecurity.

Benefits of Managed Services: Managed services offer a compelling solution for organizations seeking to enhance their cyber defenses without the need for a full-time in-house team. By outsourcing to specialized providers, businesses can access expertise, tools, and cost-effective solutions tailored to their needs.

The Significance of Vendor Risk Management: Vendor risk management emerges as a critical element of any cybersecurity program. Knowing your vendors, conducting thorough assessments, and monitoring for potential exposures are essential steps in mitigating risks associated with third-party relationships.

Importance of Discovery and Exposure Management: Asset discovery and exposure management are indispensable components of effective risk management. Proactively identifying vulnerabilities, such as exposed databases or sensitive data, enables organizations to address potential risks before they escalate into breaches.

Striving for Resilience: Ultimately, the goal of risk management is to build resilience within the organization. Like the pursuit of happiness, where individuals naturally gravitate back to a baseline state, businesses must aim to return to a safe state despite encountering risks. This involves establishing robust cybersecurity frameworks, fostering a culture of security awareness, and implementing strategies to mitigate risks effectively.

As cybersecurity professionals navigate the ever-evolving threat landscape, it's imperative to adopt a proactive and holistic approach to risk management. By leveraging managed services, prioritizing vendor risk management, and embracing proactive discovery and exposure management practices, organizations can strengthen their cyber defenses and build resilience against emerging threats. In striving for resilience, businesses aim not to eliminate risks entirely but to mitigate their impact and swiftly return to a secure state. In this ongoing battle against cyber threats, the key lies in continuous vigilance, adaptability, and a commitment to cybersecurity best practices.

Speakers:

Bikash Barai is credited for several innovations in the domain of Network Security and Anti-Spam Technologies and has multiple patents in USPTO. Fortune recognized Bikash among India’s Top 40 Business Leaders under the age of 40 (Fortune 40-under-40).Bikash is also an active speaker and has spoken at various forums like TiE, RSA Conference USA, TEDx etc.Earlier he founded iViZ an IDG Ventures-backed company that was later acquired by Cigital and now Synopsys. iViZ was the first company in the world to take Ethical Hacking (or Penetration Testing) to
the cloud.

https://twitter.com/bikashbarai1

https://www.linkedin.com/in/bikashbarai/

Ms. Nasheen Liu strong reputation in the Technology community is built upon her proven track record as a leader who practices what she preaches. Results driven, focused, determined and creative, Ms. Liu approaches business management with integrity, sound common-sense principles and unconventional strategy. Ms. Liu’s expertise in technology marketing, C-suite conversations and executive branding in the digital age makes her a well-rounded knowledge expert, a skilled listener and an excellent communicator.

https://ca.linkedin.com/in/nasheenliu
https://twitter.com/CsuiteDialogue

Dave Lawy, based in Toronto, ON, CA, is currently a Managing Director at Quantum Smart Technologies, bringing experience from previous roles at Harvard Business Review and Gartner Research Board. Dave Lawy holds a McGill University. Dave Lawy has 6 emails and 1 mobile phone number on RocketReach.

https://ca.linkedin.com/in/davidlawy

Pritha Aash, managing parts of content strategy and marketing in a startup called FireCompass. The team has built things first time in the world and i'm overexcited to be part of it. I decided to share some of it and more. I'm an Information Technology Engineer. Prior to that I did my schooling from Sri Aurobindo, Loreto House, Loreto Convent Entally, Kolkata. I like to volunteer in interest groups, communities to help the world we live in be a better place. Currently volunteer at WWF, Khan Academy, SaveTrees.

https://in.linkedin.com/in/prithaaash

https://twitter.com/prithaaash

In the realm of IT risk management, tagging applications in a consistent and standardized manner serves as a crucial foundation for effective asset classification. However, this process poses challenges, especially in terms of understanding the various perspectives from which tagging can occur. Additionally, managing internal and external vendor risks within the broader IT risk management strategy presents complex challenges that require meticulous attention. Let's delve into these topics further.

Here is the verbatim discussion:

I don't either way be cash I don't mind okay so um I can go for the um first take huh T after that please go ahead so tagging our applications in a consistent standardized manner so uh one thing which i' would like to understand like what what you mean as tagging so is the tagging more from the perspective of um like tagging it based on the organization it belongs to or the business unit the criticality of that the ownership so you can do tagging based on multiple perspectives so let me just consider that you want to tag it from all the perspectives and try to answer so this is a very very um um challenging problem from the perspective of like knowing all the assets and then classifying those if you mean tagging as the classification tags then probably what I'm going to answer yeah that that's a great point Thank You bash our our next question is from Ernest how are you managing the internal and external vendor risks as part of the overall it risk management strategy would you like to take that Dave sure that's a that's also a pretty big question there so obviously there is if I was to simplified it's all about the onboarding offboarding of to receivables and This Server had like a lot of data related to um the signature of their corporate customers so um then it turned out like this particular um AI kind of organization Al Lage company they were working with this bank but when the bank went and looked into their inventory of all the or or rather list of all the vendors the name of the vendor was not part of it then they went deeper and tried to figure out why is the vendor name missing and it turned out like business one of the business unit did a proof of concept with these guys and uh they gave certain data to them which was exposed now knowing certain exposures like this is a very hard problem so you got to kind of know your vendors from the process and all those things classify those vendors but also have a process of going and uh scouting the internet figure what do you mean as tagging so is the tagging more from the perspective of um like tagging it based on the organization it belongs to or the business unit the criticality of that the ownership so you can do tagging based on multiple perspectives so let me just consider that you want to tag it from all the perspectives and try to answer so this is a very very um um challenging problem from the perspective of like knowing all the assets and then classifying those if you mean tagging as the classification tags then probably what I'm going to answer will make sense if not I would like to understand your question better so one is like the discovery part becomes very very critical uh because if we don't have the discovery we can't do the rest of it so asset Discovery you can do it based on two perspectives one is from outside in perspective which tools like esm.

In an era marked by Shadow IT, hybrid working models, and rapid digitization, the landscape of cybersecurity is constantly evolving. With countless potential attack surfaces and vulnerabilities, organizations must prioritize understanding the unknowns to fortify their security operations. Additionally, meeting the intricate demands of regulatory reporting adds another layer of complexity. As we reflect on the insights shared today, the need for proactive measures to mitigate risks and ensure security preparedness becomes abundantly clear.

