Global InfoSec Panel: Securing Your Applications, Business & Tech in 2023 and Beyond
00:00:00
Speaker 1: Hello and apologies to everybody for the slight delay that we faced. There were some technical issues which we have now resolved. Welcome to the Bright panel. If you’ve been living under a rock for the past couple of years, you might not have heard of Bright. Bright is a DAST-centric enterprise Dynamic Application Security Testing tool. It empowers application security and development teams to find and fix vulnerabilities at every step in the development lifecycle. If you’d like to find out more, visit our website brightsec.com and find a way to boost your application development security together with. Now, tempting as it may be, we are not here to talk about Bright. Right now we are attending a panel titled Securing Your Applications, Business & Tech in 2023 and Beyond. To back up that lofty title, we are here with prominent infosec leaders from around the globe, and we are going to use these 60 minutes to discuss the evolving security landscape, emerging threats, and risk management strategies to help secure your organization. With us today are the aforementioned prominent leaders. I would kindly ask for a couple of words about yourselves; we can start with who I have here in my window. Mr. Jasmin Azemović, would you introduce yourself?
00:01:54
Speaker 2: Okay. Thank you very much. Hello, everybody. My name is Jasmin Azemović. Currently, I’m in Bosnia and Herzegovina, working as a CISO in Mistral, as part of the corporation and company. And also, I have an academic career behind me, so I also have teaching experience. For the last, let’s say, 20 plus years, but ten years in rough temper, I’m dealing with cybersecurity mostly, mostly from the process of creating the software. So basically it’s about that. Thank you.
00:02:30
Speaker 1: Thank you, Richard. Hello. Hey, Loris. How are you? Good to see you again. Thanks, everybody. I’m Rich Moore. I’m the CEO of Cyber Six. I’ve been a Fortune 100 CISO. This is my 30th year in cybersecurity. We currently provide a virtual CISO business for companies across the globe who can’t afford a Fortune 100 CISO, so.
00:03:05
Speaker 2: Hey. Hi. Hi. Good day. So this is Illyas Kooliyankal. I am based in the UAE, near Dubai, in Abu Dhabi. I hope you guys have heard about it. I have actually worked in cybersecurity for the last 27 years, almost, like maybe since when I started. I was CISO of a bank, Abu Dhabi Islamic Bank, just recently. Now, for the last one and a half months, I’ve actually started my own cybersecurity firm, which is called Cyber Shelter. And now I’m driving this initiative in the region and across the globe. So I am looking forward to this panel with the wonderful panelists here.
00:03:52
Speaker 1: Thank you very much, Troy. Hello and welcome. Hi.
00:03:57
Speaker 2: How y’all doing? I’m Troy Fine. I work at DRATA. We’re a compliance automation platform. We help companies prepare for SOC 2, ISO 27001, PCI, HIPAA, you name it. And we’re doing that through automation and integrating with your tech stack. My role is, I’m on the customer success team. I’m a director. I was a former auditor, but now my role is advising our customers from a security and compliance perspective. So helping our customers prepare for their audits, making sure their security controls are meeting industry standards, and helping them kind of succeed from both security and compliance. So that’s what my team’s role is. And I lead that team.
00:04:36
Speaker 1: You know, I’m going to jump in here with an unforeseen question. Which side is better for you, the auditor’s side or the client side? Are you?
00:04:48
Speaker 2: Are you the fifth on that one?
00:04:52
Speaker 1: Depends on the day. Okay, that’s. We’ll accept the fifth. Let’s move on. My name is the Voltage. I’m CISO at Bright, and I’m using my over decade-long experience in various aspects of corporate security to keep our employees and our company secure during the day and safe at night. Like Batman, really, only way less cool. So thank you, everybody, for your introductions. Obviously, we have a very, very competent lineup here. I would just like to invite our attendees to feel free to ask questions in the chat. We will make sure to respond to as many as possible that are related to our panel. I mean, we may not get to all of them, but we will certainly try to address everything that we can. Now as to the state of InfoSec today, whoever is following the news can find out that a lot of things are going on right now. Every so often we encounter the news about yet another breach, yet another data leak, yet another security incident. And it’s really hitting everybody, from the smallest companies to the large government agencies; we have seen it only recently with the US military case. How far along and how present is information security in today’s corporate environment? Do companies focus sufficiently on everything that’s going on in the information security world? Is there sufficient focus on those important fields? Rich, you have a military background, and recently it was the U.S. military incident that caught the world’s attention. Would you like to make a statement based on your experience, or some sort of remark on the current state of infosec? Is anybody safe? Sure. Thanks, Loris. So I like to give the statement that if anybody knows the old SANS top 20, it hasn’t changed in 20 years. So we’re still fighting the same issues with protocols. We still look at different types of industries.
