>> Welcome, thank you for coming.
I know it's a busy time of the semester,
so we appreciate you making an effort for some pizza,
and hearing what I'm sure is going to be a fantastic speaker,
and a great discussion to follow.
For you guys, if this is your first time, this is our second,
now, Cyber Security from the C-Suite Series.
We kicked the series off in the spring with Brad Wheeler, IU CIO,
VP for IT, Kelley professor, the one holder
of the true ring of power by all the [inaudible,
laughing] he did a great job,
talking about a huge range of issues.
Got a bit of feedback there.
Today, though, we are going to be focused on health care.
Health care and cyber security, a bit on IOT,
but moving forward, we are going to continue the series,
so we'd love to hear your thoughts
on particular sectors, hot topics,
whether it's block [inaudible], Active Defense, you name it,
we can bring in people really at the forefront of those debates.
So we want to have this be a back and forth
and useful for everybody.
It's a big tip, right?
Also just so happens that we have, if you're interested,
some brochures for IU Cyber Security,
Risk Management Master's Program up here as well so if any
of you guys have questions about that,
we can talk about it more afterward too.
But we are honored to be co-sponsoring this,
with the cyber security program and CACR.
So without further ado, I think that Von Welch,
Director of CACR, is going
to be introducing our distinguished guest speaker
today and we will be around,
though to help facilitate the Q&A and afterward,
so Von, thank you again.
>> Thank you Scott.
And thanks for co-hosting.
It's always exciting to be back over here in Kelley
This is, by the way, the last CACR seminar talk
of this semester.
We will reconvene in January, January 11,
what looks to be a really exciting talk.
We are going to have Rob Templemen
the Chief Cyber Security Engineer from Crane
to talk, so that is on January 11.
So take a look for that in emails coming up.
Now, without any ado,
let me turn to our guest of honor today.
It's my pleasure to introduce Mitch Parker,
who is the Executive Director for IU Health in Information
Security and Compliance.
So I know since he's joined there it has been what,
a little over two years now?
>> Little bit over a year.
>> Little bit over a year.
He has done at least two years of wear though,
in that little bit over a year,
redeveloping their cyber security program,
and Mitch is also a very prolific speaker on a number
of different events, HIMSS, IEEE Tech Night,
and he has a Bachelor's in Computer Science
from Bloomsburg University, an MS in IT Leadership
from La Salle, and an MBA from Temple.
So with that, I'm looking forward to hearing from Mitch
on this, and ask you to please join me in welcoming him.
[ Applause ]
>> Thank you very much everybody.
So the purpose of today's presentation is
to illustrate what we can do to protect ourselves,
and stop the illusion that technology
and its supporting people and processes are enough
to mitigate the current threats.
A little bit of background, before I was in health care,
I've been at IU Health a little bit over a year, before that,
I was at Temple Health as their Chief Information Security
Officer for 8 years, and before that, I spent 6 years
as a defense contractor.
So, I actually come to this from the DOD world,
and a lot of the practices I use, I learned in DOD.
So again, that is why I talk about stopping the illusion
that technology is enough, because that is what a lot
of people are pushing these days.
And so the areas we are going to cover and learn from are,
first of all, cyber security is a business problem.
Second part what we're going to talk
about is what the DOD has been saying and doing all along.
And why this is different than what industry normally does.
We are going to then talk
about disruptive technologies enabling co-competition
as I call it, the two biggest I'm going to talk
about are block chain and cloud, because like it or not,
block chain is everywhere these days, and we really have
to get our handle on it, and how it is going to disrupt business
and how it is going to make sharing part of its death
and destruction, and technology for technology sake,
so I put Facebook and Uber up there, because again,
people have put technology out there, and they've done
so without fully recognizing social consequences,
and it has led to some large scale psyops operations.
Many of which you've read about in the news lately,
and the other thing I'm going to put in there,
AI may not be fully ready.
And then we're going to talk about the current situation
in the government, and how it has already forced sharing
and co-competition for cyber security, and we are also going
to bring up the supply chain.
Now, more than ever, this really matters,
and this is an area people really haven't focused on,
unless you're some of the larger companies, and how we need
to structure our companies to execute on our mission
and protect it from outside threats.
So cyber security is a business problem.
I put some statistics up here for everybody.
So [inaudible] and Petya / NotPetya showed that this year.
So Maersk, the big international shipping company, has recorded
over a $300 million loss because of
that ransomware attack.
Merck has reported $310 million in losses so far.
Nuance gave advanced warning to the stock market
that their quarter three and quarter four were going
to be significantly lower due to this attack.
And of course we bring up Equifax.
That company may end up going out of business.
The current bet among myself and a number of my peers is
that they're going to go the way of Enron and get broken
up for parts, and Yahoo, due to their series of breaches
that weren't caught, had a $350 million impairment
charge, due to their breach, not to mention a complete loss
of credibility, I mean, who uses Yahoo Mail anymore?
Who wants to use it?
Who knows?
Who has your Yahoo mail information?
And the thing we're looking at is we're looking
at future write-offs from Verizon due
to further revelations as Verizon continues
to absorb that infrastructure.
They're going to find more,
as if everything wasn't enough already.
And so it's a business problem.
Both Equifax and Yahoo have management issues and both
of them didn't listen to their security officers,
and put systems in with no regard to privacy and security.
So personal example, I actually know Yahoo's former Chief
Security Officer, Justin Somaini.
He resigned, because Marissa Mayer basically handicapped him,
told him he was going to get no funding for what he needed,
even when he presented her
with direct evidence of security breaches.
He resigned rather than have
that be a black mark on his career.
And the nickname she gave him and his team, The Paranoids.
That's not a good sign of good management.
And while yesterday's testimony in front
of the Senate was an act of contrition,
she did not address the root cause,
which is she didn't fund security.
She blew security off, and because of it, a lot of people
that trusted Yahoo, don't.
And she pretty much single-handedly killed the brand
by not listening to security.
And Equifax, when their former CEO testified,
what ended up happening?
He threw a single employee under the bus, even though,
and I'll be very blunt about this,
when we did our initial analysis of this,
and I'd like to thank the people at REN-ISAC
for some of the great discussions they had,
because I had to do a 48-hour turnaround of a presentation
to our leadership team of what happened with Equifax.
I pulled more information from the REN-ISAC mailing list
than anywhere else, and literally put
up there this is what happened, this is why it happened,
all the evidence pointed to a gigantic systematic failure
that if one person could cause that failure to happen,
they would be Superman.
Superman couldn't even pull that one off.
And every other breach we've discussed, and I'll tell you,
I talk about breaches with the leadership
at IU Health on a regular basis.
We talk about the biggest thing that always comes
up with a cyber security breach is due care.