Here is the verbatim discussion:

Dave for their insights today thanks to everyone who listened in for your time investment and engagement I hope you find the session useful I also wanted to thank ciso platform fire compass and Quantum smart for having me lastly do take advantage of the complimentary scam from fire compass and the Consulting offering from Quantum smart to help you build a path forward for a more secure digital Journey until next time have a great control are gone now with Shadow it hybrid working rapid digitization there's really so many uh potential attack surfaces and vulnerabilities that are unknown to us wouldn't it be nice to get to know the unknowns have a clear handle on your security operations preparedness and in the same time meet the ever complex regul atory reporting demands that is a key piece of takeaway for for me before we wrap is there a call to action for the audience to help them explore the next steps uh Dave what about you any call to action to offer definitely we're at quto smart we're highlighting how we can help companies with their digital Journey so we're or you know reach out to why is the vendor name missing and it turned out like business one of the business unit did a proof of concept with these guys and they gave certain data to them which was exposed now knowing certain exposures like this is a very hard problem so you got to kind of know your vendors from the process and all those things classify those vendors but also have a process of going and uh scouting the internet figuring things out is there something else is there something more which is out there on the internet so uh some of those age cases is also something which organizations typically don't think about but could also be part of your vendor risk yeah good point and and sometimes when we're trying to tackle a huge topic um you know I guess the more practical strategy is just pick one or two things that are tangible and and start doing them so to our audience members if you have any strategies to manage both internal and external thirdparty risks do share with us.

Highlights :

Unveiling the Unknowns: Amidst the proliferation of potential attack surfaces, it's essential to gain insight into the unknowns. By comprehensively assessing security operations and identifying vulnerabilities, organizations can proactively address potential threats before they manifest into breaches.

Meeting Regulatory Reporting Demands: The evolving regulatory landscape necessitates meticulous compliance efforts. Organizations must not only fortify their security posture but also ensure adherence to complex regulatory requirements. This entails robust reporting mechanisms to demonstrate compliance and mitigate regulatory risks effectively.

Leveraging External Partnerships: Collaborating with external partners such as CISO platforms, Fire Compass, and Quantum Smart can provide valuable resources and expertise in navigating security challenges. These partnerships offer insights, tools, and consulting services to bolster organizations' security operations and enhance overall resilience.

Embracing Tangible Strategies: Amidst the enormity of the task at hand, it's crucial to adopt practical strategies that yield tangible results. Organizations can start by focusing on a few key areas, such as vendor risk management or internal security protocols, and gradually expand their efforts.

Sharing Best Practices: Encouraging dialogue and knowledge-sharing within the cybersecurity community is paramount. Organizations can benefit from sharing strategies, challenges, and successes with peers, fostering a collaborative approach to risk management.

As we conclude today's discussion, the imperative for robust third-party risk management and security preparedness remains paramount. By embracing proactive measures, leveraging external partnerships, and prioritizing regulatory compliance, organizations can navigate the complexities of the digital landscape with confidence. Let us heed the call to action, embracing tangible strategies and fostering collaboration within the cybersecurity community to fortify our defenses and safeguard against emerging threats. Together, we can embark on a secure digital journey, equipped with the knowledge and tools to confront the challenges ahead.

Speakers:

Bikash Barai is credited for several innovations in the domain of Network Security and Anti-Spam Technologies and has multiple patents in USPTO. Fortune recognized Bikash among India’s Top 40 Business Leaders under the age of 40 (Fortune 40-under-40).Bikash is also an active speaker and has spoken at various forums like TiE, RSA Conference USA, TEDx etc.Earlier he founded iViZ an IDG Ventures-backed company that was later acquired by Cigital and now Synopsys. iViZ was the first company in the world to take Ethical Hacking (or Penetration Testing) to
the cloud.

https://twitter.com/bikashbarai1

https://www.linkedin.com/in/bikashbarai/

Ms. Nasheen Liu strong reputation in the Technology community is built upon her proven track record as a leader who practices what she preaches. Results driven, focused, determined and creative, Ms. Liu approaches business management with integrity, sound common-sense principles and unconventional strategy. Ms. Liu’s expertise in technology marketing, C-suite conversations and executive branding in the digital age makes her a well-rounded knowledge expert, a skilled listener and an excellent communicator.

https://ca.linkedin.com/in/nasheenliu
https://twitter.com/CsuiteDialogue

Dave Lawy, based in Toronto, ON, CA, is currently a Managing Director at Quantum Smart Technologies, bringing experience from previous roles at Harvard Business Review and Gartner Research Board. Dave Lawy holds a McGill University. Dave Lawy has 6 emails and 1 mobile phone number on RocketReach.

https://ca.linkedin.com/in/davidlawy

Pritha Aash, managing parts of content strategy and marketing in a startup called FireCompass. The team has built things first time in the world and i'm overexcited to be part of it. I decided to share some of it and more. I'm an Information Technology Engineer. Prior to that I did my schooling from Sri Aurobindo, Loreto House, Loreto Convent Entally, Kolkata. I like to volunteer in interest groups, communities to help the world we live in be a better place. Currently volunteer at WWF, Khan Academy, SaveTrees.

https://in.linkedin.com/in/prithaaash

https://twitter.com/prithaaash

As organizations grapple with escalating risks in the digital realm, the imperative for robust risk management has never been more pressing. In this era of increased scrutiny from regulators and stakeholders, businesses are compelled to demonstrate airtight security postures and transparency in their operations. The emergence of Chief Risk Officers, Privacy Officers, and Third-Party Risk Management programs reflects a paradigm shift in how companies approach risk mitigation.

Here is the verbatim discussion:

Similar to what bees is mentioning the tools that he has in place that reduces the burden on the it organizations it allows them to provide that information to the third- party risk management programs and what I've been seeing across the industry customers vendors are going through a lot more scrutiny so the the the customers have have to show to their uh their the customers have to show that that um sorry the vendors have to have to show to their customers the different uh the different measures that they put in place you can't just do business with other companies nowadays without providing some of that evidence that you have the right security posture in place so anything that can automate that anything that can show that hey we we have continuous uh security scanning on our environment here's our exposure here's our external threat uh threat ATT or to surface and that we've scanned it and we've we've put the appropriate measures in place so that that uh it's one of the big drivers that you're seeing in addition to Regulators is that customer vendor relationship that vendor management uh relationship so onboarding offboarding customers working with other vendors uh that is you need to provide some kind of security before it was a MSA you sign you do business with someone now it's show me that you have a good security posture we can connect to your environment and providing that evidence to all your your your vendors or your customers depending on the relationship is a challenge so I would definitely leverage this ass solution to provide me with that evidence that that we've continuously have that program in place uh risk management so that's the other part I know I stayed at a very philosophical level but it's very hard to go tactical it would probably need days or weeks to build a program for risk management now back to nashin the other thing which you mentioned like uh one thing we would be very happy to uh for anybody in the audience um if you would like we would be happy to offer you a kind of uh free discovery of your attex surface and how does the hackers view of your attack surface look like what kind of exposure you have we would be happy to conduct an assessment and provide you with the results so you will have a kind of good view of how does the attack surface look like are there some unknown unknowns any any surprises if you are on Sand and if you don't go enough depth and figure out a really solid structure whatever you build on top of it it really doesn't matter that might look very strong the um the walls and doors and windows but if the fundamentals are not strong it's going to just collapse and that is something which happens a lot with this kind of risk management models the fundamental assumptions and the fundamental models are not strong enough so unless you really have a very mature process I would say like doing some kind of risk quantification like that is very hard so mature not just process very mature organization where you have really tested out those models and there are a lot of organizations who does it decently well like any any underwriter for insurance they have to build a very strong model otherwise their companies at stake right like they have built certain things but even they know that their assumptions has to be tested over a period of time when you do insurance for people's life life insurance they have data for like 50 60 years or even more for this it's new so but they know the RIS they adequate time so if you do not have very high maturity going that route is not very helpful so that's one thing which I wanted to mention then what is the other way to solve this I think a better way or a easier way in certain ways which could also be more practical and more useful is to look at it from the perspective of adversity go and look at Verizon DB and see what kind of attacks the bad guys are doing which are causing Brees look at from that perspective look at the various threat intelligence data and use that information like my adversary or our adversary are XYZ and they use these kind of techniques and they use this kind of attacks so let me prioritize based on that so definitely you can prioritize your assets that's very that's much easier if you know the assets you can prioritize you know which has got high value.