Based upon my experience, I think between obviously governmental organizations, and I only mean the intelligence and the defense community, they’re ahead of the game. I think financial services are ahead of the game. But in other industries like manufacturing, health care, retail, we’re still really lacking in the focus that you mentioned. Usually, I hear about the budgetary issues. Usually, I hear about the carelessness of the management board when it comes to treating cybersecurity and information security issues. Is that so? Illyas, what’s your take on those particular usual suspects?
00:08:57
Speaker 2: Yeah. So as Richard mentioned, some of the sectors have grown up a bit because of the regulations applied on them, you know, and many unregulated sectors are still lacking. Now, if I take it in general, globally, I would say cybersecurity or information security still did not get the recognition or importance it should be getting. Now, if you consider any organization, a CFO or a CMO or a CTO is getting a certain space in the executive management or discussion or the prioritization of their initiatives; CISOs are still struggling to get that. You know, and basically because if the CFO is talking, he’s talking about money, and the board and the stakeholders will be having more interest and listening. But CISOs talking about security does not. But what the management or the board is not recognizing is that if the CISO is not doing or getting the job done properly, all the money they are making can be gone in a moment, you know. So in current digitally enabled business, I mean, in every business there is a technology or information dependency. And in this scenario, information security is paramount. You know, and that message, until some incident happens, until the regulatory body is pushing, and a checklist kind of exercise is getting done in many places. And effectiveness is not there because either CISOs or information security doesn’t get the authority to do it. They are accountable, but they’re not getting the authority to get things done. So that is actually even in the financial or governmental sector. I can say that, you know, although there is more attention, it is still not good enough. And if it comes to the region, I’m seeing more and more, you know, kind of, you know, less attention to information security. So the key initiative or the key message is, you know, unless there is an, I mean, after an incident happens, everyone is panicking and then they put a lot of measures in and invest a lot. But till that time, you know, it is not.
So how to communicate to the management or the executive, or how to get it to the board, and how CISOs or security will be, I think in the US, I read that, you know, in government organizations and all, now there is a security representation in the board, which is not in this part of the world. So at least that will give that space or significance for cybersecurity, you know, going forward. And that is absolutely the need of the hour. And it has to be happening; then only it really will be, you know, kind of taking the right shape.
00:12:15
Speaker 1: Yeah, well, I would also add that I agree that we’re very reactionary, right, when it comes to security. We’re not being proactive with it. And just coming from mainly compliance, I’ll be the first one to say that I think we overindex on compliance over security, right? The business can measure compliance, in my opinion, more than they can security, right? Oh, we got this compliance report. We won this business. Right? So the business kind of takes compliance and says, we’re secure, we’re compliant, we got SOC 2, we got ISO, and therefore we start overindexing on it because that’s what the business can measure. Oh, we didn’t have any exceptions or we didn’t have any nonconformity. We’re in security. It’s like, Oh, we promoted this code without any vulnerabilities. Is anybody reporting that up and saying how AppSec helped us, you know, from that perspective? No, because you can’t really tie that to money all the time. So I think we need to use compliance in the right format with security. But I just think business executives really think in terms of what can I measure and what’s going to win me business; answer these security questionnaires because that wins me this work, right. So we really need to navigate away from that, I think, and get the two to work more together to help with this.
00:13:51
Speaker 1: Yeah, Troy, I would agree. I think folks that are trying to elevate the financial problem from cybersecurity are still presenting technical details. No one’s looking at it from that convergence side of compliance and risk. When we really boil it down, cybersecurity is an operational risk, right? And business owners know how to do operational risk because they do it all day long. And I think that’s really where we probably need to focus our efforts as CISOs: talking about the deprived value of assets, maybe how do we look at them from, if I cannot function, what’s the issue that I’m going to have from a revenue stream? Those are the types of things that really, in my opinion, focus the business. Looking at cybersecurity vulnerabilities means nothing to them, but an outage? Absolutely. A regulatory fine? Absolutely. Those types of data, money, that’s where they want to. That’s where we should be focusing. So thanks. I really appreciate it.
Speaker 2: Money talks, then, in cybersecurity and info security as everywhere else. Professor, what’s your take on this? Jasmin, can we hear each other?
