Since our dedicated IT Risk Advisory and Cybersecurity professionals are so heavily involved with ISACA, I jumped at the opportunity to attend the annual ISACA Pittsburgh Information Security Awareness Day to learn more about their world.
Though I came to the conference as an infosec newbie, 2023 happened to be a great year to get my feet wet. There are several reasons this is a fascinating time to be paying attention to the world of information security.
“Era of Transparency”
The day kicked off with a keynote address from Facebook whistleblower Frances Haugen. She talked us through some recent legislation and litigation and explained how they are transforming the expectations of transparency from organizations moving forward.
Legislation
Both the European Union (EU) and United Kingdom (UK) have recently passed standard-setting legislation. For Haugen, the silver bullet of both the EU’s Digital Services Act and the UK’s Online Safety Act is that they alter the incentive structure for social media companies. By requiring regular disclosures, both pieces of legislation effectively build transparency and accountability into an organization’s governance structure, which gives companies the freedom to take the short-term loss of, say, a teenager’s social media click for the longer-term gain of maintaining compliance.
Litigation
Haugen also cited the recent suits 41 states brought against Meta for knowingly endangering children and teenagers, as well as the recent ouster of Sam Altman from OpenAI, as the beginning of a new “era of transparency.” Expectations of companies are changing and, according to Haugen, we can expect more whistleblowers and regulations going forward as the “black box” mentality becomes less and less acceptable.
My main takeaway from her talk was that organizations must proactively develop stronger audit processes and internal controls to prepare for the world Haugen envisions—where “lies are liabilities.”
Opportunities for Women
Another exciting development in the information security world is the increasing number of women seizing opportunities to get involved. Later in the program, the conference audience heard a panel of women from One in Tech, an ISACA foundation whose mission is to increase awareness of barriers and foster opportunities for underrepresented groups to join the tech world.
The panel discussed how mentorship, sponsorship and allyship—from both men and women—were critical to shaping and enabling their impressive careers. They explained how, since more women have entered the field, there are more opportunities for female mentorship. And, in the wake of COVID and as conversations are changing around DEI, there is more opportunity to find flexible and supportive leaders who prioritize keeping their top talent.
Threat Actors are Adapting
Schneider Downs’ own Stephen Bish gave a talk on the current state of the cyber world and shared some insights into the tactics he’s seeing threat actors gravitate towards in 2023. A takeaway I found particularly surprising is that cyber criminals are responding to the increasing sophistication of cyber defenses by becoming…less sophisticated.
Stephen explained that he’s beginning to see threat actors dipping into more manual hacking tactics and relying less on automated approaches that are more likely to be detected and prevented as companies become more aware of cyber risk.
In the same vein, Stephen noted that while “switching off” defenses may have been a go-to tactic for the threat actors of the past, this is more often a technique of last resort for today’s cyber criminals, who know that it would likely blow their cover in a more cyber-savvy world.
Innovative Approaches to Best Practices
As Stephen emphasized in his talk, every organization, of any size and within any industry, is a potential target for cybercrime. To help organizations shore up their defenses, therefore, several speakers at the conference focused on best practices.
Training
Since an organization’s people or “wetware” (a term I had never heard before) are its greatest vulnerability, several speakers justifiably spent a lot of time talking about training.
- Dr. Bob Hausman, of Proofpoint, explained how to harness neurological insights into learning, motivation and retention to structure internal information security programs.
- Gregory Touhill, current lecturer at Carnegie Mellon University and the first Federal CISO for the U.S. Government, emphasized the importance of investing in hardening the workforce over hardening tech, and he described a creative twist on phishing simulations he used in the military.
Governance
As several lectures stressed, good information security policy starts at the top. Some speakers, like Frances Haugen, highlighted the importance of building transparency into governance. Others, like Gregory Touhill, underlined the necessity of frequent and regular communication between technical teams and leadership. And Jon Zeolla of Seiso outlined some innovative strategies for writing good policy and avoiding the common policy pitfalls that might lead a company to fail an audit.
Artificial Intelligence
Best practices surrounding artificial intelligence (AI) were, of course, on everyone’s mind at the conference. The One in Tech panel detailed some safety considerations organizations must keep in mind when deciding whether to adopt or prohibit the use of AI. And, on the topic of AI safety, Sanjay Chopra of Cognistx talked about the limitations of LLMs like OpenAI’s ChatGPT and Google’s Bard and explained how truly safe organizational AI tools can be transformative, but are slow to implement.
It seems that true deployment of AI tools will march to a beat much slower than the one I’ve come to expect after the rapid explosion of interest following the release of ChatGPT.
I feel incredibly fortunate to have attended the ISACA Pittsburgh Information Security Awareness Day. Though I certainly was no help to my team in “InfoSec Jeopardy,” at the end of the conference, I do think I learned quite a bit about the exciting and changing world of information security. I can’t wait to learn more.
About Schneider Downs Cybersecurity
The Schneider Downs cybersecurity practice consists of experts offering a comprehensive set of information technology security services, including penetration testing, intrusion prevention/detection review, ransomware security, vulnerability assessments and a robust digital forensics and incident response team. In addition, our Digital Forensics and Incident Response teams are available 24x7x365 at 1-800-993-8937 if you suspect or are experiencing a network incident of any kind.