Biggest example we've given was OPM,
the Office of Personnel Management,
where approximately what, 26 million records,
including the records of everyone
who has ever held a security clearance
in the United States ended up in the hands
of an unknown foreign adversary. Why?
Because the system was running
on something called Oracle Forms.
Something Oracle hasn't supported for probably
about six years now, and when they requested money
from Congress, they said, because the system was old,
not because the system was teeming with vulnerabilities
and anyone could have broken into that system,
and it was well-known for a number of years
that foreign hackers have been targeting the United States,
specifically Oracle Forms,
because it's easy to break into it.
So due care is the cause of most of the data breaches
that we've actually seen.
So the business problem is, this is right under people's noses.
Companies need to continually assess,
score and address their risks.
And the perception has been that business and IT are separate,
and they don't interact much.
And to be honest, we do IT risk assessment,
most of us don't roll up to the Enterprise Risk Management
program most large companies have.
Now, speaking of someone
that recently got their MBA two years ago and did
so after working in the business world for a number of years.
Enterprise Risk Management is actually now covered
in most MBA curriculums, and I suspect
that it's covered here at Kelley.
I mean, it's here.
So, cyber risk is not covered.
It's not covered that much in an ERM class.
They talk about all other types of risk but Cyber, it's there,
but the people running the programs don't understand how
cyber rolls up, other than to say data breach.
So that is something we really have to work on.
And the way I've done it is I've actually done
that in my program.
I went to the ERM people, I said what's your scoring system?
I will turn in risk assessments to you
that use your scoring system.
Because one of our executives, the one in charge
of enterprise risk, went to an entire room
of IU Health top executives, and came right out and said
if you do not use my scoring system,
I'm going to ignore what you say.
So we use our scoring system, because we want them
to understand what we do.
So comes back to IT hasn't come out of the computer room
that much since the 1970s.
Back in the 1970s, computers used to be in separate rooms,
or separate buildings, with climate control,
and you pretty much had to be vetted
to work in those buildings.
I worked with a lot of those people back
when I was a defense contractor.
And it really hasn't changed that much.
Even though IT sits in nicer areas.
And awareness training focuses on scenarios,
not the business itself.
And with the latest attacks,
there is no denying there is a business impact.
It can't be buried as a one-time earnings charge.
I always give the example of J.P. Morgan.
J.P. Morgan, a few years ago, talked about--
after their major hack, which was caused
by somebody having a Windows Server 2003 unpatched server
up for the purposes of employee morale, welfare and recreation,
and it wasn't patched, they said oh,
we're going to spend all this money on cyber security.
And the first question I had when a security exec
from a major antivirus company brought it up was,
shouldn't you have been spending that money in the first place?
And the second thing I thought was, I just finished accounting.
I know what a one-time earnings charge is
and I know it doesn't count against net income,
and I know that means they're going to spend that money
and not worry about affecting their share price.
So the attack was used as a convenient excuse
to fund their cyber security budget they should have been
funding all along.
One-time earning charges only work once,
and I think the market is getting a lot smarter,
especially the SEC and their 10-K forms.
And what else contributes to this?
IT has been thought of as a cost center, and not strategic.
Not strategic.
It has led to a project based mentality
that discouraged what we called post-go-live work
and risk assessments.
So, to give you an example, you have somebody from IT do work
on a project after go-live, upper management will go
to them, why are you doing that?
The project is live.
Don't work on it.
Even though you're supposed to continually assess risk.
And this mentality has led to the further division of IS
in the business, because it means IS is only brought
in when needed for projects, and they go away when it goes live.
But the expectation of numerous federal, state,
and international laws, specifically HIPAA and HITECH
in health care, [inaudible] for any publicly traded company,
GDPR, coming May 25, 2018, be prepared.
Then this standard, and in finance, the FFIEC standards,
the standards we have to follow,
and continually assess risk, so not only ourselves,
but as partners to people in our core business.
And because of that, we're not doing that.
There is little communication on day to day expectations
of actually managing these systems on what to do.
So, again, bringing it back to the days of the computer room.
Even though those days are over, and the computers are
in the cloud, the division is still there.
You might as well still have that floor
of your building dedicated to the mainframe.
So what did DOD get?
Why is the Department of Defense better at security than we are?
They've been open about it, let's be clear.
They've been very open.
Ten years ago, I could have gone on Google,
and basically sent DOD security plans to Google,
and Google said oh, here is iase.disa.mil.
Here is how to secure every Windows workstation
to DOD standards.
Out there in the open.
You could download everything.
You wanted to complete-- secure and configure a Cisco router,
or Microsoft Active Directory, they had everything available
for you, U.S. Citizens.
Granted, it wasn't for people in Pyongyang,
but you don't want them doing that anyway.
And the NSA has actually been incredibly good
about publishing security documentation
and contributing to Linux.
I can't think of a major Linux [inaudible]
that doesn't use SELinux these days,
and that came from the NSA.
And they've been working with their vendors
about integrating security
into their business via certification
accreditation frameworks.
They were using a number of frameworks for a number of years
across the services, but they finally standardized on this,
which is pretty much the one true standard
across the government.
And the advantage is that they incorporated everything
into their business structure.
We're going to get into that.
They're not perfect.
Certification and accreditation
when I was a defense contractor took over a year.
It was an arduous task.
Mainly because I'd have to sit there, as a contractor,
educating billion dollar companies,
this is how you get software
through the certification process and DOD.
This is how you get it so you actually pass,
and a general signs off and says yes you can use this.
Which was your authority to operate.
But, however, even though C&A took a long time,
they set the expectations for all team members correctly.
The standards got applied to cross agencies and services,
so if you went and had something that was DLA, you could go
to Army, you could go to Air Force, you could go
to Marine Corps and say this is what we did.
They review it and say yes, you pass muster.
And the deviations, this I think was another big item.
They had to be approved by upper management.
Usually it meant a general.
So if you had a network security deviation, it went to a general.
So another example I can give is when I was at Temple Health,
I worked for a surgeon who had just come off a couple of tours
as Lieutenant Colonel, running military hospitals
in Iraq and Afghanistan.
He did an honorable job for our country.
One of the things he did was he was doing telemedicine projects,
where they were trying to get telemedicine, so that doctors
and specialists could virtually see patients in Iraq
and Afghanistan, and the first words out of my mouth
to him were, because it was such a deviation, is, Dr. Guy,
what general, because you probably have
to have a three-star sign off on this one.
Just because the deviation from standards for doing that was
so high, and the assumed risk was so high,
it would have taken a three-star to do so.
But the other thing DOD did, they assigned people to roles.
You had a project manager that went through certification
or accreditation, it didn't go for certification
or accreditation without a list of who was responsible,
and who was going to be doing the day to day work.
And for that work, there was a standard education plan behind
the roles and responsibilities for the security officers
and everyone else on the project.