In today's interconnected digital landscape, organizations face heightened risks that demand robust risk management strategies. With the proliferation of data breaches and regulatory scrutiny, the role of Chief Risk Officers, Privacy Officers, and Third-Party Risk Management programs has expanded significantly. As businesses strive to meet compliance requirements and safeguard sensitive information, the need for structured approaches to data management becomes increasingly apparent.

Here is the verbatim discussion:

I have unmuted uh David if you can hear me questions I can see your hand raised so you'll just have to unmute yourself to start talking if there's anybody else who has a question just raise your hand what's happened in because of the increased risk that organizations have you start seeing Chief risk officers privacy officers third party risk management programs expand and you start seeing the demand to provide repeatable predictable output similar to what we were saying it's a program it has to be built in so when you start looking at some of the SAS Solutions or automation or continuous uh Improvement and continuous scanning Security Solutions similar to what bees is mentioning the tools that he has in place that reduces the burden on the it organizations it allows them to provide that information to the thirdparty risk management programs and what I've been seeing across the industry customers vendors are going through a lot more scrutiny so the the the customers have have to show to their uh their the customers have to show that that um sorry the vendors have to have to show to their customers the different uh the different measures that they' put in place you can't just do business with other companies nowadays without providing some of that evidence that you have the right understand more of the question but if you if I was to try and interpret in a a path forward the structured data versus unstructured data and how you would look at that obviously with the like G Sues and the Microsoft they have labeling and different pieces so you need to have your labeling standard you know be it three four labels that you put together um for data categorization when you start looking at the corporate assets and the office documents that's quite easy and anything you save or open you put in a policy DLP that's that's much more straightforward uh but from a categorization tagging perspective of unstructured structured data for commercial system servicing your business uh the best way I I would approach it is that the pieces that you need to classify that are the most critical address those first put those understand your digital crown jewels understand which uh data is critical put that into the appropriate areas be it you know the encryption or the buckets that would then tag them.

Highlights:

Rising Demand for Repeatable and Predictable Outputs: Organizations are under pressure to provide repeatable and predictable risk management outputs, akin to structured programs. This necessitates the adoption of solutions that streamline processes and reduce the burden on IT departments.

Integration of Automation and Continuous Improvement: Solutions such as SAS (Software as a Service) and automation tools facilitate continuous scanning and improvement in security measures. These technologies not only enhance efficiency but also enable organizations to meet the rigorous demands of third-party risk management programs.

Elevated Scrutiny from Customers and Vendors: Both customers and vendors are subject to heightened scrutiny in their business relationships. Vendors must demonstrate their adherence to security standards and provide evidence of robust risk management practices to earn the trust of their clients.

Structured vs. Unstructured Data Management: Classifying and managing data, whether structured or unstructured, poses significant challenges. While tools like G Suite and Microsoft offer labeling features for structured data, a comprehensive approach is required to tackle unstructured data effectively.

Prioritizing Critical Data Assets: Organizations should prioritize the classification and protection of their most critical data assets, often referred to as digital crown jewels. By understanding the value and sensitivity of data, businesses can implement appropriate encryption and access controls to mitigate risks effectively.

In an era where data breaches and regulatory compliance are top concerns, organizations must adapt their risk management strategies to navigate the complexities of the digital landscape. By embracing automation, continuous improvement, and structured data management practices, businesses can enhance their resilience against emerging threats while building trust with customers and partners. Effective risk management is no longer a choice but a necessity for survival and growth in today's dynamic business environment.

Speakers:

Bikash Barai is credited for several innovations in the domain of Network Security and Anti-Spam Technologies and has multiple patents in USPTO. Fortune recognized Bikash among India’s Top 40 Business Leaders under the age of 40 (Fortune 40-under-40).Bikash is also an active speaker and has spoken at various forums like TiE, RSA Conference USA, TEDx etc.Earlier he founded iViZ an IDG Ventures-backed company that was later acquired by Cigital and now Synopsys. iViZ was the first company in the world to take Ethical Hacking (or Penetration Testing) to
the cloud.

https://twitter.com/bikashbarai1

https://www.linkedin.com/in/bikashbarai/

Ms. Nasheen Liu strong reputation in the Technology community is built upon her proven track record as a leader who practices what she preaches. Results driven, focused, determined and creative, Ms. Liu approaches business management with integrity, sound common-sense principles and unconventional strategy. Ms. Liu’s expertise in technology marketing, C-suite conversations and executive branding in the digital age makes her a well-rounded knowledge expert, a skilled listener and an excellent communicator.

https://ca.linkedin.com/in/nasheenliu
https://twitter.com/CsuiteDialogue

Dave Lawy, based in Toronto, ON, CA, is currently a Managing Director at Quantum Smart Technologies, bringing experience from previous roles at Harvard Business Review and Gartner Research Board. Dave Lawy holds a McGill University. Dave Lawy has 6 emails and 1 mobile phone number on RocketReach.

https://ca.linkedin.com/in/davidlawy

Pritha Aash, managing parts of content strategy and marketing in a startup called FireCompass. The team has built things first time in the world and i'm overexcited to be part of it. I decided to share some of it and more. I'm an Information Technology Engineer. Prior to that I did my schooling from Sri Aurobindo, Loreto House, Loreto Convent Entally, Kolkata. I like to volunteer in interest groups, communities to help the world we live in be a better place. Currently volunteer at WWF, Khan Academy, SaveTrees.

https://in.linkedin.com/in/prithaaash

https://twitter.com/prithaaash

In both the US and Canada, financial institutions face heightened regulatory demands, with regulators emphasizing the need for standardized cybersecurity practices and enhanced digital resilience. This blog explores the evolving regulatory landscape and the key expectations outlined by regulators to ensure cybersecurity maturity across the financial sector.

