May 14, 2024

RSA ‘24 Security Roundup

by Brinqa Security Team

Spotlight on Exposure Management and Proactive Security Fundamentals

As we wrap up another hectic RSA Conference, it’s time to extract actionable lessons from the noise in order to shape our strategies and investments in the year ahead. As the saying goes, when you’re a hammer, everything looks like a nail. So, to the Brinqa team, the topic on everyone’s minds this year was how to take a practical approach to proactive security during another year of extreme efficiency measures. In particular, how can security leaders understand their exposures, communicate that risk to responsible parties, and uphold accountability for reducing exposures? After all, leaders are under increasing pressure to keep up with the steep rise in new vulnerabilities and growing complexity of the attack surface.

CISOs Speak About Proactive Security

One of the highlights at RSA 2024 was the Brinqa CISO panel held at The Box SF. We took a deliberate approach this year, aiming the spotlight on practitioners and customers rather than our own marketing messages, though the Breach Fighter glow-in-the-dark t-shirts were still a big hit!

We wanted to give the stage to the CISOs shaping the future of vulnerability management, encouraging them to share the benefits of their experience and the best practices they’ve honed. In these discussions, practical experience took precedence over buzzwords, as Colin Anderson of Dayforce, Jim Desmond from Asurion, Laura Whitt Winyard from Hummingbird, and Timothy Youngblood, formerly at T-Mobile, got candid with attendees. In rapid-fire succession, each shared tales of wins, losses, and lessons learned pursuing the grail of proactive security.

Here are just a few highlights of the advice they shared:

Move From “No” to “Know” with Proactive Risk Management

Jim Desmond kicked off the discussion with some bold advice for all CISOs: “The ‘Department of No’ must evolve into a proactive ‘Department of Know.’ As risk managers, our priority is preserving the bottom line. This requires leveraging technology, understanding risk contexts, and fostering interdepartmental collaboration to effectively mitigate threats.”

As a trailblazer in the world of proactive security at Asurion, Jim is charting the course for understanding his organization’s risk and knowing exactly what should be prioritized to mitigate risks. He went on to say, “at startups, executives, founders, or decision-makers face a different risk dynamic compared to established institutions like banks or Fortune 1000 companies. They must assess and address risks for competitiveness. Clear documentation of risks and potential outcomes empowers informed decision-making.”

Harness the Power of Technology

As an investor and long-time CISO, Timothy Youngblood was the first to chime in on the role of technology in helping modernize security practices. He focused on the role of artificial intelligence (AI) systems in both creating new risks and controlling them, sharing “technology, particularly AI and machine learning, offers valuable tools for managing risks, improving efficiency through automation, and securing data. Most agree we wouldn’t be able to keep up with the steep rise in threats without purpose-built tools designed to track and report on what matters to their business.”

Laura Whitt Winyard agreed and shared practical resources with the crowd, advocating that security pros familiarize themselves with the MITRE ATLAS framework to learn more about modeling AI-specific threats. ATLAS is a knowledge base of adversary tactics, techniques, and real-world case studies that can be used to anticipate and detect threats to AI systems before attackers can exploit them. By identifying vulnerabilities and weaknesses in the system, organizations can take appropriate measures to protect against attacks.

Laura also stressed the need for robust security measures to safeguard AI models and data, as this is a risky new landscape with lots of unknowns. She advised, “in the AI race, it’s crucial to closely examine every aspect, from generating AI to uploading data into platforms like ChatGPT. Collaboration between security and data teams is essential to fortify models against threats and ensure they’re protected from vulnerabilities and backdoors.”

Managing Risk Requires Context

As Colin moved the conversation to the topic of risk management, Jim Desmond provided more valuable insights into techniques for assessing and managing risk amid today’s complex environment. He emphasized the importance of ‘context’ in risk management, noting that individual risk profiles can vary based on factors such as risk tolerance and program maturity. When evaluating risk, he stressed the significance of understanding the context surrounding vulnerabilities, such as whether they pertain to systems still in use, their exploitability, and their prevalence in the wider landscape.

Jim wrapped up by highlighting the need to contextualize risks to determine their true threat level, advocating for a shift towards a more threat-centric approach in reporting to the board. He noted, “I’ve seen so many systems say I have this many vulnerabilities or 1400 types of vulnerabilities. But what does that mean? Is this a system that we even use anymore? Is it an internal or an external system?” Rather than focusing solely on providing a sense of security, Jim suggested presenting risks in terms of the potential threats to data and the effectiveness of existing controls. Learn more about how he does this in this video on building a Risk Operations Center.
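To make the panel’s point concrete, here is an added example (not code from Brinqa or from any panelist) of what “context” changes in practice. It takes a handful of constructed findings and asset records and ranks them first by raw CVSS, then by a context-aware score that zeroes out decommissioned systems, weights exploitability, internet exposure, data sensitivity and prevalence, and discounts for a compensating control. The weights, the asset attributes and the `VULN-000x` identifiers are all assumptions chosen for illustration, not a published scoring scheme.

```python
"""Context-aware vulnerability prioritization (illustrative, constructed data).

A raw count of findings, or a list sorted by CVSS, answers none of the
questions raised on the panel: is the system still in use, is it external,
is the bug actually exploitable, and what controls already sit in front of it.
The scoring below is a hypothetical scheme that folds those answers in.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    in_use: bool             # decommissioned assets carry no live risk
    internet_facing: bool    # external vs. internal system
    data_sensitivity: str    # "public", "internal" or "confidential"
    controls: tuple          # compensating controls in place, e.g. ("waf",)


@dataclass(frozen=True)
class Finding:
    vuln_id: str             # placeholder identifier, not a real CVE
    asset: str               # name of the affected Asset
    cvss: float              # base severity as reported by the scanner
    exploit_known: bool      # public exploit or active exploitation reported
    prevalence: float        # fraction of the fleet affected, 0.0 .. 1.0


# Assumed weights: how much each piece of context moves the score.
SENSITIVITY_WEIGHT = {"public": 0.5, "internal": 1.0, "confidential": 2.0}
EXPLOIT_MULTIPLIER = 2.0
EXTERNAL_MULTIPLIER = 1.5
WAF_DISCOUNT = 0.7  # credit for a WAF in front of an internet-facing asset


def contextual_score(finding: Finding, asset: Asset) -> float:
    """Return a context-adjusted priority score for one finding."""
    if not asset.in_use:
        return 0.0  # the "do we even use this anymore?" question
    score = finding.cvss
    score *= EXPLOIT_MULTIPLIER if finding.exploit_known else 1.0
    score *= EXTERNAL_MULTIPLIER if asset.internet_facing else 1.0
    score *= SENSITIVITY_WEIGHT[asset.data_sensitivity]
    score *= 1.0 + finding.prevalence  # widespread issues cost more to leave open
    if asset.internet_facing and "waf" in asset.controls:
        score *= WAF_DISCOUNT  # existing control reduces, but does not erase, risk
    return round(score, 2)


def raw_cvss_order(findings: list) -> list:
    """The scanner's view: vulnerability ids sorted by base CVSS only."""
    return [f.vuln_id for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]


def prioritize(findings: list, assets: dict) -> list:
    """Rank findings by contextual score; returns (vuln_id, score) pairs."""
    scored = [(f.vuln_id, contextual_score(f, assets[f.asset])) for f in findings]
    return sorted(scored, key=lambda row: row[1], reverse=True)


def board_summary(findings: list, assets: dict) -> dict:
    """Threat-centric rollup: what is exposed, rather than how many findings exist."""
    live = [f for f in findings if assets[f.asset].in_use]
    exploited_on_confidential = [
        f.vuln_id for f in live
        if f.exploit_known and assets[f.asset].data_sensitivity == "confidential"
    ]
    return {
        "total_findings": len(findings),
        "on_decommissioned_assets": len(findings) - len(live),
        "exploitable_against_confidential_data": exploited_on_confidential,
        "top_priority": prioritize(findings, assets)[0][0],
    }


# Constructed sample data (not real assets or findings).
ASSETS = {
    "web-store": Asset("web-store", True, True, "confidential", ("waf",)),
    "hr-portal": Asset("hr-portal", True, False, "confidential", ("mfa",)),
    "legacy-cms": Asset("legacy-cms", False, True, "internal", ()),
    "wiki": Asset("wiki", True, False, "internal", ()),
}
FINDINGS = [
    Finding("VULN-0001", "legacy-cms", 9.8, True, 0.1),   # critical, but retired host
    Finding("VULN-0002", "web-store", 7.5, True, 0.3),    # exploited, external, PII
    Finding("VULN-0003", "hr-portal", 8.8, False, 0.05),  # internal, no known exploit
    Finding("VULN-0004", "wiki", 9.1, False, 0.6),        # widespread, low-value data
]

if __name__ == "__main__":
    print("By CVSS only:  ", raw_cvss_order(FINDINGS))
    print("With context:  ", prioritize(FINDINGS, ASSETS))
    print("Board summary: ", board_summary(FINDINGS, ASSETS))
```

Run as a script, the CVSS-only list puts the decommissioned host first and the actively exploited, internet-facing store last; the contextual ranking inverts that order, which is exactly the gap between “1400 vulnerabilities” and a statement about threats to data and the controls around it.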

Be Prepared and Resilient

Later in the presentation, Timothy Youngblood spoke about cyber resiliency and business continuity. “Cyber resiliency is about keeping business operations intact even during an attack. How do you keep business going amidst an attack? By conducting crisis management exercises, such as simulating cyber incidents like ransomware attacks, you can fortify preparedness and sustain operations even in the face of adversity.”

Tim encouraged security leaders to play out scenarios to grasp their essence, asking “how many of you have participated in your company’s crisis management exercises? If not, advocate for a ransomware attack simulation to involve key stakeholders and truly grasp its impact.” He added that security leaders should “adopt a proactive mindset by comprehensively managing assets, conducting red team exercises, and embracing a Zero Trust framework for identity and infrastructure management. Understanding the business context is key to proactive decision-making.”

Navigate Legal Compliance Through Collaboration

It’s well understood that legal compliance and disclosure decisions are crucial in cybersecurity risk management. But how do you determine what is material, and how do you maintain ethical transparency with leadership and stakeholders? Jim advised “when faced with significant events requiring CEO or board-level notification, you must engage legal expertise to assess materiality. Collaboration between security, legal, and executive teams is vital in determining the gravity of the situation, especially regarding financial implications. By aligning with legal definitions and material thresholds, organizations ensure ethical transparency and effective decision-making.”

This collaborative approach underscores the importance of integrating business operations understanding into cybersecurity programs, providing a foundation for assessing materiality accurately. Ultimately, seeking legal guidance helps affirm the significance of events and guides appropriate disclosure and response actions.

Bringing it All Together to Proactively Manage Risk

Frankly, there were far too many valuable lessons from this panel to cover in a single post, so we’ll be diving deeper into specific advice in the coming weeks. The common thread among our panelists and their stories, however, was the role of visibility, context, collaboration, and readiness in reducing risk for their businesses. These leaders have moved on from chasing every vulnerability and perpetual crisis management to a more calculated approach.

Bookmark this blog to keep up as we publish best practices, actionable frameworks, and practical advice on how to make the shift to a more calculated, proactive exposure management model like the Risk Operations Center (ROC) Nestlé built. And, as always, if you’d like to see the new version of Brinqa’s platform, take a look at our Product Demo Video or book a demo.