So it was called DOD Instruction 8570.1, which is why the number
of CISSPs over the past 15 years has gone through the roof.
Simply because DOD made it a requirement
that if you had a security role on a project,
you had to either have your CISSP, your Security+,
or your SANS GIAC,
and they were literally, I'm from the Philadelphia area,
anyway a major CISSP training center in Bushkill Falls,
Pennsylvania, they were busing 30 people at a time up there
for a week for CISSP boot camps, because they had
to meet DODI 8570.1 standards.
That is how big it was.
This was about 2004 they did this.
So it was incredible, they did that, and it has led
to a pretty well trained work force, and why it was different,
because there were standards, because there was education.
It was easier to communicate the security requirements,
because everyone was at the same required education level.
You wanted to be on this project,
you had to be a level 2 [inaudible], what do you need
for a level 2 [inaudible], oh, you need your CISSP,
you need these training courses.
Literally it was almost like school, and the standards fit
in with Common Criteria, NIST and other national
and international standards.
The two biggest we used in DOD were Common Criteria
and NIST.
And the current, the only [inaudible] that really follows a
similar model is finance.
I would actually venture to say health care, in terms of medical
and professional education with nurses, but even then
that is state by state.
Give you an example, state of Pennsylvania requires nurses
to take 30 hours a year continuing education credits.
Indiana does not have that requirement.
Finance, to be a financial auditor, you actually have
to undergo federal training very similar to the DOD
to be certified to be a financial systems auditor
for FFIEC.
And the big issue, however, is that the only federal agency
that was really enforcing this was DOD, and a number
of other government agencies, they really didn't do that.
This led to having systems to support DOD,
biggest one being OPM, being compromised.
So DOD proves one thing.
It proves you're able to do security well,
but if your supporting agencies,
your collaborators don't do it well, you're going
to have some serious issues, and you might
as well have been compromised yourself.
So how can you make this better?
Number one, collaboration.
You expand the work at FFIEC and financial services,
and FS-ISAC have done, across multiple industries,
and I'd also venture to say DOD as well,
although not as regimented.
And expand that work, get other industries doing it.
And there is another thing finance has done, and learned,
doing some research for my MBA.
Finance, most big financial services companies have a Chief
Risk Officer that is a direct report of the CEO.
Which is a recommendation that the federal government has made.
That way, risk always has a seat at the table with the CEO.
And because of that, you can assess and address risk as part
of the business, because when it goes up to your CEO
and more importantly, it goes to your board, you address it.
And the other thing you can do, share information and risk.
And you really have to share, you have to collaborate.
The days of security being done in isolation, they've been done
for years, most people just don't realize it yet.
When we talk about collaboration and sharing,
biggest example I'm going to give that is going
to enable that is Blockchain.
And the reason why,
it's basically a distributed [inaudible], that's what it is,
it has got cryptographic validation and verification
of all the entries by all participants in the pool.
And it is very useful for ensuring the integrity
of transactions and that they're valid,
and that they're not altered.
And it solves a very, very useful problem
with distributed general ledgers, and verification
and validation of transactions across organizations.
This is a gigantic issue businesses have.
How do you ensure the integrity of your general ledger?
That is one of the biggest accounting problems out there,
because right now, you pretty much have to assume
that the organization hasn't done anything nefarious.
This is a way to cryptographically prove
that you haven't done anything nefarious, and show [inaudible].
And it is not the transformational system
that people think of yet.
So I'll give you an example.
You get people out there saying Blockchain
and Bitcoin are going to replace banks.
Biggest challenge you have with banks is that the entire banking
and finance system in the world is based
on a little something called fractional reserve banking,
which basically means your money exists in two places
or more, up to 10 at once.
I learned that in economics class in my MBA.
So Blockchain and Bitcoin
are based on the assumption that money exists in only one place
at any given time.
So those little satoshis you have only
exist once.
So there is no provision in Bitcoin right now
for fractional reserve banking, which means that it's unsuitable
for replacing our current financial system,
and replacing banks, and quite frankly to people that are
on tech [inaudible] talking about this,
they need to take economics
at their local business school before they go spout off
about Bitcoin replacing banks.
It's not that, but it is an excellent starting point
for the future.
However, there are three key trends to make it succeed.
To make it work.
First of all, you've got to make sure you have multiple entities
participating in your Blockchain pool,
because no one entity should be controlling more than 50%
of your computer power.
Bitcoin has had a lot of problems.
I think it led to that last fork they had a few months ago,
because there were miners in China that had 51% control
of the pool at any given time.
The issue with that is when you control 51%
of the computers doing the mining,
you can control the entries in the Blockchain.
You can make them say whatever you want.
And you can corrupt the ledger.
That is dangerous.
And the other thing is, you have to have good collaboration
and good business partners to show that you've got less
than 50% of the pool to show that you can validate and verify
that your entries are valid.
You don't want to be in 51% control,
because that basically means you control it,
and we're back to square one.
You have got a general ledger that you control.
But the problem is, you're back to the old assumption
that you are in full control of it, not anybody else.
That is something a lot
of people really haven't thought about.
And the other thing, system security.
The way the Blockchain systems have been hacked is
through poor security and system implementation.
So the example I always give is Mt. Gox,
which was one of the first Bitcoin exchanges out there.
Big challenge with Mt. Gox was that the guy
that put it together thought he could write everything possible
in the programming language PHP.
One of the things he wrote in the programming language PHP,
which originally stands for Personal Home Page, by the way,
which was written so somebody could write web pages back
in the late 1990s, he decided
to write something called a secure shell server,
which is used for secure mode administration
of computers in PHP.
Now, the way the secure shell protocol works is it's very
timing dependent.
PHP is not what is called a timing-dependent language,
the C programming language is, so the problem is
that very basic attacks could have been used
to attack Mt. Gox, and basically take out,
just take out his servers, because there was no security,
because the security the secure shell protocol should have had
just wasn't there, because of how he implemented secure shell,
and why is this important?
All systems that participate in Blockchain need to be
at a reasonable and appropriate level of security,
or else the entire trust fails.
Everyone has to make sure
that the other participants have good,
full lifecycle vulnerability management
and defense in depth, period.
You can't just assume everyone's got it.
You've got to make sure they do, because again, you're going
to have Mt. Gox again.
You're going to have Coinbase again, because someone is going
to do something without doing due care, and what's going
to happen is you're going
to have somebody making a crazy error, and $300 million
in cryptocurrency goes invalid in an instant.
Just like happened yesterday with [inaudible].
And of course the other part
that really hasn't been addressed, and yes,
I've been through the Blockchain block format, identity
and access management.
Because right now, Bitcoin is very good for one thing,
sending anonymous transactions to people
so they can't be tracked.