Here is the verbatim discussion:

now Gentlemen let's dive in in both the US and Canada The Regulators are really stepping up and demanding a higher level of sophistication and cyber security maturity from financial institutions so my first question is to you um if you could Dave if you could uh kick it off for us here how are the regulatory demands changing and at a high level what are The Regulators asking for well that's a great question nen uh what we're seeing is more standardization so across the board US and Canada they've stepped up their game similar to many companies where they had to enhance their digital footprint so does The Regulators have to make sure that those digital Footprints are standardized so there's less tolerance for Poe hygiene uh there are better questions better uh maturity matrixes that are going out to evaluate the environments and to make sure that they here to proper standards so that's that's something that's that's uh really helped uh helped provide direction for financial institutions across like very very frequently that's something which is super important another very interesting story this is from my kind of um school days during the school days I remember like um every time Patch Tuesday was out there some new patches came up there was a group of hackers uh who used to immediately go and uh reverse engineer that find out which are the vulnerabilities which has been patched then go and try to write an exploit for that and the goal was going and how quickly can somebody own the university Network so those days it was more like people were doing things at the University Centric manner but fast forward if you look at today I mean the same thing is happening but that is being done by the Bad actors and they're doing it on the entire internet the moment something new comes up they are trying to kind of exploit the entire internet so here is the second kind of realization the first was like we don't know our attack surface we don't

Highlights:

Standardization and Compliance: Regulators in the US and Canada are prioritizing standardization in cybersecurity practices, leaving little room for poor hygiene. Financial institutions are expected to comply with established standards and frameworks, demonstrating a commitment to robust cybersecurity measures.

Enhanced Maturity Assessment: Regulatory bodies are employing more sophisticated maturity matrices to evaluate the cybersecurity posture of financial institutions. These assessments go beyond surface-level evaluations, delving into the intricacies of cybersecurity programs to ensure adherence to industry best practices.

Patch Management and Vulnerability Response: The evolution of cyber threats necessitates proactive patch management and vulnerability response strategies. Regulators emphasize the importance of timely patching and proactive vulnerability assessments to mitigate the risk of exploitation by malicious actors.

Continuous Monitoring and Incident Response: Financial institutions are expected to implement continuous monitoring mechanisms to identify and respond to cyber threats in real-time. Regulators stress the importance of robust incident response plans, ensuring swift and effective responses to security incidents to minimize their impact.

Shift in Threat Landscape: The emergence of sophisticated cyber threats, coupled with the increasing prevalence of exploit automation, underscores the need for heightened vigilance. Regulators urge financial institutions to stay abreast of evolving threat landscapes and adopt proactive measures to protect their digital assets.

As regulatory demands for cybersecurity maturity intensify in the US and Canada, financial institutions must prioritize standardized practices, compliance with established frameworks, and robust cybersecurity measures. By enhancing patch management, vulnerability response, continuous monitoring, and incident response capabilities, organizations can navigate the evolving threat landscape effectively. Moreover, a proactive approach to cybersecurity, informed by a deep understanding of emerging threats, is essential to safeguarding the integrity of financial systems and maintaining regulatory compliance. Through collaboration with regulatory bodies and industry peers, financial institutions can strengthen their cybersecurity posture and uphold the trust of stakeholders in an increasingly digital world.

Speakers:

Bikash Barai is credited for several innovations in the domain of Network Security and Anti-Spam Technologies and has multiple patents in USPTO. Fortune recognized Bikash among India’s Top 40 Business Leaders under the age of 40 (Fortune 40-under-40).Bikash is also an active speaker and has spoken at various forums like TiE, RSA Conference USA, TEDx etc.Earlier he founded iViZ an IDG Ventures-backed company that was later acquired by Cigital and now Synopsys. iViZ was the first company in the world to take Ethical Hacking (or Penetration Testing) to
the cloud.

https://twitter.com/bikashbarai1

https://www.linkedin.com/in/bikashbarai/

Ms. Nasheen Liu strong reputation in the Technology community is built upon her proven track record as a leader who practices what she preaches. Results driven, focused, determined and creative, Ms. Liu approaches business management with integrity, sound common-sense principles and unconventional strategy. Ms. Liu’s expertise in technology marketing, C-suite conversations and executive branding in the digital age makes her a well-rounded knowledge expert, a skilled listener and an excellent communicator.

https://ca.linkedin.com/in/nasheenliu
https://twitter.com/CsuiteDialogue

Dave Lawy, based in Toronto, ON, CA, is currently a Managing Director at Quantum Smart Technologies, bringing experience from previous roles at Harvard Business Review and Gartner Research Board. Dave Lawy holds a McGill University. Dave Lawy has 6 emails and 1 mobile phone number on RocketReach.

https://ca.linkedin.com/in/davidlawy

Pritha Aash, managing parts of content strategy and marketing in a startup called FireCompass. The team has built things first time in the world and i'm overexcited to be part of it. I decided to share some of it and more. I'm an Information Technology Engineer. Prior to that I did my schooling from Sri Aurobindo, Loreto House, Loreto Convent Entally, Kolkata. I like to volunteer in interest groups, communities to help the world we live in be a better place. Currently volunteer at WWF, Khan Academy, SaveTrees.

https://in.linkedin.com/in/prithaaash

https://twitter.com/prithaaash

The cybersecurity landscape is marred by challenges, compounded by a severe shortage of skilled professionals. As organizations strive to adhere to higher standards, combat increasing complexity, and defend against relentless cyber threats, the scarcity of cyber talent emerges as a critical impediment. In this blog, we explore the implications of the cyber talent shortage for financial institutions and strategies to mitigate its impact, including the pivotal role of cyber insurance in bolstering organizational resilience.

Here is the verbatim discussion:

You look at security it's even even worse in terms of the shortage of of staff so it's it's a real challenge to look you know you we've talked about in this discussion how much companies now need to adhere to higher standards uh there are there's more complexity in the environment and then you layer on top of it the the the war on talent and the Cyber Talent Trend where there there are shortage there's been a shortage because cyber Al over the years has been you know has that funnel has not been as strong there hasn't been as many people if you go back 10 20 years ago most of the folks were infrastructur uh half infrastructure half security a lot of people it's a challenge to find Talent so the these the people coming out of the universities there are less of them and the demand is higher than anything hello everyone I welcome you all on behalf of C platform to this today's webinar ceso platform is world's first online community it's Solly dedicated information senior security Executives like C CIO csos cdos directors with 40,000 plus that's why the price is going up as well from cyber insurance and so definitely something to to have to protect yourself uh you need to have the right uh you know putting cyber insurance in place gets you the right teams right right measures in place when you do have those if that does happen and it's it's in many cases you look at the insurers and based on the trends and the information they're providing it's not a matter of if it's a matter of when and how severe so this is one of those mitigating controls.

Highlights:

Escalating Demand vs. Limited Supply: The demand for cybersecurity professionals has skyrocketed in recent years, fueled by regulatory requirements, escalating cyber threats, and growing organizational complexity. However, the supply of skilled professionals has failed to keep pace, resulting in a severe talent shortage across the industry.

Impact on Cybersecurity Posture: The shortage of cyber talent poses significant challenges for financial institutions, hindering their ability to maintain robust cybersecurity postures. With fewer skilled professionals available, organizations struggle to implement effective security measures, conduct timely threat assessments, and respond swiftly to cyber incidents.

