Are organizations moving beyond the IT department and software solutions to achieve a higher level of cyber maturity? It’s a topic that will be explored at threatLAB 2016, Feb 1-3, by Jason Tugman, Enterprise Security Assessment Program Manager at TSC Advantage. threatLAB asked Tugman for a preview.
threatLAB: What is your presentation “Trending Vulnerability and Resilience Data – Findings from the Field” about?
Jason Tugman: This year will be threatLAB’s third iteration, and I think it will be really exciting to dig into the enormous amounts of data we’ve been able to collect over the course of the last two years performing holistic cyber assessments on customers within the U.S. critical infrastructure segment and the Fortune 1000. This is especially true because now we can start to trend that data year over year, as well as share with our attendees what our data is telling us. For example, in 2014, cyber breaches in the news began to really capture the attention of the C-suite and boards of directors. In 2015, we’ve seen an expansion of IT budgets and a demand for controls against these emerging threat actors.
threatLAB: That sounds like a positive trend. Would you agree?
Tugman: Yes and no, because a lot of organizations purchase new hardware to solve network security issues; however, what we’re finding is that these are not necessarily network security issues but instead are asset security issues. That difference is incredibly important and is something we will spend a good amount of time on at threatLAB 2016. With that said, what we’re seeing in the data we’ve collected and from the community of people we’ve been talking to the past year shows a change in voice. Three years ago the conversation was about cybersecurity. It’s been fascinating to witness a transition from cybersecurity — network security — to cyber resiliency.
threatLAB: What is the difference between the two?
Tugman: Cybersecurity is the piece parts, the IT functions that make up the security of your organization. They’re like the “guards, gates and guns” of physical security. Cyber resiliency is really understanding how cyber fits within the risk structure of your enterprise. It’s a change in tone, a transition of thinking. Identifying cyber vulnerabilities is plugging holes in a dam. Cyber resiliency is more akin to building the dam itself.
Think of it this way – cybersecurity is predicated on keeping all external threats out through fortifications and controls. Cyber resiliency is predicated on the fact that no controls are perfect and could fail. So in addition to fortifications, what resilient functions are you putting in place to detect, correct and recover with the least amount of damage in the event that a breach does occur?
threatLAB: Why is it so important to approach cyber threats this way?
Tugman: Our data shows there is a clear correlation between an organization’s effort to adopt a wider cyber governance framework and its ability to recognize and mitigate risk. threatLAB attendees have been asking us to speak more in-depth on the philosophy that helps guide TSC Advantage and its assessments. The absolute difference between cybersecurity and resiliency is that cybersecurity is a big circle function and cyber resiliency is a small circle function. You will ask, “What is the difference?” To really understand what that means, I will see you in Florida!
Attend threatLAB 2016, Cyber Risk 360° to accelerate your cybersecurity strategy and learn more from a cross-section of cyber experts. Feb. 1-3 at the Streamsong Golf Resort & Spa in central Florida.