Now in the Silk Road case that happened a few years ago,
the FBI had to do a lot of forensics work, basically go
through to Blockchain, identify all the transactions that went
to Silk Road, and associate them with people.
And they were actually able to do so very successfully.
However, it took them years to be able to do that,
to be able to build that case against Mr. Ulbricht and put him
in jail for three life terms.
So that's all well and good, and if you want
to pay off ransomware or buy drugs online.
However, if you want to do real transactions that will stand
up to a Big Four auditor, you have to verify
who made the transactions.
To do that, you need strong identity and access management.
You need to have the final process
to show how identity was provisioned,
how it was assigned, how they were assigned digital
certificates and encryption keys to make the actual transactions
on the blockchain, and show good key management processes.
Because all of that, and I will take this back
to the American Institute of Certified Public Accountants,
their cyber security guidance directly references cyber
security key management.
You need to be able to have that.
And you need to have strong identity management,
because that is a basic tenet
of any regulated transactional environment.
I don't care if it's HIPAA in health care,
because HIPAA says it, HITECH says it, FFIEC says it.
American Certified Public Accountants, they all say it.
And DOD, you don't get access to one of their systems
without strong identity management, period.
So if you don't have it,
Blockchain is not going to succeed.
And the other way we have to structure it is with the cloud
and open compute projects.
These are two completely disruptive technologies
that show how co-competition works.
There is a large number of great technologies out there.
The two biggest I can think of are OpenStack,
originally developed by NASA, and now championed by
companies such as Microsoft, Cisco, and Rackspace.
The Open Compute project, where you have companies like Google,
Facebook, and Microsoft, all coming together
to share server designs, and the big impact this had,
the Open Compute Project, several quarters ago,
Hewlett Packard Enterprise reported a major drop
in earnings, that affected their share price,
and caused thousands of layoffs.
You want to know why?
Because their largest customer was Microsoft,
who started building their own servers,
using the Open Compute project, and stopped buying truckloads
of ProLiant servers for their data centers.
That is what happens.
That is disruptive.
People don't buy servers that much anymore.
If they do, they buy it from Dell or another company.
IBM sold their server business off.
Why? Because products like Open Compute Project got rid
of the need to actually have servers,
and people now share server designs.
The biggest beneficiary now is Intel,
who now sells directly to Facebook.
I think Facebook is actually--
Facebook or Google is Intel's single largest customer.
And I know Microsoft basically validated ARM on servers
because they came right out and said, oh yeah, we're testing Azure
in our data centers, on ARM chips.
With a version of Windows.
Which meant that probably 50,000 servers running it right now.
And there's a number of shared libraries
and projects supporting resilient computing.
Facebook has done a lot of that work.
Uber has done a lot of work,
because they published almost everything as open source,
so you can go out there
and build your own resilient solutions, whereas 15,
20 years ago, when I got started with the dot com 1.0 revolution,
you had to spend hundreds of thousands of dollars
on [inaudible] hardware, F5s, load balancers,
clustered Microsoft environments.
Now, I can literally spin up on a couple of Raspberry Pis,
something 10 times more powerful and resilient,
because companies have made this open source,
and you can literally put it together in an afternoon.
Like downloading a VM.
So what does this mean?
Business before was inward focused.
It was focused on individual corporate performance.
This is no longer the case.
Data is now a shared risk,
and that is what you should be thinking
of with the word Blockchain.
Companies can now work together to increase the resiliency
and provide verifiable transactions across enterprises,
which is in everybody's benefit,
especially for audit and compliance.
And that means you open things up when it comes
to security standards, and you prevent single points
of failure.
So security now is becoming more open, whether we think it is,
don't think it is or not, it's open,
it's out there, it's happening.
And the future of security is collaboration using Blockchain,
using cloud technologies, strong vulnerability management
and strong identity management.
I'll make it very clear, when I first started at IU Health,
the first pronouncement I made is we are going
to look cloud first for security.
I got to meet somebody very great
at IEEE Tech Night back in March in California,
a guy by the name of Danny Lange.
Danny Lange is the former Director of AI for Uber.
The former Director of AI for Amazon.
And if any of you play any games
of Unity 3D, he runs AI for Unity.
First comment he made to me about security, he goes,
"When it comes to security don't run your own stuff.
Amazon does it better.
Amazon has 1,000 people doing security.
They're going to do it better than you."
I took that advice to heart.
Long before I had to have Danny Lange verify
and validate that for me.
The cloud providers do it better.
Google does it better.
Microsoft does it better.
Apple does it better.
You don't hear about many big data breaches outside
of people misconfiguring what has already been provided
by the cloud providers.
You follow what they tell you to do, you're probably going
to be pretty resilient and secure, and I can tell you
with AWS, it's pretty hard to deviate.
You've got to seriously screw up and not follow best practices,
to screw up in AWS, which is the way that happened
with the breach just a few weeks ago.
So why is this becoming part of business?
Because co-competition helps solve verification
and validation problems that have existed since the dawn
of accounting with cryptography.
That is just-- that's it.
You now have a verifiable process behind the general
ledger, and the focus on these issues, plus the focus
on shared accountability, Equifax brought that to light.
You know how many companies trust Equifax
with their information?
They bought a company called a Work Number.
The purpose of the Work Number?
Because companies didn't want to pay somebody to sit there
and take those phone calls whenever somebody applied
for a home loan, or applied for a mortgage,
to say that they worked there, and they made the salary.
Equifax made a billion dollar business out of it,
that they recently acquired.
When we presented this to leadership,
that was the first question?
What about the work number?
Same question a major pharmaceutical company had.
What about the work number?
So shared accountability is key.
And if your company doesn't have legal contracts already in place
to handle this, shame on them.
And because of that, you have to keep systems up to date.
You have to continually assess and address for risk.
And because now it affects your transactions.
It affects your business.
It is a core business issue now, and I think the events
of the past year, if the Board
of Directors now can call security an IT problem,
they need to replace them.
So talk about replacing, and talk about a big sea change,
big change I've seen over the past couple
of years has been the content of the internet.
It's gone from curated content,
originally when the internet started,
everything was like: duck, duck, go.
I remember the first time I submitted my website to Yahoo
to have it included in the search index,
and somebody actually hit this, this was 22 years ago.
So now, everything is highly automated and delivered
with little human intervention.
The problem is, it allows memes and messaging
to be delivered very, very quickly,
and I will tell you a big example.
That is major newspapers.
I go onto any major newspaper's website,
whether it be Indianapolis Star, USA Today, even though I call
that "McNewspaper," the Washington Post,
the Philadelphia Inquirer, New York Times, New York Daily News,
or NewJersey.com, yes I moved here from New Jersey.
And you take a look at any of these websites,
you have content there, but most
of the web page is not content provided by the newspapers.