Addressing the Talent Gap: Financial institutions adopt various strategies to address the cyber talent gap, including talent development initiatives, strategic partnerships with educational institutions, and recruitment efforts targeting diverse talent pools. Moreover, organizations invest in upskilling existing staff and fostering a culture of continuous learning to enhance their cybersecurity capabilities.

Role of Cyber Insurance: Cyber insurance emerges as a critical risk mitigation strategy for financial institutions grappling with the cyber talent shortage. By providing financial protection against cyber incidents, including data breaches and ransomware attacks, cyber insurance helps organizations offset the impact of security breaches and navigate the aftermath effectively.

Proactive Risk Management: Recognizing the inevitability of cyber incidents, financial institutions prioritize proactive risk management strategies, including comprehensive incident response plans, robust security protocols, and regular cybersecurity assessments. Cyber insurance serves as a crucial component of this risk management framework, complementing proactive security measures with financial protection.

The cyber talent shortage presents formidable challenges for financial institutions, threatening their ability to maintain effective cybersecurity postures in an increasingly hostile digital landscape. To mitigate the impact of the talent gap, organizations must adopt proactive strategies, including talent development initiatives, upskilling efforts, and strategic partnerships. Moreover, cyber insurance plays a pivotal role in bolstering organizational resilience, providing financial protection against cyber risks and enabling institutions to navigate the challenges posed by the talent shortage effectively. By embracing these strategies and leveraging cyber insurance as a risk mitigation tool, financial institutions can enhance their cybersecurity resilience and safeguard their operations against evolving threats.

Speakers:

Bikash Barai is credited for several innovations in the domain of Network Security and Anti-Spam Technologies and has multiple patents in USPTO. Fortune recognized Bikash among India’s Top 40 Business Leaders under the age of 40 (Fortune 40-under-40).Bikash is also an active speaker and has spoken at various forums like TiE, RSA Conference USA, TEDx etc.Earlier he founded iViZ an IDG Ventures-backed company that was later acquired by Cigital and now Synopsys. iViZ was the first company in the world to take Ethical Hacking (or Penetration Testing) to
the cloud.

https://twitter.com/bikashbarai1

https://www.linkedin.com/in/bikashbarai/

Ms. Nasheen Liu strong reputation in the Technology community is built upon her proven track record as a leader who practices what she preaches. Results driven, focused, determined and creative, Ms. Liu approaches business management with integrity, sound common-sense principles and unconventional strategy. Ms. Liu’s expertise in technology marketing, C-suite conversations and executive branding in the digital age makes her a well-rounded knowledge expert, a skilled listener and an excellent communicator.

https://ca.linkedin.com/in/nasheenliu
https://twitter.com/CsuiteDialogue

Dave Lawy, based in Toronto, ON, CA, is currently a Managing Director at Quantum Smart Technologies, bringing experience from previous roles at Harvard Business Review and Gartner Research Board. Dave Lawy holds a McGill University. Dave Lawy has 6 emails and 1 mobile phone number on RocketReach.

https://ca.linkedin.com/in/davidlawy

Pritha Aash, managing parts of content strategy and marketing in a startup called FireCompass. The team has built things first time in the world and i'm overexcited to be part of it. I decided to share some of it and more. I'm an Information Technology Engineer. Prior to that I did my schooling from Sri Aurobindo, Loreto House, Loreto Convent Entally, Kolkata. I like to volunteer in interest groups, communities to help the world we live in be a better place. Currently volunteer at WWF, Khan Academy, SaveTrees.

https://in.linkedin.com/in/prithaaash

https://twitter.com/prithaaash

The cybersecurity landscape is undergoing profound shifts, marked by the recognition that complete protection is unattainable. Instead, the focus has shifted towards detection, response, and remediation, epitomized by the XDR movement. In this blog, we delve into the strategies adopted by financial institutions to provide continuous assurance of their cyber posture in response to these transformative trends, including the pivotal role of cyber insurance in mitigating risks.

Here is the verbatim discussion:

thank you bash I I really love your analogy and then the two trends that you've outlined are really bang on and at this point I also wanted to remind our audience please do chime in and comment in the chat window what are some of the trends that you have observed but more importantly what are some of the tactics you're implementing to provide continuous Assurance of your cyber posture and Dave you know speaking of risk mitigation cyber insurance is another strategy many FIS leverage with mitigating risk is cyber Insurance really that important given what BH just talked about and how does it best serve a organization and I generally kind of look for what are those kind of future directional changes so if I think from that perspective there are two major kind of fundamental shifts which are happening in the cyber security industry which is going to be very important for us um to kind of take us towards the moon now one um interesting change is that as as a industry we realize that we will not be able to protect ourselves whatever we do and that is the reason why came up this drive for detection response and Remediation right and nist came up with that and uh um then the entire set of Technologies also moved into that direction so that is if you look at the xdr movement it's part of that fundamental movement which is happening in the industry which is this realization we cannot protect ourselves always there'll be moments when US and Canada and so it's very clear what they have to follow what they need to do and they have steps to do that with with clear direction from from The Regulators both osie and US Regulators that's a really good uh high level overview Dave and Bash based on what Dave just said how have the financial institutions responded to these asks what are some of the ways financial institutions provide for continuous Assurance of their cyber posture you're on mute.

The cybersecurity landscape has undergone fundamental shifts, with attackers targeting organizations of all sizes and deploying continuous, sophisticated tactics. In response, the industry is witnessing a movement towards continuous defense strategies, exemplified by the rise of XDR (Extended Detection and Response) and the paradigm shift embodied by concepts like zero trust. This blog explores these transformative trends, emphasizing the imperative for organizations, particularly financial institutions, to embrace continuous security measures to mitigate evolving threats effectively.

Here is the verbatim discussion:

there's some fundamental shifts one is it doesn't matter whether you're big or small ransomware guy can attack you and the second change is that these attacks are continuous unlike five years back today the attackers have gone continuous and the moment a new CV is out they're building scripts and scanning the entire internet today there is showan through which you can go and find out which are those vulnerable assets and then there are this bu Bounty programs which feeds this information to the Bounty Hunter so this information of your exposed assets are being continuously sent to them so attacks are continuous that's the second thing now because attacks are continuous our defense also has to be continuous so there is also a movement which is happening in the industry which is the continuous movement one is the xdr movement and the other is the continuous moving to continuous movement and that is happening in many different shapes and forms like if you look at the zero trust and zero trust I consider is a very bad name because most people misunderstand what zero trust is they consider it's like zero trust you don't trust I mean that's not the idea the idea about zero trust is continuous evaluation of trust so that means that you give the password and I'm trusting you right now but if you behave differently I'm going to remove my trust like your trust is going to change so trust is now evaluated continuously so zero trust a better name could have been continuous trust rather than zero trust so look at zero trust even though zero trust looks like something uh but on underlying theme is I and bs7799 Etc if you all remember just before the audit people used to go and get all these printouts and create all these artifacts and show like yes we have something I'm talking about very early days right but now The Regulators are much more mature and they just don't stop there they would like to see the program do you have it's not like you went to gym once do you have a program that you're going to gym every day that's what they want to see because they they're really kind of looking at the Health uh of the cyber security organization and from that perspective there are a lot of things which are essential so one thing which I would suggest is like of course build the program but then see how that program can be made very repeatable and also how can you continuously improve upon that that is another organization so absolutely a must and I would see in in some regions that this would become mandatory depending on um depending on your business it's already become mandatory in some some areas um so yes definitely a tool that needs to be put in place yeah that makes sense and how can financial institutions best demonstrate their actually adhering to security standards and and compliance Frameworks how are these standards maintained and updated and I know bash you said you're not a standards guy per se but would you like to kick off the answer and then we'll have uh Dave expand on that.

