ISC West 2016 Conference Wrap – Connected Death

Last week I had the opportunity to attend ISC West, billed as the “largest security industry trade show in the U.S.” Held annually at the Sands Expo in Las Vegas, the show features over 1000 exhibitors and is attended by over 28000 security professionals.

IoT Vendors at Connected Security 2016

Make no mistake, ISC West is largely a physical security conference. The sheer number of cameras, access control solutions, retractable electronic bollards, electrified fencing and, oddly, skin care vendors was staggering.

For the first time, the show included the Connected Security Expo, a cybersecurity conference within the larger conference. This is a recognition that many of the aforementioned vendors now manufacture internet-connected devices that need to be secured (with the probable exception of the skin care vendors).

I was pleasantly surprised at both the execution and content of the expo. A successful conference for me is largely defined by what I learned. My thoughts about the conference, based on my multiple personalities, er, personas…

As a Technologist – Very Cool. As a corporation you can actually buy a drone fleet and patrol your perimeter, then deploy a robot to investigate and intercept violators, all remotely controlled and monitored.

As a CISO – Abject Fear. Very few of these IoT device manufacturers appear to have any expertise in cybersecurity. I’ve probably spent more time thinking about their supply chain and secure software practices than they have.

As a Security Entrepreneur – Unlimited business opportunities abound. See CISO thoughts above.

We can expect 200 billion new devices to come online by 2020, according to Matthew Rosenquist of Intel. Many of these devices will impact life and safety; vehicle control systems and medical devices are examples. The bad news is that a significant amount of blood will be spilled in the next few years. Innovation has always outpaced cybersecurity, but now the consequences of failure include the likelihood that people will die.

Are we ready for this connected future? We had better be. There is no other choice.

Security Program Hacks – Using Security Liaisons as Force Multipliers for your Security Program. (Part 2)

Part 1 introduced the concept of transforming a paper “security contact” into a security liaison for your organization.

My experience working with organizations is that, while most have a security contact attached to an asset or functional area, many of the designated contacts, when asked, are surprised to learn of their role. This is a sure indication of checkbox compliance and a missed opportunity.

Creating a security liaison program is an exercise in taking a latent asset tied to a compliance objective and activating that person to become an active participant in the overall security of the organization.

How can this be accomplished?

  • Policy – Authorize the security liaison program by writing it into your overall security policy. Define the role and overall responsibilities of the liaison. I’ve found that the liaison program tends to map closely to the security steering committee, so placing this section immediately following the steering committee section makes sense.
  • Process – Make it real. Make it auditable. Meet regularly with your security liaisons and document those meetings much as you would for the security committee. A functioning security liaison program can be used as a control at audit time to show the maturity of security within your organization.
  • Empower/Enable – Assign real responsibilities. Enable your security liaisons to participate in your risk management program and other key areas. Empower them to drive improvements to the security of the organization by encouraging them to ask hard questions that may not have easy answers. Empower your liaisons by allowing them to communicate and report issues and progress to the security committee and leadership.

Final Comments

The overall goals of any security program are to reduce risk and increase security. Adding security liaisons can be a key component of your overall security strategy. A group created with zero additional headcount, authorized by policy and doing your security bidding? It is only a dream if you don’t act.