It is pretty much scanning content provided by a lot
of non-US based companies, that show a bunch of scam ads,
and I actually clicked through the explanations on two of them,
which were Taboola and Outbrain
and they basically said we've run automated systems,
and it takes someone flagging-- say this is a fake ad or a scam,
before we'll remove it.
Which basically gives you about, if you're a good scam artist,
you're good at intelligence, you've got 30 seconds
to a minute before, and I could literally have a bot doing
this, putting up these scam ads, putting up these deceptive ads.
And I'm going to tell you something, even CNN has this.
I mean, I literally was reading through a CNN ad a couple
of days ago when I was preparing this presentation
and the first thing I saw there was, as I scrolled through,
there was all this stuff about CNN Money,
and then there is like,
Bill Gates doesn't want this to happen.
Dentists are furious when you do this.
A bunch of scam ads, and a bunch of scam content,
right below a picture of Anderson Cooper.
So basically we are at a point right now where because
of the fact that, well first of all, newspapers
and news media are losing a lot of money, thanks to Craigslist
and other sites like that, these are money-losing enterprises,
they prop themselves up by basically hosting scam ads.
And what ends up happening is, you have these systems
that have been exploited by people either looking
to make a quick buck, or create divisiveness
and psyops operations.
So, in other words, everything we talk
about that requires a lot of intelligence,
no it doesn't require a lot of intelligence.
I could be sitting in an apartment in Brooklyn right now,
and pretty much put all this stuff up there, and the fact
that it took Facebook several months to determine it,
110 million plus people saw these fake news ads,
shows how big the issue is.
Because these are automated too much without good human intervention
and curation and we've created our own monster.
And what has this done?
What is the effect?
We've rolled back 100 years to the early days of journalism.
So give people a little bit of background.
The Spanish American War of 1898 was basically caused
by William Randolph Hearst,
who apparently made a quotation along the lines
of "I'll make the war happen,"
and I'll give you the news, and give you the war.
What happened was there was a bunch
of fake news stories circulated in 1898 around the imprisonment
of somebody in Havana, Cuba.
This incensed populations so much, it incensed the people
so much, there was literally a clamoring to go to war.
Culminating in a staged event called the Explosion of a ship
in Havana harbor, which led to a full-scale invasion of Cuba,
Dominican Republic, Puerto Rico, and the Philippines
by the United States Army.
We literally caused a war
with fake news 120-- over 125 years ago.
And it was given a name.
When historians wrote it, it was called yellow journalism.
The Hearst family made billions and billions
of dollars off of yellow journalism.
And right now, history repeats itself.
We're getting a prime lesson in it.
And we've attempted to replace, it's because we're attempting
to replace humanizing judgment
with automation it has been taken advantage
of to deliver negative messaging.
It really has been.
This isn't the days of 2008 when Barack Obama used social media
to basically win the presidency.
Now it's being used to deliver dark and divisive messages,
it's being done completely automated,
and the out that these companies have
to deliver these messages is,
"if we see something, we get rid of it."
It's not an out.
It's not an excuse.
It means that they're doing a really poor job
of due care and judgments.
So what has this done?
How does this affect the security community?
Why do I care?
Because it has made it very hard for people like me
to communicate meaningful messages, because we now have
to educate on the legitimacy of our sources,
and due to the crosstalk with computer security messages,
there's a lot more falsehoods and stink being promulgated,
especially about computer security.
Those scam ads they talk about, those have been chunked in there
for scam entity, by scam [inaudible] malware solutions.
What do you think they do?
They install malware, they install malware and viruses.
And that alone makes it easy to spread phishing, falsehoods,
scam software, even malware,
because if I use all these channels
to deliver a fake malware package,
or a fake anti-virus package, the next thing you know,
I can deliver malware, I have a bunch of PCs I can control,
and I have a whole drone network I can use to do more scams,
more negative messaging, and more fake accounts.
And the other reason why I care?
Because these ads include a lot
of computer security ads, and superstitions.
And we have to work against that.
How do you combat it?
We send people to-- instead of sending people to websites,
instead of telling people to go to a website, I tell people,
I give them breadcrumbs.
I tell them in plain English to go to a certain spot
on the intranet, and this is where to go, click on this,
click on that to do their job.
And we don't want to make assumptions
that people know what we're talking about.
The other reason why?
I type in certain things.
I'll give you an example.
A few years ago when we had the Microsoft Windows tech support
issues, where people were calling up, the scammers
in India figured out really quickly that if they bought ads
on Google, for Microsoft Tech Support,
they could take advantage of the Google AdWords algorithm,
and what they could do, when you Google
for Microsoft tech support, the first answer that will come
up will be sponsored ad for a scam shop, located somewhere
in Bangalore, that would be willing to take $250
to install malware on your computer.
This really happens.
So you can't make any assumptions out there.
You can't make assumptions you can trust anybody,
let alone a search engine.
The other case I can give is DecorMyEyes.
This was a case where a Russian immigrant in Brooklyn, New York,
sold fake glasses online.
And the reason why he was able to sell millions of dollars
in fake glasses, and basically threaten and harass people--
this guy did federal prison time for this, by the way,
was because he figured out a hole in Google's algorithm,
where he basically keyword loaded all of his websites
for glasses brands, then
when anybody complained, he threatened them.
So this, again, really happens.
So what do we have to do?
We have to barnstorm.
You have to be out there, and constantly talking
to your customers with your message.
So in other words, it's not enough to send out emails,
and say oh, I put something up on the intranet,
I've done my job for the day.
No. You have to be out there, shaking hands,
talking to everybody, telling them what you're doing.
And you keep the messages small, and you keep them digestible.
I learned that lesson from my MBA program as well.
No more than 12-word sentences.
Keep the personal touch.
Let people know who you are, and you win with the action,
you win by being accessible, and you win by engaging.
Every company out there is an employee engagement program,
you need to be part of it, because you contribute
to positive employee engagement.
And you want people to ask you questions.
And they're only going to ask you questions
if you're personable, and being part of the business.
That is what does it.
If you're somebody that sits there and gives the impression
that you're the uber security guy and you know what you're talking
about and you're going to look at people with disdain,
they're going to ignore you.
They're not going to engage.
They're not going to call you.
They're not going to--
people are not going to feel comfortable with you
if you're an idiot, it's what it comes down to.
If you're not engaging.
If you're not a comfortable voice on the other end
that is going to assure people that you're going
to do whatever it takes to resolve their issues,
they're going to ignore you.
And that has been a big problem computer security has.
Too many people act that way.
And I'd actually made it very clear with my company.
We will not do business with companies that act like that.
Period. We have made it very clear to them,
you will either act professionally,
you will be personable, you will meet our standards for ethics.