00:15:15
Speaker 1: Yes, yes, yes. Thank you. Thank you. My five cents on this is also on the same track. I have the fortune that the management of the company has an understanding of cybersecurity. And also, actually, in the beginning, they gave me an opportunity to start in the right way. So an open hand, the budget planning, decision making. So without any extra layers above me to actually lose myself in the communication. So basically it was good trust, a good start. But there are many examples around me and also around the world where the CISO, especially the CISO and head of security, head of the OPS, I don’t know, has many layers above them to actually bring communication the right way. Also, I like the famous meme about the budget before the breach and after the breach. So basically it’s about that. So when something goes wrong, there is the money, there’s everything, and there’s time. Also, the example about the Uber breach: actually two days after the breach, there were 20 or 30 open job vacancies added on LinkedIn about cybersecurity positions. So now there’s the time, there is the money, there’s everything for that. So yes, it is a constant struggle for security professionals to actually have their voices heard in the wild, especially in their companies. I’m in the IT sector, but it will be surprising that even in IT, especially in a company where actually within the software there is sometimes no understanding about cybersecurity. So it takes time to explain. For example, just to force simple to fail. It takes time or wow, it is a blocker. It will take time. It’s hard to ask, so you know, so basically we need to focus, as my colleague says, on compliance, regulatory. So when it comes about the money and the penalty, everything happens. So the metrics are there.
00:17:18
Speaker 2: I’ll just ask one question about money, and I’m going to start with the question being addressed to Jasmin. It’s related to a question received over the chat. You were obviously one of the lucky ones when it comes to the management board. Have you been asked about ROI, about return on investment, and if yes, how did you go about it? That’s the question for everybody. Where is the return on investment when it comes to information security?
00:17:59
Speaker 1: Okay. Let me try it in a couple of sentences. I don’t know. There are wrong opinions about security, especially in IT. They call us non-billable. What does it mean, not billable? Non-billable means we don’t create the money. But if we fail, there is no money for all of us. So I must say that without cybersecurity in a proper way, risk management, risk analysis, correct numbers, and precise points, you know, if we fail on this, it will fail all, the whole chain of command, all processes will fail. So the company will lose that: the money, the customers, reputation. So it falls apart. So just as I say, risk management, risk analysis, don’t call us non-billable. Try to explain in simple terms why it is important. So again, it will come back to the money, but the money that we need to pay to others, to customers, to regulatory agencies, to court. So to actually defend ourselves. There are many, many examples in my practice about this. But my colleagues also have, I believe, some say in this.
00:19:19
Speaker 2: I mean, I would add, I think ransomware is a perfect example, right? Just because there’s money tied to it, right. So you can actually put dollars and cents in terms of risk, like, you know, even from a recovery standpoint. Right. You might have paid. You know, the ransom might be 3 million, but if you don’t pay the ransom, you know, it might cost you 20 million to recover your systems. I mean, there was that county in New York. I think they’ve been recovering since September, and they’re already at about 20 million. They didn’t pay the ransom, but they’re already out around 20 million. Right. So there are actual numbers now and statistics out there that you can actually leverage and say, oh, here’s our risk, here are the controls that we’re missing. Our backups: we are not taking backups on a regular basis. We can’t restore from them. That’s a high risk for ransomware. Here’s the dollar value that organizations of our similar size are saying it’s taking to recover business. We should implement these controls to reduce that risk. Otherwise, this is our potential financial risk if this occurs for us. So I think ransomware is just an easier example for businesses to understand. It’s an easy concept in terms of cybersecurity. So.
00:20:29
Speaker 1: I would add, one of the ways in which, again, we talked about operational risk in that language that’s used at the business level. There are nine consequences of loss basically in the ISO 3900. That is a global standard and people can understand that. And you could basically, again, I wouldn’t tie ROI, I totally agree with you. I mean, there is no such thing as ROI on cybersecurity. There is no such thing as single loss expectancy. So all of those formulas that you learn to get your CISSP, they don’t actually exist in the real world. What we can look at is exactly what Troy was saying, which is that deprived value for an asset. So if I know this asset brings in X number of revenue dollars and I can tie that to a particular security tool and look at how much cost I’ve got for that, you can actually begin to have those conversations to say, the reason why I implemented this tool, or the reason why I need this additional cost, is for X, whether that’s to control ransomware, especially if it’s against a major revenue-generating asset. I think you’ve got a pretty good tie-in to say these are the reasons why we’re fixing this control, or these are the reasons why we need additional budget to do this. So to me it comes down to a deprived value, running off of the nine consequences of loss. And if we can adjust those, we’re pretty good to go.
