There's an avalanche of security tools available to help companies protect their assets: intrusion detection systems, endpoint security tools, anti-malware network tools, authentication, authorization and encryption tools. The list goes on, including emerging technologies such as artificial intelligence and machine learning tools that can identify and act on patterns of malicious behavior. In the end, a CISO has to cost-justify these investments to the CEO and the executive committee and quantify their anticipated impact.
While there is a myriad of technologies that CISOs should at least have on their radar screens, shrewd CISOs also recognize that there are incredibly useful techniques that can also help their security teams to protect the enterprise more effectively.
To examine these issues more closely, HMG Strategy recently caught up with two security leaders who will be participating at HMG Strategy's upcoming 2018 San Francisco CISO Executive Leadership Summit on March 16 at The Fairmont San Francisco: Tim Mather, Chief Security Strategist at PatternEx, a San Jose, CA-based provider of "Analyst in the Loop" artificial intelligence detection software; and Todd Barnum, CISO at GoPro Inc.
At PatternEx, Mather and his team make use of "inside-out" security techniques that rely on beacons and other technologies to detect security vulnerabilities from both the outside-in and the inside-out of data centers and other high-value areas.
"There's this huge proliferation of tools to try to secure the enterprise, which leads to fragmentation," said Mather. "The question that the CEO and the CFO are going to ask is 'I'm spending all this money - how effective is our security program?' For most companies, it's pretty ineffective." By comparison, inside-out technologies and techniques "can help cyber teams to detect vulnerabilities they weren't even aware of," added Mather.
One attack simulation provider that has caught Mather's attention is SafeBreach, a Sunnyvale, CA-based breach and attack simulation provider whose platform simulates adversary breach methods across the entire kill chain without impacting users or a company's infrastructure.
Another attack simulation company that's caught Mather's interest is CyCognito, whose attack simulation platform requires no installation or corporate resources.
Meanwhile, an increasingly popular crowdsourcing technique is the use of bug bounty programs which enable CISOs and their cyber teams to have hundreds if not thousands of freelance cyber sleuths test the security and potential vulnerabilities of software and other technologies in return for compensation and/or recognition.
"I believe bug bounty programs are the most revolutionary development that's occurred recently," said Todd Barnum, CISO at GoPro Inc., who will also be speaking at the 2018 San Francisco CISO Executive Leadership Summit. "It has completely replaced our traditional pen test (penetration testing) activities. The researchers working for our bug bounty company run their custom tools against our assets and discover so much more than a couple of pen testers would find. I get hundreds of researchers pen testing my system/app, producing much better results at a fraction of the cost."
For example, let's say your company is planning to roll out a third-party mobile app to its customers. Instead of conducting a barrage of vulnerability tests against the mobile app, a bug bounty program can be used to place the app in the hands of hundreds of app pen testers to inspect the app for vulnerabilities.
Other creative approaches Barnum takes to stay on top of the latest cyber security developments include a "Free Lunch Friday" program, whereby a vendor is invited to come to GoPro's offices and demo their product or service to the IT department.
"We get a free lunch and if we like what they're doing, we look into it. This allows the team to see what's happening in the marketplace and to be part of the discussion on which tools we take to proof-of-concepts."