You'll meet our standards for employee engagement,
where we will not even consider it.
I know there is at least one company.
We will not engage the company because the CEO posts messages
on LinkedIn that are disdainful of people.
Anyone does that.
I see that on social media?
We just won't do business.
Because it's not the right message.
I had a talk at 11:00 last night with the CEO
at IU Health about this.
I have run a referral-based business for computer security.
Half my business, my security team,
comes from customers calling us up
and saying they have an issue.
If I act, or my team acts,
in any way unprofessional we don't have business.
People don't report security issues,
and issues like major malware incidents happen
because of that.
The next thing you know, you're back to square one,
and as a [inaudible], probably looking for a new job.
So speaking of jobs, current government situation.
There are a number of pieces of legislation out there
where you're protecting our critical infrastructure.
However, there is Congressional gridlock.
Nothing is getting done in Washington.
However, President Trump's Executive Order
on Cyber Security is very comprehensive.
It addresses the key drivers
as to why cyber security events occur.
I've read through this Executive Order with the presentation,
and I thought it was incredibly well-written,
and if Congress could actually execute on it,
it would be incredible.
It would be great.
However, there's a few factors to keep in mind.
First of all, it's the first year of a new administration.
Democrat, Republican, doesn't matter.
Because of the sheer number of appointees
and senior government executive positions, for the first year
of administration, it is chaos.
The reason why?
Because there's a lot of key appointments to be filled.
Again, this is not a political issue.
It's the way Washington works.
And a lot of the current government executive staff,
they're interim positions,
I'd say 70 to 80% are still interim positions right now.
The current government staff,
the current senior executive service, or GS people
that are filling in for these roles,
they're doing two or three jobs.
They're overwhelmed and there is a lot
of uncertainty over other issues.
Very specifically, the budget.
So what's happened?
The information sharing advisory councils
and InfraGard have been effective at getting a lot
of information to people, and they've stepped in.
However, due to the lack
of guidance outside the [inaudible] membership,
people have been self-organizing to group security.
Best two examples I'm going
to give are REN-ISAC and [inaudible].
I am now on the REN-ISAC mailing list.
When I was in Philadelphia,
about 27 different higher education institutions all worked
together and collaborate on information security.
And literally, the biggest message we saw
on the mailing list we had in Philadelphia was, who is going
to EDUCAUSE.
Because people in that market were all getting together,
all the higher eds were talking about how they could collaborate
to a group security and they were doing this
without university administration knowing most
of the time.
In health care, you have the National Health ISAC,
you have HIMSS, HITRUST,
and a few other large groups, in health care.
Again, we're self-organizing.
We're already doing the work.
Finance has FS-ISAC.
But the difference with FS-ISAC, financial services,
has been that the New York and Massachusetts State Departments
of Banking, plus the banks, have pretty much mandated membership
as a condition of doing business.
And this is very big, because where are most major financial
institutions located?
They're located in New York City or Boston.
So, therefore, by default,
if you're a large multi-national bank, you have an office
in Manhattan, you're already a member.
Also the other big thing is that a lot
of the large banks underwrite the cost of FS-ISAC,
because it's good business for them.
Biggest example I can give is Bank of America, who came right
out and told me they spend millions a year on FS-ISAC.
And it helps the entire ecosystem
because small community bank, they're not going
to have $8 million to plow in like Bank
of America does, but everyone benefits,
because those banks transact Bank of America.
And the medical-- the device vendors.
I'll be very clear about this.
I've spoken with Merck, I've spoken with Eli Lilly,
I've spoken with numerous other manufacturers.
I can tell you even though it's not published in the news media,
pretty much every major medical device manufacturer is talking.
The reason why is because there are 20 different sets
of legislation in the states about medical device security,
they're all working towards standards,
and the security people from these companies all talk.
The two biggest examples I can give are Merck and Eli Lilly.
They've been talking for a while.
I know both CSOs of both companies very well,
and I can tell you they are not unique.
And the other thing, the lack of a comprehensive legislation
or end in sight to the current situation,
this is what it has come down to.
We're doing it ourselves.
And those IT and security companies you hear about,
you will see groups of security people all talking
at these conferences, sharing information.
That's how it is happening right now, and it happens just
as much as, you know, going to the sessions, or networking,
or even seeing the vendors.
People doing it themselves.
And there is a lot of activity that I alluded to,
especially in eastern Pennsylvania.
And a lot of private round tables financed by the big four,
the [inaudible] by the big four, and a number
of other consulting firms,
they've been sharing info as well.
There is one group, E-Health Initiative in Washington, D.C.,
I would say pretty much every major pharmaceutical company
and most of the top 20 health systems
in the United States are members of that round table.
So you go into that room, you will literally sit there
and talk to 10 different pharmaceutical companies
at the same time, everyone is talking the same language, just,
that's not getting out there.
We're working on it.
And speaking of big challenges, we have supply chain.
Everyone now talks about the internet of things,
and what that really means.
What it really means, what we really should care
about is now we have to really care
about the entire value chain that delivers devices
and information, is reasonably secure.
Instead of worrying about IT, now we've got to worry
about everything, because everything is a network
connection, everything is an end point,
because one weakness can cause a cascading [inaudible].
So I'm going to give an example of that
which is Android, and smart phones.
Probably a number of you here have Android smart phones.
So one thing you should think of,
if you have an Android smart phone, if it has one device
that has, if it has one component
that can't support a newer version of Linux,
or newer version of Android because of bad device drivers,
[inaudible] I'm looking at you,
the entire device cannot be updated.
You just can't do it because Android is not going
to support it.
And Google, they tried to fix this with a number
of initiatives, but there is-- you're only going to be able
to address [inaudible] level device drivers so much.
You just can't, without seriously breaking
newer functionality.
And right now, because of this, there are a number of phones
that cannot or will not be updated, and we have issues
because one little part of the supply chain,
one little component doesn't have a new device driver
for Android.
Doesn't have it.
So you can't update the phone.
So another major issue is sourcing chips and components.
What other component has a hardware, software back door?
How can components be compromised
to break into systems?
Both the NSA and other intelligence agencies are really
good at doing that right now.
And how can weak encryption
or hardware weakness leave you wide open?
Give you an example over the past couple of years,
a lot of hardware implementation
of a [inaudible], they've been broken.
So how do you guard against that?
How can you be sure the trustworthiness
of your components?
What if you have counterfeit components making their way
into your value chain?
So example of that, that happened to Cisco twice.
That has been published in the news media.
So in both those cases, somebody who got themselves permission
to deal with the U.S. government, sold the Navy,
counterfeit Cisco gear, from some dubious source in China.
We don't know what was on those routers.
What was on those routers or components they sold,
we don't know what kind of back doors there were.
But compromised equipment was sold
to the Defense Department at least twice.