00:22:00
Speaker 2: So from my point of view, and what I have done in my past case is that, again, communicating to the board or to the top management, I have actually identified what is the board’s interest, you know, what is there really. They don’t like to hear about how many vulnerabilities or how many controls or what firewall. They are looking at the revenue, what the business is generating, what is the profit they’re making? Is it going to have any kind of operational losses that can have an impact on the bottom line? How are their shares performing? Can share value have an impact due to whatever reasons? So all those aspects, what the board is interested in, were put down on a paper. And I say, okay, now what are the security risks that can have an impact on these, you know, objectives of the organization? So what risk: now if a ransomware attack, or if there is a cyber or a DDoS attack, or if there is a kind of an intrusion happening, there could be a service interruption, there could be a loss of revenue, there could be a regulatory fine or regulatory issue. So all of these were connected. You know what, information security: now they know that these are my interests. Oh, there is an unknown threat or risk, which they don’t know, which I’m pointing out. This can have an impact on the primary objectives of the business. Then I say, okay, now, so these are the risks and this is our level of risk at this point of time. I need to bring it down if you want to have peace of mind so that you make money, you get profit. So then I have actually connected my security initiative or strategic objective of security to that. So these are the things I’m doing to bring down this risk to an acceptable level based on the risk appetite of the organization.
That is what, when Richard mentioned operational risk, I mean, as an organization, especially a financial organization, banking, there will be an operational risk management framework and enterprise risk management framework, and the risk appetite of the organization will be there, where even financial values will be there. You know, all of those bottom line figures will be there. So I connected my cybersecurity or information security risk to that operational risk management framework so that anything I’m talking about is actually talking in the same language the business understands and the management understands. It is not like, you know, gibberish or Chinese for the board, because when I’m talking high, they are not talking about high. It is maybe low for them. It has to be integrated and it has to be talking the same language. So I integrated my security risk management framework with the operational risk management framework. So whatever I’m communicating, it is actually going to the management with the right impact. They know that this is something serious. They understand that. So that’s how I was able to convey the message. I was able to get the budget. But that is not the case in all CISOs or all organizations. It’s not easy to communicate that in the language the board understands. We normally see those having technical jargon and technical language. But I think CISOs have to understand business. CISOs have to understand risk. CISOs have to understand technology. Only these three combinations can help us to make sure that we communicate the right message to the board.
00:25:40
Speaker 1: So, received loud and clear. We CISOs have to understand everything in order to get the funding. Thank you, Illyas. It’s really encouraging. Me, is there is it the same situation with people often have differing views on infosec and abstract and have stacked all the stack. Could you shed more light on whether there is a return on investment? Rich, that is not really a proper way to perceive information security. What about AppSec and DevSec? Is there any financial metric there? And how does it reflect on the risk in real life? The question was for Jasmin.
00:26:59
Speaker 2: So generally, from the company’s point of view, security is all the same for them, but it’s not the same for us. So it’s up to us to actually make a clear distinction about Infosec, DevSecOps, red teaming, blue teaming, etc. So from my point of view, the key formula of success is to actually get a good team. A CISO without a good team is nothing. So I can create any kind of risk analysis. But if there is no personnel on the operational level to actually carry out all these tasks and defend the company or actually do something for security, it will be useless. So, yes, the correct distinction between information security elements, cybersecurity, DevSecOps, and so on is important. But again, it’s up to us. We can’t simply assume that anyone besides cybersecurity will understand, for example, the difference between DevSecOps and DevOps. So it will take time to explain to them the difference between these two terms.
00:28:24
Speaker 1: How can we make sure that Infosec professionals and AppSec professionals in development companies support each other properly? And where is the synchronization there? Where is the synergy?
00:28:43
Speaker 2: Question for me? OK, yes, synchronization. Okay, now it’s a tricky one. Sometimes it’s OK, it goes smooth. But sometimes it’s hard. Okay, here’s one operational example from my point of view. For example, the IT team sometimes doesn’t understand, or they don’t want to understand, some security feature that they actually want to push. And actually, they are sometimes defending their attitude with OC, it will be a blocker to developers. So they will maybe write some emails to company boards, they will try to actually do something, but they simply are pushing hard. So again, the key point is to have security at the company’s top level. Below that, it would be really hard to actually communicate all this stuff, because if you are stuck somewhere in the middle on the same level with IT, security and so on, sometimes it is hard, it’s a push, and actually everyone else defends their positions and sometimes it doesn’t make sense. So yes, it is crucial to have synchronization.
