The need to develop “collaborative defense” strategies — by engaging partners, vendors, and internal constituencies in cybersecurity operations — was the core theme of the Advanced Cyber Security Center’s Annual Conference held November 3 at the Boston Federal Reserve.
Noting that there’s a growing urgency around cybersecurity, Ken Montgomery, the first vice president and chief operating officer at the Federal Reserve Bank of Boston, stressed the need for collaboration as well as the economic implications for the region in emerging as a cybersecurity leader.
Keynote speaker Richard Puckett, VP – Cybersecurity, Product & Commercial Security, GE Digital, described GE’s initiatives to engage its cloud vendors to get a grasp of its “shadow IT” – the variety of data storage handled by third parties.
Puckett said GE realized it was too dependent on its cloud services providers and stopped treating them like vendors, treating them instead more like partners. “We knew they were crucial to our survival,” he said.
Puckett explained that GE met with providers individually at first and then brought them back as a collective. “We asked them, ‘How should we sensor your environments?’” he said.
By partnering with its vendor Amazon, GE developed “virtualized sensor functionality” for the cloud. GE also swaps operational teams with its cloud providers, finding it works well for both GE and the vendors.
“It’s fascinating the speed of those teams when they began to work together to solve common problems. Because once they had line of sight to it, they had great ideas,” he said.
'We're tied at the hip'
The broader challenges of developing effective collaborative defense approaches were the focus of the conference’s first plenary panel. “More than you think, we’re tied at the hip. Because of the business I’m in, at any given moment there’s a high probability that a lot of my information is on one of my peers’ networks. And a lot of their information is on one of my networks,” said Mike Papay, Vice President and Chief Information Security Officer, Northrop Grumman.
The panel, which also included Michael Darling, Director, Cybersecurity and Privacy at PwC, and Puckett of GE, agreed that ISAOs (Information Sharing and Analysis Organizations) and ISACs (Information Sharing and Analysis Centers, which are industry specific) have value, but that the value they provide varies widely from one to another.
To fulfill the potential of collaborative defense, there’s a need to move beyond threat sharing to more strategic actions. “The immediate often drowns out the important,” said Darling. “The next piece is how do you take joint actions, how can you do things together … where we’re actually having an effect.”
Also, large companies with sophisticated cyber defense operations need to take the lead to develop awareness and compliance with smaller companies and vendors, said Puckett. “There is a social responsibility of the bigger organizations to give back, lending knowledge, experience, or expertise,” he said.
One size fits all for compliance?
The conference’s second plenary session, “Raising the Accountability Bar: Cyber Insurance Standards and Regulatory Initiatives Under a New Administration,” explored the role of regulators and the emergence of cyber insurance products in bringing about new levels of compliance and cyber awareness. The panelists — Phillip Larbey, Head of Sector Cyber, Information Security Division, Bank of England; Adam Sedgewick, Senior Information Technology Policy Advisor, National Institute of Standards and Technology; Gregory Vernaci, Head of Cyber US and Canada, AIG — discussed the important interplay between government and the private sector in creating meaningful compliance frameworks. Two pressing questions: Does one size fit all in applying compliance standards? And will the insurance industry drive compliance by refusing to insure some companies that haven’t met standards? The panel was moderated by Melissa Hathaway, President, Hathaway Global Strategies and former Acting Senior Director for Cyber Space, National Security Council and Director, Joint Interagency Cyber Task Force.
The conference also featured breakout sessions on talent and training, up and coming startups in the Boston area, and a deeper dive into the challenges of building effective collaborative defense operations.
In the talent and training session, the focus was on creativity and flexibility in hiring and training given the shortage of cybersecurity talent. Six promising Boston-area startups pitched their products and services, offering a variety of security solutions. The collaborative defense session focused on the value of building trust and building on successes in collaborative defense.
Massachusetts’ potential as a cybersecurity hub was explored by ACSC Chairman William Guenther in an outline of an upcoming white paper that makes recommendations to leverage the region’s considerable resources. ACSC's white paper on the potential of the cyber cluster will be posted on the ACSC website soon.
Attendees also were treated to student poster presentations on cybersecurity research initiatives. Larry Wilson, Chief Information Security Officer at the University of Massachusetts President's Office, emceed the presentations from 10 projects. The two winners: How we controlled all smart plugs of a known company! by Chao Gao, a graduate student at UMass Lowell and Raspberry Pi Network for Cybersecurity On-the-go by Andrew Liberatore of MassBay Community College.