This week I've had the opportunity to head off to the National Information Security Conference 2017, or NISC for short. This is a great conference held annually at the same location just outside Scotland to discuss Cyber/Information Security; it's definitely one I would recommend to colleagues. What I like about this conference is that there is a good balance between guest speakers and vendors, but there is no hard sell as with other conferences.
This year, for me, some of the key discussions were around how different companies approach implementing information security culture within their businesses. Needless to say, there has been much discussion about GDPR and what we as custodians of employee and customer information should be doing to protect it.
Sure, there's been plenty of talk about the latest shiny black box and how it will help defend against attacks; however, fundamentally security really is about a mindset. This mindset isn't something that should just apply to me, or Tech, or Counsel, but it's something we all need to consider.
One of the most amusing presentations discussed why a cyber crime against a business ends up with the victim being investigated, fined and blamed. If you think of the Hatton Garden Heist, this isn't something that would have happened with conventional crime. Would an insurance company really ask why their defences were only so good, and why they hadn't installed the latest technology to defend against some old men and some drill equipment?
Another talk went through the history of cyber defence from antivirus, to firewalls, to intrusion detection, to machine learning. Again, as with many of the other talks, it was highlighted that we need to stop worrying that we aren't using the latest technologies, that we're not focusing only on the latest breach and vulnerabilities. All of us need to be looking at the bigger picture, i.e. what risks and threats face the business as a whole, and understand how we can mitigate them.
The talk from Europol was incredibly insightful, helping me understand as a security professional what they are doing, in conjunction with other authorities around the globe. Understanding what they analyse, who they share information with, how they reacted to the recent WannaCry ransomware attacks and how they worked with both other countries and businesses within those countries goes to show that there is a larger joined-up effort in place than I previously realised.