00:30:06
Speaker 1: Thank you. Thank you, Jasmin. Troy, where do we place application security and development security in the whole InfoSec universe? And when it comes to compliance, is it a footnote or is there actually a larger focus there?
00:30:30
Speaker 2: You mean in terms of compliance? Yeah, well, I would say that compliance is a little weak on this part in general. When you think about the compliance standards, very few of them, maybe FedRAMP or PCI, even really go into, if you’re developing a custom web application, check for these vulnerabilities, right? That’s as close as you’re going to get from a compliance perspective. When you look at some of these other frameworks like SOC 2, ISO 27001, HIPAA, people don’t realize, because there’s a lot of focus on cloud security with these frameworks, right? But these frameworks were not built for cloud companies. They were built for any company of any type, whether you’re a manufacturing plant or a SaaS new tech startup; you’re supposed to be able to take these frameworks and implement your own security, right? So when they’re building these things, they’re not thinking DevSecOps and app security and information security. They’re just thinking risk, right? And it’s your job to figure out what the risk is at your particular organization and build them into it. So I think compliance falls short in this area, to be honest. Compliance isn’t going to tell you what to do here. You really have to have the right people at your company that build a culture for this. Right. And I think one of the ways you can bridge the gap is you have to implement security and shift left as part of the development process, right? You have to have it as a step in the process. You have to give people time to fix security issues. Developers don’t want to fix things, as it slows them down, because they’re trying to get something out the door because they’re getting measured on that. Right? But when the culture comes in and says no, security is also going to be a measurement that we’re measuring our team on, and we’re going to give you guys time to fix these things and we’re going to plan this out accordingly, there’ll be more synergies.
Right now it’s just development trying to push as fast as they can. Security is coming in at the last minute saying you can’t do this. They don’t like each other because I’m not going to get my bonus or whatever the case may be. Right. So there’s that going on, where they really need to build it in from the beginning and plan for it. And I think that would help. But I just think there’s a lot of move as fast as we can, and security is always going to be that blocker unless the culture changes.
00:32:45
Speaker 1: There is a lot of truth to what you’re saying from my perspective. But you have made a point in mentioning the cloud companies; in particular today, software-as-a-service companies are on the rise, and a lot of them are tied to cloud operations as opposed to the standard on-premise operations that have been more the trademark of the past. Richard and Illyas, you both have extensive experience with various companies. What’s your take on companies transitioning more towards the cloud and leaving on-premise? Does it increase the risk, decrease the risk? Or is there some third option that stimulates the companies in that direction? Maybe Rich and Illyas.
00:34:00
Speaker 2: Yeah. So I think the movement to cloud and cloud technologies is a lot less risky for organizations. And I mean that because this technology, quote-unquote, that we call the cloud was mostly built upon security initiatives before we even started. I think where the fear has derived from was our regulatory agencies and regulatory bodies that really didn’t have a deep understanding of the differences between on-prem and cloud-type services. So I see organizations, even on the government side, moving to cloud operations because of the very nature in which now you can build software developers into this, you can get software bills of materials. Many of the platforms, as Troy had already mentioned, are SOC 2 Type 2 certified or FedRAMP certified, depending on where they are. So I think from that perspective, organizations that have made the decision to move to the cloud are finding efficiencies, they’re finding cost-effective measures, and they’re able to get better talent than what they’ve had for on-premise. So that’s my 2 cents on why they should move to the cloud.
00:35:15
Speaker 2: So from my perspective, I want to connect your previous question to this also. So all those jargons and terminologies of different names of DevOps or DevSecOps or API security, all of that are relevant. But at the end, you know, the biggest problem I have seen in organizations around security is there’s no single accountability and authority. You know, whatever it is now, maybe the execution is done by IT or developers or the infrastructure team or the information security team, but there has to be one person in charge of the whole end-to-end, you know, information security, because security is about the protection of information and services. That’s the ultimate objective. You know, it’s not about the protection of the server or the PC or the mobile or any system. What we are trying to protect is the information that is lying there or the services that we are offering. So that objective is the key objective; anything around that, whatever development is happening, whatever infrastructure is there, whatever people are there, the information security pieces should come down. I mean, it has to be kind of, what you call, cascaded to the bottom. Now, coming to the cloud also, the same thing is applicable now. Although I agree with Richard on certain things, there may be a little bit of difference. What I feel is that cloud is good if the cloud provider and the organization have a proper security mechanism in place. Because unless you have a proper cloud strategy and cloud security strategy, if you don’t have that, then your moving to the cloud could be a disaster. You know, you don’t know what is going to be wrong. Configuration mistakes are, you know, one of the biggest reasons for a lot of cloud compromises.