There are some people doing some serious prison terms
for this right now.
But that doesn't-- that pales in comparison to the fact
that in the value chain that powers our nation's defenses,
we had counterfeit gear with backdoors.
Cisco. Of all the companies that it happened to,
it happened to the one that is pretty much the five letter word
for networking.
[Inaudible] brought other--
brought one other item into light.
What happens when you have components
of your value chain shut down because of cyber attacks?
So I'll give you three examples.
People had shipments and boxes delayed because of Petya.
Maersk, big international shipping company.
FedEx. And UPS.
All had tons of machines offline because of ransomware attacks.
Merck couldn't produce drugs and medication,
and we're seeing this now in Puerto Rico as well.
Because of the power outages caused,
and the devastation caused by hurricane Maria,
Medtronic has reported
that certain medical devices can't be made
because the main production line for them was in Puerto Rico.
So you have to think about it.
Malware is now just as dangerous as a hurricane.
So what happens?
You have alternate sourcing arrangements in place.
What happens if a cyber attack hits a major supplier?
In one post I had on social media, what happens
of you're a restaurant,
would you have enough breadsticks and pizza?
Cisco actually led the way.
They actually have a dedicated [inaudible]
for their supply chain.
Edna Conway, she works on these scenarios,
and I think Edna is the first of many great [inaudible]
that are going to be out there working
on the supply chain issue.
So, how do you structure your companies to come back?
There are five major components of our companies
that need to work together.
Info sec, legal, privacy, compliance,
and our Chief Risk Officer, Human Resources, Supply Chain,
and finally our core business.
And we are going to discuss the newer additional roles
in augmenting our corporate structure.
So information security is responsible for assessing,
categorizing and communicating risks throughout the entire
value chain.
And they are the team that defines
and develops the policies and security requirements,
and communicates to the rest of the organization.
And they're also responsible for security portions
of legal contracts and [inaudible].
Yes? And if you're in health care,
you have this [inaudible] agreement,
it has security requirements.
Surprise, you own it, no one else.
And they're an integral part of business responsible
for interfacing with the entire enterprise.
I want you to take a look at that right there.
They are no longer part of IT.
Even though they may report to CIOs,
you're no longer in IT departments.
And they are responsible for developing security plans
in concert with the core business.
Again, I put that there, core business.
Not IT. It's to augment the organization
and move them toward a more secure state.
Because you have to reduce risk at all costs.
And they work in concert with regulatory affairs.
In healthcare we have to worry about joint commission,
HIPAA and a number of our organizations,
and with the business continuity teams because, surprise,
business continuity is a security requirement
to assess all risks to the environment as a whole,
and security risks, they're no longer separate.
You have to work on the tabletop exercises, downtime procedures,
and business impact analysis to assess
and address residual risk.
That is now continual exercise with the business.
Not IT. That saying of backups and restore is not enough.
It's that time between you're down and you're back
that you've got to worry about, and you've got
to maintain your business.
Anyone thinks differently, tell them to call Merck.
Tell them to call Maersk.
Tell them to call FedEx, or tell them to call UPS.
And you have to work with asset management
to catalogue your assets, and use that to determine your risk.
Why? Because if you don't know what it is,
how are you going to protect it?
And they're responsible for a data classification policy
and its associated plans and procedures around that.
They're also responsible
for developing an effective communication plan for new,
emerging and existing threats,
and maintaining the education plan,
including job appropriate training,
scenario-based training including your phishing
simulators, and training for regulatory compliance.
Surprise, you're now a training department too.
And they need to understand the environment
and the players better than anybody else.
Because you have to continue to assess risk.
That's your job.
And most importantly, we know two things about companies.
There's work structure.
That's formal on the books.
And there is a real work structure.
Need to learn what the real work structure of a company is.
Be able to secure it.
So that brings us to our friends in legal.
They're responsible for developing the requirements
in concert with info sec for, to store
and share a minimum possible information,
for minimum time possible, with a minimum amount of parties.
Or, as a settlement or [inaudible] we call that rights.
And they are also responsible
for developing this legal contract,
that they assign proper levels of liability,
assurance, and responsibility.
And they are responsible for ultimately making decisions
on acceptable risk levels for the organization.
Because quite frankly, CEOs aren't going
to make that determination.
Usually they're going to defer to their lawyers,
or Chief Risk Officer.
And they're responsible for the insurance policies,
and making sure they are adequate,
and cover what's needed.
I actually sit on our team
that evaluates insurance policies every year.
Every company out there, because it's now a condition
of doing business, has a cyber liability policy.
And most important, they develop, negotiate,
and implement the contracts, agreements and standards
that they need to have reverse standards for.
This includes your data interchange.
Your establishment of security standards.
Vulnerability management, which is now a contract item.
No matter what company you're in,
you don't have vulnerability management in there,
then you're behind the times.
And liability assurance responsibility
in case of a breach.
This is a major sticking point with most companies,
because a lot of companies don't want
to assume that responsibility.
Even if they're cloud-based and hold your data,
they don't want that responsibility.
And of course, incident management,
and cyber insurance requirements.
HR. People don't think of them that much,
but they're very important, because they're supposed to work
with info sec and legal,
and make sure we have the appropriate policies
and procedures in place for human capital management.
This includes your acceptable use policies.
And again, you have a case where you have to terminate somebody
or discipline somebody, you don't have the policies
in place, it's not going to happen.
Which includes your acceptable use policy,
your corrective action policy, especially for cyber actions.
I know there is actually a good bit of discussion
on the REN-ISAC mailing list earlier, I was reading
about people doing Bitcoin mining on university resources,
so that is something which ironically
when people wrote acceptable use policies about 10 years ago,
most universities already had that covered, thank God.
Training programs are very important, because it has
to be logged in the training and learning management system
or with all the other job appropriate training,
and surprise, that's required.
Also the employee background checks and recertification
for access to electronic medical record systems,
or certain financial trading systems, that's a requirement.
Also your verification, validation of access rights,
and collaborating on the access review processes.
Surprise: all HR functions.
HR is an integral part of your company.
So that brings us to supply chain.
They work in concert with info sec to assess and address risk
up and down the value chain.
They're responsible for sourcing
and providing alternative sources should an event occur,
or shall I put it, when an event occurs.
They're responsible for building up
and managing the effective distribution supply system
for the organization, which includes redundancies,
and they're integral to the disaster recovery
and BIA portions of any business.
So this is a major change for the core business,
because normally cyber security has been handed off.
They need to do the following.
They need to make sure they assess
and address risk at all levels.
They have to have resources
for their risk management program, definitely.
They need to work to mitigate these risks.
So, instead of saying IT handles it, they are now--
their boards are now saying you've got to do it,
you've got to track it,
you can't just say IT go do it anymore.