Highlights:

Continuous Threats: The evolution of cyber threats transcends organizational size, with ransomware attacks and continuous scanning becoming ubiquitous. Threat actors leverage automated tools and exploit vulnerabilities promptly, necessitating a paradigm shift in defense strategies.

Continuous Defense: In response to the relentless nature of cyber threats, organizations are adopting continuous defense mechanisms. Concepts like zero trust advocate for the continuous evaluation of trust, reflecting a departure from traditional perimeter-based security models towards dynamic, context-aware approaches.

Compliance and Standards: Regulatory bodies demand more than mere compliance; they seek assurance of robust security programs capable of withstanding continuous threats. Financial institutions must not only adhere to established standards and frameworks but also demonstrate the repeatability and continuous improvement of their security practices.

Maintaining and Updating Standards: While compliance with standards and frameworks is essential, organizations must go beyond checkbox exercises. They must establish processes for maintaining and updating standards, ensuring alignment with evolving threats, regulatory requirements, and industry best practices.

Demonstrating Adherence: Financial institutions face the challenge of demonstrating adherence to security standards and compliance frameworks effectively. Beyond documentation, they must showcase the operationalization of security measures, highlighting a culture of continuous improvement and resilience.

As cyber threats evolve in sophistication and frequency, financial institutions must adapt their cybersecurity practices accordingly. Embracing continuous defense strategies, such as those embodied by concepts like XDR and zero trust, is essential to thwarting relentless attacks. Compliance with security standards and frameworks is necessary but insufficient; organizations must prioritize the repeatability and continuous improvement of their security programs. By demonstrating operational adherence to security standards and fostering a culture of continuous improvement, financial institutions can bolster their resilience against the evolving threat landscape and enhance trust with stakeholders.

Speakers:

Bikash Barai is credited for several innovations in the domain of Network Security and Anti-Spam Technologies and has multiple patents in USPTO. Fortune recognized Bikash among India’s Top 40 Business Leaders under the age of 40 (Fortune 40-under-40).Bikash is also an active speaker and has spoken at various forums like TiE, RSA Conference USA, TEDx etc.Earlier he founded iViZ an IDG Ventures-backed company that was later acquired by Cigital and now Synopsys. iViZ was the first company in the world to take Ethical Hacking (or Penetration Testing) to
the cloud.

https://twitter.com/bikashbarai1

https://www.linkedin.com/in/bikashbarai/

Ms. Nasheen Liu strong reputation in the Technology community is built upon her proven track record as a leader who practices what she preaches. Results driven, focused, determined and creative, Ms. Liu approaches business management with integrity, sound common-sense principles and unconventional strategy. Ms. Liu’s expertise in technology marketing, C-suite conversations and executive branding in the digital age makes her a well-rounded knowledge expert, a skilled listener and an excellent communicator.

https://ca.linkedin.com/in/nasheenliu
https://twitter.com/CsuiteDialogue

Dave Lawy, based in Toronto, ON, CA, is currently a Managing Director at Quantum Smart Technologies, bringing experience from previous roles at Harvard Business Review and Gartner Research Board. Dave Lawy holds a McGill University. Dave Lawy has 6 emails and 1 mobile phone number on RocketReach.

https://ca.linkedin.com/in/davidlawy

Pritha Aash, managing parts of content strategy and marketing in a startup called FireCompass. The team has built things first time in the world and i'm overexcited to be part of it. I decided to share some of it and more. I'm an Information Technology Engineer. Prior to that I did my schooling from Sri Aurobindo, Loreto House, Loreto Convent Entally, Kolkata. I like to volunteer in interest groups, communities to help the world we live in be a better place. Currently volunteer at WWF, Khan Academy, SaveTrees.

https://in.linkedin.com/in/prithaaash

https://twitter.com/prithaaash

Cybersecurity isn't a one-time activity but a continuous effort that demands integration into every aspect of system design, build, and deployment. In a landscape rife with complexities and evolving threats, manual approaches are unsustainable. Instead, a programmatic approach, embedding security into the fabric of operations, is imperative. This blog explores the necessity of incorporating security from the outset and highlights insights from industry leaders, Bicash and Dave Loi, on the proactive integration of security into organizational processes.

Here is the verbatim discussion:

ree it's a matter of how you design build and deploy your systems and it can't be a one-time activity it's too much effort it's it's too much to manage maintain sustain that in a um in a way that's very manual so it has to be programmatic and that's where from the build process the design process build process sustaining process today we have Dev SEC Ops we have other Buzz terms that are out there but ultimately uh security has to be built into your design security has to be uh running all the time and not put on afterwards we often hear this it's it's put in after the fact it has to be part of the process baked into the process to be to be part of your sustaining uh systems and that complexity to manage be it hundreds of processes Services other things that even a small business today has where before they did not you need to under his name a Fortune Magazine 40 under 40 bicash is well known on the global speaking circuit on cyber security matters appearing at RSA Conference USA Singapore interrup USA tedex just to name a few Dave laui is a senior technology executive and co-founder of quantum smart he is a seasoned Tech leader with over 20 years of experience in highly regulated environments such as insurance banking Pharmaceuticals retail and payments he's also a member of the Gardner research board and an advisor to sure so I love technology and problem problem I me solving the core problem but of course like standards is something which we need to continuously work with and also work on and also been part of developing some of those Frameworks Etc so um if you look at The Regulators now there had been a time when The Regulators used to come and ask you like show this they to look at the policy and they us to look at some artifacts and leave now Regulators are increasingly looking for like is this a program or is it like you are just cooking up the data to show us like very early days of PC c i and bs7799 Etc if you all remember just before the audit people used to go and get all these printouts and create all these artifacts and show like yes we have something I'm talking about very early days right but now The Regulators are much more mature and they just don't stop there they would like to see the program do you have it's not like you went to gym once do you

Highlights:

Programmatic Security: Effective cybersecurity cannot be retrofitted; it must be ingrained from the inception of systems. From the design phase to sustaining processes, security protocols need to be seamlessly integrated, transcending buzz terms like DevSecOps, to ensure continuous protection.

Complexity Management: The modern business landscape is characterized by a myriad of processes and services, even for small enterprises. Managing this complexity requires a strategic approach, where security frameworks are diligently applied to streamline operations and mitigate risks.