API security, for example: if APIs are not protected properly, that could be a disaster because you don’t have any visibility, or at least in your eyes, maybe, you know, you lock the door and then you have some kind of protection, but you are putting something out and you don’t have visibility, and the cloud provider is not serious on security. And they may be having the technical solution, but they don’t have the right process. If they don’t have the right trained people, then you are going for disaster; that is applicable on-premise or on cloud. So what I say is that the security strategy has to be very comprehensive, very tight, covering people, process, technology, and it has to be applied whether it is on-premise or on cloud or when you’re moving to cloud. Because many times what I see is it is like a complete shift and lift approach, you know, lifting the whole servers to the cloud; then the cost benefit also would be, you know, kind of nullified, and you are not getting the benefit of cloud, but you are, for the sake of saying, on cloud. You know, it is what I have seen in many places. But yes, now cloud-native applications moving to cloud with the right security environment, that is something which is good for faster service delivery and also having better security control, because you can have a lot of native security services in the cloud which can be enabled quickly rather than you buying and installing in your on-premise environment. So there are a lot of pluses, but you need to do it the right way to get the best out of cloud and cloud security.
00:38:46
Speaker 1: Thank you. With those trends that we're seeing in moving from traditional towards more modern solutions, we also have to take into account not just the technology, but also the health of the people and the way they are formed, particularly the young people, the way they are formed to take on the mantle of security champions. We actually have questions here that I believe would be interesting to you. There are two questions, but they are related. Will a security champion program help the security team and the development team? And the other is: I'm just an observation student, but I'm interested in how we scale the concept of security champions beyond the abstract to include GRP and cloud. I share the question, and I am interested in exploring ways to expand the reach of security champions in this way. Do you have any ideas for best practices that you have seen work in your experience as a CISO? Rich, how do we create a cybersec or infosec terminator capable of adapting to any situation and tackling everything from A to Z?
00:40:15
Speaker 2: Yeah. Great, great questions. And Jasmin, I apologize for jumping in on you previously. In my opinion, you know, at many of the larger Fortune 100 companies where we've had development groups, etc., a security champion is very valuable. It also requires the CISO or the security organization to think about how they do training, from a corporate event, for developers, to help them understand why we're asking them to do the things we're asking. I think with some of the new concepts for compliance coming out of the government, having a software bill of materials is going to begin to help transition that point from security to development. I think best practices would be taking our regular scanning activities and vulnerability assessments and identifying which groups or which programmers continue to have those same trends. So I think, from a trending perspective, a champion begins to create that sort of confluence that you're looking for.
00:41:30
Speaker 1: Thank you. Jasmin, in your capacity as a professor, you're basically raising an entire new generation of youngsters who are going to replace the geezers. So could you give us your perspective on this question and on the rise of infosec in general?
00:41:56
Speaker 2: Thank you. No pressure on me now. Just my 5 cents on this: the security champion is a great concept. Security awareness trainings, security phishing trainings, to actually see how the company stands on the line of defense, are a good example to identify the persons, or many of them, and to actually give them some kind of medal, a security medal, to actually show them to the company and say, these are the boys and girls who are actually right in this part. Now, from the angle of teaching: I've been teaching for the last 20 years, and the courses are about cybersecurity, infosec, database systems, privacy and so on, compliance. I'm always fascinated how willing young people actually are to learn. But there's an issue there, where these young people from the universities and different training programs actually come to real-life examples, real-life jobs, and they actually poison them with the deadlines, with all this stuff, and they have to put cybersecurity on the side. So now let's take my company: we run app tests, pen tests on the product, and then we try to identify the teams with the lowest score on vulnerabilities, especially the critical and high ones, to actually give them some extra bonuses, maybe something on the salary. So something from the client side. So yes, we recognize the champions with best practices, with the correct mindset, with the awareness perspective, to actually push security forward inside the company. Not just in one department, but in the whole company. Because we are one team; we don't want cybersecurity on one side and all the company on the other side, so that we are enemies. We don't want enemies. We want to be together on this train. So that's the point, in my opinion.
