The 2nd Annual DePaul Cyber-Risk Conference was held Dec. 1, 2015 at the DePaul University downtown campus. The conference is jointly sponsored by the DePaul Driehaus College of Business, the DePaul College of Computing and Digital Media and the DePaul College of Law. Approximately 100 attended.
The first panel included a computer information security officer, a cyber attorney and a cyber insurance underwriter discussing the cybersecurity landscape. Despite different points of view, several matters were agreed upon by all. Cybersecurity is constantly evolving and the threat from within an organization presents the greatest risk. Unfortunately, smart people do silly things, and the only hope for prevention is training and experience.
Included in the threat from within is the manner in which a firm handles its third-party service providers. It is estimated that two-thirds of all security breaches are accomplished through a firm’s service providers. It is critical to vet these third parties and make sure that they share your values where security is concerned. You should include in your contracts with third parties provisions for monitoring, testing and notification when a breach occurs.
The keynote speech was delivered by Brett Williams, Major General USAF (retired). General Williams began his military career as an F-15 pilot and ended it as Director of Operations, U.S. Cyber Command. General Williams made reference to the Prussian General Clausewitz, who believed that war was enduring and that techniques evolve. Warfare hasn’t changed, and cyber is just a new technique to project power.
As in most compliance and risk matters, developing a proper culture begins in the C-Suite. The CEO and Board need to become educated, so that they can make the same informed decisions that they make in all other areas of their business. General Williams pointed out four key areas that an organization’s leadership must concentrate on: 1) Staying current with industry best practices. 2) Driving the enterprise’s culture of awareness from the top. 3) Clearly defining what critical data is and who can access it. 4) Educating your employees and giving them experience through training exercises.
The third panel of the day focused on public/private collaboration and, in particular, who should be notified when there is a cyber event. It was suggested that after notifying counsel, notifying the FBI or Secret Service can provide you with some credibility as the event unfolds. It also can provide some breathing room before you are required to notify your customers. It was noted that ongoing breaches should not be disclosed on industry information sharing sites in order to preserve legal privilege.
The final panel of the day discussed the future of public/private collaboration and cybersecurity. It is clear that at the moment information sharing is a one-way street from industry to government, and it’s unclear if or when that will change. As computing evolves, maintaining security will become even more tenuous. Quantum computing may be 5-10 years away and will change everything. Biometric security will become more prevalent and passwords less important.