Industry Expertise: Leaders like Bicash, renowned for their global contributions to cybersecurity discourse, emphasize the importance of proactive security measures. By advocating for the incorporation of security into the design and build phases, they underscore its intrinsic role in sustaining business resilience.

Regulatory Compliance: Regulatory bodies are increasingly scrutinizing cybersecurity programs, moving beyond surface-level assessments to evaluate the efficacy of security measures. This necessitates a shift towards comprehensive security programs, rather than ad-hoc compliance efforts.

Continuous Improvement: In an ever-evolving threat landscape, adherence to standards and frameworks is paramount. Industry leaders, like Dave Loi, advocate for ongoing refinement of security protocols, ensuring alignment with emerging threats and regulatory requirements.

Integrating security into every phase of system development and deployment is no longer a luxury but a necessity in today's digital landscape. By adopting a programmatic approach, organizations can effectively manage complexities and sustain robust cybersecurity postures. Industry insights from thought leaders like Bicash and Dave Loi underscore the importance of proactive security measures and continuous improvement to navigate evolving threats and regulatory demands. Embracing this ethos of security-by-design is paramount in building cyber resilience and safeguarding against emerging risks.

Speakers:

Bikash Barai is credited for several innovations in the domain of Network Security and Anti-Spam Technologies and has multiple patents in USPTO. Fortune recognized Bikash among India’s Top 40 Business Leaders under the age of 40 (Fortune 40-under-40).Bikash is also an active speaker and has spoken at various forums like TiE, RSA Conference USA, TEDx etc.Earlier he founded iViZ an IDG Ventures-backed company that was later acquired by Cigital and now Synopsys. iViZ was the first company in the world to take Ethical Hacking (or Penetration Testing) to
the cloud.

https://twitter.com/bikashbarai1

https://www.linkedin.com/in/bikashbarai/

Ms. Nasheen Liu strong reputation in the Technology community is built upon her proven track record as a leader who practices what she preaches. Results driven, focused, determined and creative, Ms. Liu approaches business management with integrity, sound common-sense principles and unconventional strategy. Ms. Liu’s expertise in technology marketing, C-suite conversations and executive branding in the digital age makes her a well-rounded knowledge expert, a skilled listener and an excellent communicator.

https://ca.linkedin.com/in/nasheenliu
https://twitter.com/CsuiteDialogue

Dave Lawy, based in Toronto, ON, CA, is currently a Managing Director at Quantum Smart Technologies, bringing experience from previous roles at Harvard Business Review and Gartner Research Board. Dave Lawy holds a McGill University. Dave Lawy has 6 emails and 1 mobile phone number on RocketReach.

https://ca.linkedin.com/in/davidlawy

Pritha Aash, managing parts of content strategy and marketing in a startup called FireCompass. The team has built things first time in the world and i'm overexcited to be part of it. I decided to share some of it and more. I'm an Information Technology Engineer. Prior to that I did my schooling from Sri Aurobindo, Loreto House, Loreto Convent Entally, Kolkata. I like to volunteer in interest groups, communities to help the world we live in be a better place. Currently volunteer at WWF, Khan Academy, SaveTrees.

https://in.linkedin.com/in/prithaaash

https://twitter.com/prithaaash

In an era marked by evolving cyber threats and stringent regulatory requirements, financial institutions face a daunting challenge in maintaining robust cybersecurity postures. Amidst talent shortages and escalating complexities, effective risk management becomes paramount. This blog delves into the strategies employed by these institutions to mitigate exposure, emphasizing the significance of cyber insurance in bolstering their resilience.

Here is the verbatim discussion:

you have observed but more importantly what are some of the tactics you're implementing to provide continuous Assurance of your cyber posture and Dave you know speaking of risk mitigation cyber insurance is another strategy many FIS leverage with mitigating risk is cyber Insurance really that important given what bicash just talked about and how does it best serve a organization well I'll play on bat's uh analogy sometimes you need many fingers to Point At The Moon And so in this case this would be one of to this today's webinar C platform is world's first online community it's Solly dedicated by information senior security Executives like ceso CIO csos cdos directors more with 40,000 class professionals glob and 5,000 Plus members today's session is on for financial ins he can we just check maybe we'll restart that quick because I think need to go on mute to some of the attendees or some of the other areas I didn't quite get you did oh no it's okay just there was some background noise maybe if you can repeat ah okay sure thank you I'll just restart again thank thank you so much uh hello everyone I welcome you on behalf of ceso platform ceso platform is the world's first online community solely dedicated for information senior security Executives cesos cios csos cdos directors and more with 40,000 plus professionals globally and 5,000 Plus members do join us if you're one of them today's session is on exposure management for financial institutions to overcome resource limitations and Regulatory reporting our speakers today are Dave Loi and this session will be moderated by nashen Le partner at CIO program strategy nine has been in the technology industry and to the audience what are your observations on this Talent topic and do the resource challenges resonate with you and how are you addressing it and do share and use the chat window to um to sh to voice your your opinion as well and let's move on to the next question which is very exciting so given all the challenges that we've discussed what are some of the more effective strategies for managing exposure in the face of talent shortage and increasingly complex regulatory demands uh bash your your view on this sure sure um so there are a couple of things which I would like to maintain uh or I'd like to talk about today but there are many other things which needs to be done but these are like two things which are more.

Highlights:

Continuous Assurance: Financial institutions employ tactics such as regular risk assessments, vulnerability scanning, and penetration testing to ensure ongoing vigilance over their cyber posture. By leveraging automated tools and robust frameworks, they strive for comprehensive threat visibility.

Cyber Insurance: Despite debates surrounding its efficacy, cyber insurance emerges as a critical risk mitigation strategy. By providing financial protection against data breaches, ransomware attacks, and other cyber incidents, it serves as a vital component of an organization's risk management arsenal.

Talent Shortage and Regulatory Compliance: Resource limitations and complex regulatory mandates pose formidable challenges for financial institutions. To navigate these hurdles, they adopt innovative approaches, including talent development initiatives, strategic partnerships, and outsourcing arrangements, to augment their cybersecurity capabilities.

Exposure Management Strategies: In the face of talent shortages and regulatory demands, financial institutions prioritize proactive exposure management. This entails robust incident response plans, comprehensive data protection measures, and strategic investments in emerging technologies such as AI and machine learning.

Collaboration and Knowledge Sharing: Recognizing the collective nature of cyber threats, financial institutions actively participate in industry forums, such as the CISO platform, to exchange insights, best practices, and threat intelligence. This collaborative approach fosters a culture of resilience and adaptability across the sector.

In the dynamic landscape of cybersecurity, financial institutions must adopt a multi-faceted approach to manage exposure effectively. By embracing continuous assurance measures, leveraging cyber insurance, and addressing talent shortages through innovative strategies, they can fortify their defenses against evolving threats. Moreover, fostering collaboration and knowledge sharing within the industry reinforces their ability to adapt to emerging challenges and safeguard the integrity of global financial systems.