00:44:19
Speaker 1: Thank you, Jasmin. Troy, we're told, with all the focus on young people, education and comprehension of the standards and understanding of how things work in relation with the international standards: where is the greatest benefit for the young people and for the new practitioners? Are we talking about an emphasis on practice, which may be trumping standards, or are we talking about stricter adherence to standards, which are then channelled through the practice?
00:45:07
Speaker 2: Yeah, I mean, I think that's a hard question, but, if I understand the question correctly, there's always going to be this kind of balance between regulators requiring stricter controls versus business. There's always this weird thing, right? Businesses, no matter what the framework is, they're going to say it's not going to be enough, right? Like, I don't know what to do, this isn't specific enough; or it's going to be too specific, and then they're going to complain: why do I have to do this? I don't understand how this is helping my business. So there's always this catch-22 with all the different frameworks and standards out there. So it's really hard to find that balance, right, between compliance versus what they should be told to do. When you get into the government, for example, if you look at NIST 800-171 and CMMC, in the government's opinion it's their data, right, that you're receiving; it's controlled unclassified information. This is a national security risk. You are going to do what we tell you to do with that data, right? We are going to be strict about it, and if something doesn't make sense, tough. This is how we identified the risk for you and told you the controls you need to put in place. Right. But when you look at these…
00:46:27
Speaker 1: So that's where compliance trumps standards, trumps practice.
00:46:34
Speaker 2: Well, in that case, if I'm a business owner, right, and I work with the government, and the Department of Defense is 80% of my revenue, well, yeah, we're going to do whatever they tell us to do. If it's only 10% of my revenue, that's going to be a different discussion internally, right? Because now 90% of my revenue doesn't care about 800-171. They care about SOC 2 and ISO. So now I've got to figure out how I'm going to get these two together, because those are very high level and these ones are not, and this one may cost me more to implement, but it's only 10% of my revenue, right? So this is where the business discussion and the compliance discussion come in, and you really have to have the right people that understand what the frameworks require and can speak to it. It's similar to security, right? Like what we were talking about earlier, about security presenting, we need that for compliance. People need to understand business risk too, and be able to speak with the business in the terms they understand as well. You can't just say SOC 2 Type 2, we need to do that. They're going to be like, what are you even talking about? I don't know what that stands for, right? So you really need to speak from both sides of your mouth and know how to have those intelligent discussions. And sometimes compliance will trump it, because you need to win the work and you need to keep doing your business, and it's your revenue. It's unfortunate that sometimes that compliance won't lower your security risk. That's a different discussion; we could talk all day about it. But, you know, if you're a startup and you're trying to win work, and your big customer says you need to do SOC 2 and ISO, guess what we're going to focus on as a business? What do I need to do to get that done right now? We'll worry about what actual security is later on. We need to survive and thrive here. So that's what we're going to focus on.
00:48:09
Speaker 1: Oh, now, as a CISO, I take umbrage at the idea that we startups and developing companies are placing compliance before security. But then again, maybe that's your general experience.
00:48:35
Speaker 2: No, no, it's not. Yeah, it's not all startups. I'm speaking in generalizations, right. So it's not.
00:48:39
Speaker 1: Every generalization is dangerous, even this one. So let's see. I'd like to take the opportunity, while having you here and while the backstage is warning me about time, to ask each of you a question, because who better to answer some of those? I'll start with Illyas. Illyas, where is the future? They're all going to be about the future, really, so prepare your crystal balls. Illyas, where's the future of infosec?
00:49:23
Speaker 2: See, when my daughter wanted to pursue her higher education, she was confused about which field. She didn't want medicine, and she wanted to explore. So I said, you choose the right one, but I will suggest to you, I will place you. And I took her to my office and put her with my different teams. And I told her, you know, whatever technology development happens, whatever the world changes, blockchain or metaverse or anything that comes, the one field which will be there, and which will have a lot of demand and a lot of opportunity, and a lot of passion you can have, is information security and cybersecurity. Because whatever comes, there is a security element. Now, if you have cloud or you have blockchain or you have crypto, whatever you have, there is information security, and every organization, every individual will have a dependency on the right information security controls. So what I would say is that it is maturing, but the pace at which technology is changing, even after COVID, the way organizations adopt technology, has again increased exponentially. And there is so much adoption of cloud and other latest areas. So the risk is increasing again, because, again, now more new users are coming into the field, new organizations are coming, so there are actually less aware people. So risk will increase. But, you know, technology adoption is increasing, and similarly, information security is also maturing more and more. And the regulations, the privacy and security regulations, are tightening up in many areas. In many countries there are more regulations coming, so the requirement to have the right security will increase. And this is like a cat-and-mouse game. Always, those who are putting in the best effort and who have a bit more thoughtful approach, they will be able to survive. And you cannot avoid incidents. You cannot avoid security breaches. It's about how you manage, you know, before and after.
