Moderator: Dave Baumgartner, Principal, Advisory, Cyber Security, KPMG in the U.S.
Scott vonFischer, Chief Information Officer, Lyondell Chemical Company
Jed Young, Chief Information Security Officer, Andeavor
Zeeshan Sheikh, Chief Information Officer, Entergy
“What we’ve got here is failure to communicate.”
As moderator Dave Baumgartner, principal, Cyber Security, KPMG in the U.S. said, there’s often a communication gap that exists as an initial barrier in conversations around cyber resiliency. Most directors, C-suite executives and business leaders typically don’t have technology backgrounds. Conversely, information security professionals usually haven’t spent their careers running lines of business.
“There’s a common question of how we get to a place where we can communicate effectively with our leaders,” said Baumgartner. “A big part of the reason that this communication gap exists—and this really gets to the challenge of being resilient in the face of a cyberattack—is the constant change we are all experiencing. We’ve heard over and over that threats are changing, technology is changing, but the big change now is the move from the traditional waterfall development model to an agile development model, which means we have to work to enable security from the beginning.”
An investment today in tomorrow’s cyber resiliency
The panelists suggested that security leaders should invest now to help close some of those gaps and help ensure that their businesses are resilient to cyber threats, and they also highlighted some of the critical success factors. And while there are resource challenges, ultimately what this scenario has created is a prioritization challenge.
“Virtually every company has experienced a cyber event to some degree, which often leads to a discussion-based tabletop scenario in which existing plans are examined and assessed. But that’s not enough,” said Zeeshan Sheikh, chief information officer, Entergy, adding that a cyber response plan should be part of a company’s overall crisis response plan.
“Tabletopping, in my opinion, is great for developing a procedure, but not actually gauging effectiveness of an organization’s response,” he said. “Part of developing that resiliency is putting yourself in an actual cyber response position, rather than a simulation. From experience, you will see how your resources operate under duress and you will quickly find out where you have blind spots. You’ve got to live it.”
For Jed Young, chief information security officer, Andeavor, achieving resiliency is an ongoing, four-pronged effort. “Fundamentally, there is a bit of identification you have to do, a little bit of prevention, and a little bit of detection,” he said. “And then there’s that response—you have to be ready to respond. Resiliency requires some level of investment across all four of those areas. There has to be some level of investment in making sure that we understand that our adversaries are out there gathering information about us. They are identifying our weaknesses.”
What’s keeping you up at night?
While the session focused specifically on cyber resiliency, the topline theme was overall business resiliency.
Industry chatter around resiliency really started to accelerate in the aftermath of last year’s cyber event that affected global shipping giant Maersk and its logistics arm, Damco, which experienced a ransomware attack. The impact was deep and broad: the company had to proactively take about a third of its businesses offline for approximately four weeks to deal with the internal technological disruption.
“We have to continue to have robust resilience controls and security around the digital assets that are controlling physical processes,” said Young, referring to attacks targeting a Saudi refinery’s safety systems announced in late 2017. That attack not only focused on business systems and Internet of Things devices, but on the very system that was controlling the refinery’s physical process. “What keeps me up at night is the level of sophistication that is needed to be able to carry out those attacks.”
“What we have today is a lot of technology that has a higher vulnerability because it’s interconnected with everything across the supply chain and it shouldn’t be,” said Scott vonFischer, chief information officer, Lyondell Chemical Company. “What keeps me up at night is thinking about decisions that were made in a certain context years ago that have not been updated for today’s interconnected world.”
Tips from the pros
The panelists also took a few moments to offer some simple yet powerful cybersecurity tips—not necessarily as business people, but as citizens of the world we now live in.
Dave Baumgartner—“If you have an account with any online retail site or social media platform, you’ve got to think about ATO, which stands for Account Takeover. The advice is to get a password manager app for your phone and use strong passwords and different authentication methods. A single press of a button will take you to any Web site you use that requires logon credentials while keeping your information off the ‘dark web.’”
Scott vonFischer—“I’ve been a strong proponent of multifactor authentication for a really long time. Today it’s so easy that it’s almost embarrassing if you’re not using it. It’s so simple and prevents account takeovers because the hacker needs your phone information as well. That’s something I’m pretty passionate about. Definitely do that on any social service or shopping site.”
Jed Young—“For security and compatibility, update your device’s operating system every time you can. Those user interface changes can be inconvenient, but just update every time. That’s just a global message that anyone can do and it’s really painless.”
Zeeshan Sheikh—“I travel a lot for work. If you’ve ever had your credit card stolen and you’ve also got that card linked to recurring payments, it is a nightmare to have to go back and change it for all those different accounts. So, the card I use to do recurring payments is different than the card that’s in my wallet. Just assume you’re going to have a credit card stolen at some point and protect yourself—and turn those alerts on.”