Speakers:

Bikash Barai is credited for several innovations in the domain of Network Security and Anti-Spam Technologies and has multiple patents in USPTO. Fortune recognized Bikash among India’s Top 40 Business Leaders under the age of 40 (Fortune 40-under-40).Bikash is also an active speaker and has spoken at various forums like TiE, RSA Conference USA, TEDx etc.Earlier he founded iViZ an IDG Ventures-backed company that was later acquired by Cigital and now Synopsys. iViZ was the first company in the world to take Ethical Hacking (or Penetration Testing) to
the cloud.

https://twitter.com/bikashbarai1

https://www.linkedin.com/in/bikashbarai/

Ms. Nasheen Liu strong reputation in the Technology community is built upon her proven track record as a leader who practices what she preaches. Results driven, focused, determined and creative, Ms. Liu approaches business management with integrity, sound common-sense principles and unconventional strategy. Ms. Liu’s expertise in technology marketing, C-suite conversations and executive branding in the digital age makes her a well-rounded knowledge expert, a skilled listener and an excellent communicator.

https://ca.linkedin.com/in/nasheenliu
https://twitter.com/CsuiteDialogue

Dave Lawy, based in Toronto, ON, CA, is currently a Managing Director at Quantum Smart Technologies, bringing experience from previous roles at Harvard Business Review and Gartner Research Board. Dave Lawy holds a McGill University. Dave Lawy has 6 emails and 1 mobile phone number on RocketReach.

https://ca.linkedin.com/in/davidlawy

Pritha Aash, managing parts of content strategy and marketing in a startup called FireCompass. The team has built things first time in the world and i'm overexcited to be part of it. I decided to share some of it and more. I'm an Information Technology Engineer. Prior to that I did my schooling from Sri Aurobindo, Loreto House, Loreto Convent Entally, Kolkata. I like to volunteer in interest groups, communities to help the world we live in be a better place. Currently volunteer at WWF, Khan Academy, SaveTrees.

https://in.linkedin.com/in/prithaaash

https://twitter.com/prithaaash

The landscape of cybersecurity has undergone significant transformations over the years, reflecting the ever-changing tactics of cybercriminals and the evolving vulnerabilities in digital infrastructure. This blog explores the shifting trends in hacking methodologies, from network-level compromises to the emergence of database security as a critical concern for organizations.

Here is the verbatim discussion:

Completeness and which also helps in the continuity may not be the depth as Ed mentioned esm is more about the bread but for depth you need to go for pentes in probably couple of decades so if I look at the way the hacking landscape has kind of changed over a period of time so it went through a lot of interesting phases so there were times when the hacking used to happen more through compromise of uh the network level vulnerabilities then came a phase where application Level vulnerabilities took over and then a little bit later something very strange happened when the industry went through like two decades of vulnerability assessment penetration testing and all this super cool stuff we started seeing some strange stuff happening in last few years and I'll give you an example one of the strange stu stuff is like one of the topmost names in the financial services companies got compromised because they had a open database without any password.

Highlights :

Historical Phases of Hacking:

• Network-Level Vulnerabilities: In the early stages of hacking, compromises often occurred through exploiting vulnerabilities in network infrastructure, such as unsecured ports or misconfigured firewalls.
• Rise of Application-Level Vulnerabilities: With the proliferation of web applications, hackers shifted their focus to exploiting vulnerabilities in software and web applications, such as SQL injection or cross-site scripting (XSS) attacks.
• Decades of Vulnerability Assessment and Penetration Testing: The cybersecurity industry witnessed a surge in vulnerability assessment and penetration testing, aimed at identifying and remedying security weaknesses in digital systems.

Emerging Trends in Cyber Attacks:

• Database Security: In recent years, the spotlight has shifted towards database security, with incidents of data breaches occurring due to misconfigured or unprotected databases. For example, prominent financial services companies have faced security breaches due to open databases without passwords, highlighting the importance of securing sensitive data at the database level.
• Importance of Depth in Security Measures: While external attack surface management (EASM) provides breadth in identifying digital assets and potential vulnerabilities, depth in security measures is essential to address specific threats, such as database security lapses.

The Need for Comprehensive Security Practices:

• Continuous Assessment and Monitoring: Organizations must adopt a proactive approach to cybersecurity, conducting continuous assessments and monitoring to identify and address vulnerabilities promptly.
• Collaboration with Cybersecurity Experts: Cybersecurity consultants play a crucial role in guiding organizations in implementing comprehensive security practices, including database security measures and vulnerability remediation strategies.

As cyber threats continue to evolve, organizations must adapt their security practices to address emerging vulnerabilities effectively. From network-level compromises to database security lapses, the cybersecurity landscape demands a comprehensive approach to threat mitigation and risk management. By staying vigilant, collaborating with cybersecurity experts, and implementing robust security measures, organizations can enhance their resilience against cyber threats and safeguard their valuable data assets.

Speakers:

Bikash Barai is credited for several innovations in the domain of Network Security and Anti-Spam Technologies and has multiple patents in USPTO. Fortune recognized Bikash among India’s Top 40 Business Leaders under the age of 40 (Fortune 40-under-40).Bikash is also an active speaker and has spoken at various forums like TiE, RSA Conference USA, TEDx etc.Earlier he founded iViZ an IDG Ventures-backed company that was later acquired by Cigital and now Synopsys. iViZ was the first company in the world to take Ethical Hacking (or Penetration Testing) to
the cloud.

https://twitter.com/bikashbarai1

https://www.linkedin.com/in/bikashbarai/

Ed Adams, a seasoned software quality and security expert with over two decades of industry experience. As CEO of Security Innovation and a Ponemon Institute Research Fellow, Ed is renowned for his contributions to advancing cybersecurity practices. With a diverse background spanning from engineering for the US Army to senior management positions in leading tech companies, Ed brings a wealth of expertise to the table.

https://twitter.com/appsec

https://www.linkedin.com/in/edadamsboston

Paul Dibello, based in Duxbury, MA, US, is currently a Senior Vice President Global Business Development at ShadowDragon, bringing experience from previous roles at FireCompass, R9B, Virtru Corporation and iSIGHT Partners - A FireEye Company. Paul DiBello holds a 1986 - 1990 Bachelor of Arts (BA) in Economics @ Princeton University. With a robust skill set that includes Software, Sales, Project Management, Development, Operations and more, Paul DiBello contributes valuable insights to the industry.

https://www.linkedin.com/in/pauldibello11

Tejas Shroff based in Boston, MA, US, is currently a Software Engineer at Tangle, bringing experience from previous roles at Aperion Studios, XPO Logistics, Inc., Oculus VR and Beach Day Studios. Tejas Shroff holds a 2019 - 2019 UX Design Immersive in Design & User Experience @ General Assembly. With a robust skill set that includes Leadership, Social Networking, Start Ups, Social Media, Teamwork and more, Tejas Shroff contributes valuable insights to the industry.

https://www.linkedin.com/in/tejasshroff