Now, if you do the best and then something happens, how do you manage it systematically and professionally in a timely manner, so the impact is less, so, you know, the risk and the impact on the business is less by managing it well? So I think the approach has to be that way, and that is the best approach, and that is, I think, what we call building resiliency into everything we do. Going forward, I think that should be the best approach to adopt.
00:52:03
Speaker 1: Thank you. Now, I hope that we take good lessons from what you stated, and I hope the business has heeded it, and particularly the professionals who are stepping onto the scene. Rich, briefly, because again we are receiving warnings about time, where is the future of infosec education?
00:52:33
Speaker 2: Great question. I think the future of infosec education is actually a combination of not just an information security program, but the confluence of other programs. How many business students take a cybersecurity course? How many law students take a cybersecurity course? This is how the next generation is going to win this cybersecurity problem, which is through education. And we don't have that today in any of our academic institutions, where we get electives in taking English or taking theology or some other requirement, but yet we haven't made it an elective to take cybersecurity. And I see Jasmin shaking his head, so I'm going to stop there, because I know he's going to say a lot more. For the majority of people, specialization in the infosec practice field is going to take us to that level. Today we act like we are, let's say, plumbers, right? So we have apprentices, we have journeymen and we have masters in their own little specialty. We need to move that to exactly what medical doctors, law firms and CPAs are doing, where they specialize in a particular field within their industry, but yet they are very much board certified or industry certified for those. So that's where I think, from a practitioner perspective, we've got to move to. And then from a generalization perspective.
Speaker 1: So thank you. Where is the future of compliance, Troy? How do we survive the requirements?
00:54:16
Speaker 2: It's just going to get worse. Governments across the world are averaging; I mean, from a regulations standpoint, yeah, I just see it becoming a huge burden, especially for larger companies. I mean, Meta set aside $2 billion for privacy violations, 2 billion just for privacy violations, to pay those off. It's an investment in their eyes. We've got to invest in this to collect data and use it the way we want to, to make more money, right. It's only $2 billion; they'll make more money on how they use the data. So, I mean, I hate to say it, but yeah, unless you're one of those types of companies, you might not be able to, you know, afford the burden, right? Only the bigger companies will. Governments are not taking this lightly anymore. Just like crypto is going to get regulated because of FTX, that's going to happen with cybersecurity more and more.
00:55:19
Speaker 1: So thank you. Thank you, Troy. Governments are looming; let's go through it as best as we can. Jasmin, what's the future of AppSec?
00:55:33
Speaker 2: Oh, tough one. The future. Actually, I'd like to see a combination with, and help from, AI. I know all this; ChatGPT hit a couple of months ago, and last month actually gave me an idea that AI should be a really cool tool in security. Why? For example, there is some risk in dealing with, let's say, last year, I believe for all of us: remote working, supply chain attacks, staffing issues, your own devices, rogue content. All these risks are kind of hard to get into one place and analyze. So it takes time, it takes the people, it takes the power. But simply there is no power, there's no money for this. So in combination, all these cloud tools and logs will actually give me information at the time something is going on in your data: pay attention. Yes, yes, yes. Right.
00:56:36
Speaker 1: Okay. Thank you. Thank you, everybody, for your extremely valuable input. You were a wonderful set of panelists; really, I didn't have any doubt about that. I hope that we have managed to tackle some of the open questions as much as possible within 60 minutes. I would like to conclude this with a remark from our chat. It says: because they have a bad habit of fearing audits more than actual attacks, they spent many years milking software at low cost and implementing maintenance and security on a best-effort basis, and today they finally wake up to implement security seriously. And also: I think the problem with big corporates is quite complex; there are a lot of rules that bind people and prevent them from forming quick reactions to issues. So those remarks also deserve to be taken into consideration, and along with the valuable inputs that we received today, they will hopefully form a good basis for infosec development in the future. Thank you once again, in the name of our attendees and in the name of Bright, and also thank you, attendees, for being so attentive and delivering some very, very good questions. We'll see each other, hopefully, again in similar events, and I wish you all the best in your further endeavors.
00:58:12
Speaker 2: Thank you so much.
00:58:14
Speaker 1: Thank you, guys. Thank you.