Not going to happen.
And you have to make good risk-based decisions,
and budget for maintaining operating systems.
Because you don't want to cut costs to look.
You don't want to do that, because if you cut costs
to meet some mythical ROI standards, you're going
to see bigger costs in the back end.
Why? Because if you cut the maintenance on the system,
you're going to have a breach.
And the breach is going to cost you 10 times more
than the maintenance did in the first place.
So where do you end up?
You end up at a negative spot because you tried
to make a quarterly profit, and that's not good.
And you have to have it be [inaudible] process
for each system access, which a lot
of businesses really don't understand.
You have to have continual risk, and that means looking
at who has access to your systems.
And your contracts and agreements have--
need to protect the organization and its constituents.
Sorry about that.
So security needs to be in a position
where it is most effective.
It can't be buried in IS.
Can be part of IS, but don't bury it
under the director of infrastructure.
It needs at least a dotted line to legal and compliance.
It needs to be empowered to communicate with everyone
without having to ask executive permission.
This is what kills most security programs.
If security is not allowed to talk to the business,
it will never succeed.
More visibility is required.
If you're not editing the board
for a Chief Risk Officer, you're not effective.
And the CISO has to be
in constant communication with the business.
It is no longer an option.
It's no longer a technical position.
You are just as much a part of business as everybody else.
And a large number of my peers all have MBAs now because of it.
And it has to empower across the structure.
So it can't just be doom and gloom.
You have to empower the organization.
Because everyone is responsible for security, and a team needs
to use constant risk assessment
and address risk to provide guidance.
And people, they're aware of these issues.
The responsibility of security is to make sure
that people know what to do, not that the issue is out there,
not to scare people, not to intimidate people.
It is to empower an organization,
not to intimidate it.
And if you see something, you say something.
That little simple thing from Department of Homeland Security,
you have to be able to enable that environment,
empower people, make them feel comfortable
to actually say something, and you have
to build rapport to do it.
This is not an IT position anymore.
It's a business job.
It involves more aspects
of human resources than people realize.
Why? What are our conclusions?
What have we learned?
It's a growing-- cyber security is a growing part to businesses,
and it's no longer a technology issue.
It requires whole business involvement.
New and disruptive technologies still need
to be addressed using conventional risk assessment
and addressing processes.
I mean, basic blocking and tackling hasn't gone away,
and I'm sorry, you can't buy a silver bullet
to have good security.
And continual risk assessment is the core
of what the organization needs to do now.
It is the core of the business now.
Along with whatever goods and services your business provides.
And security needs to expand that role,
they need to constantly communicate,
and constantly empower across the organization,
and other business units need to partner with and work together
to expand that role, period.
You are no longer an island, you are no longer part of IT.
Security, you are the business.
And most important it is no longer done in isolation.
You are the business.
And the reason why these new disruptive technologies
out there, they require an encouraged collaboration
of community involvement.
I mean, that's just it.
This is where we are at.
This is no longer a case of security being security.
Security is the business.
And with that, thank you all very,
very much for your time today, and I'm willing
to answer any questions.
[Applause]
>> Thank you for the comprehensive presentation,
that was really fascinating.
Now, questions, questions from the group here?
>> Maybe while people are gathering their thoughts,
I'll kick us off, which, you know, I liked your discussion
about the organizational changes
in security becoming really comprehensive, in that sort
of environment, how do you see the decision making going
around acceptable risks and when to make--
when exceptions are allowed, and what sort
of the organization's risk tolerance?
>> My personal view of it is I've seen that actually go more
to the legal department than IS.
>> Hmm.
>> The discussions I've had over the past couple of years,
that has actually shifted from C-suite making that decision
to C-suite deferring to a legal team.
To make a determination on what acceptable risk is
for an organization.
>> Luckily a lawyer, so wise in such matters,
we're in good shape [laughter].
>> Well I'll tell you what, I'll tell you what I
like about the lawyers is, they're very good at one thing--
ferreting out where companies try and duck liability.
That is the number one issue I've had on contracts
for the past several years,
at a number of organizations I've worked at.
Companies want to duck liability because they don't want to be
on the hook if a breach occurs.
That is your major challenge right now.
So lawyers are getting a lot smarter when it comes
to cyber security, because they're treating the big issues
as liability issues, and with the cloud,
you're putting your data with Amazon.
You're putting your data with Microsoft, over Google.
And there's a lot of issues with liability.
There's a lot of issues with due care.
So you have to make sure you're on point.
More importantly,
the vendors that you're doing business with,
that are doing Amazon back end and not telling you,
you've got to make sure you know where your data is going,
and GDPR is going to be a big deal for that.
Because a lot of companies out there, give you an example,
several years ago I had mostly client server applications I
dealt with in healthcare.
About a year ago, it shifted to over 50% [inaudible].
>> Hm!
>> And this is, well what was happening is vendors are
realizing we don't want to put servers on site,
we'll just put our stuff on Amazon.
So now it gets to the point that you have
to make sure the company understands liability.
You've got to make sure they understand their process,
as opposed to seeing some box
of [inaudible] you could segment off to the rest of the world,
your stuff is in three different data centers
that Amazon provides.
And Amazon is not liable.
That company is liable
for configuring Amazon the right way.
As Accenture so learned a couple of weeks ago.
So yeah. Legal is now heavily involved
with the decision making process because quite frankly they have
to be, because the risk is just too great.
>> Just really quick, you did bring up GDPR a few times,
can you speak a little bit on how that is going
to change the status quo?
The decision making?
The reason why the European Union's General Data
Protection Regulation is going to change things is because it's going
to require companies that handle people's data to know
where that data is at at all times,
and know what machines handle it, know what the processes are,
know how it's protected, and know how and when
to remove it if someone asks.
So you're basically asking people
to do everything they should have been doing already.
Especially if you're in health care.
But now you're putting the full force
of European penalties behind it,
and it enforces a corporate form also with the use
of the data protection officer that cannot be the same
as the security officer, and usually in most cases,
as the privacy officer, to enforce GDPR.
So the European Union, I mean, it's a great initiative,
it's forcing companies to be more collaborative.
To understand what their core business is,
and to not segment off parts of a company from each other,
and continually assess and address risk.
Know who has access to what, under the risk
of great financial penalties, and more importantly,
the big black mark is going to be left if you're
under a GDPR violation.
So yes, it's going to change how we do business.
>> Thanks for that.
Excellent.
Other questions, comments?
>> So you're talking about the human resource aspect.
What strategies with it [inaudible] trend their
organization as a whole, is it a large sort
of getting large groups together,
financing budgeting the time and money that it takes
to do that, and communication?
>> I'll be very blunt, I do a guerilla effort.
I wrote all the training myself, so [chuckles] and I,
the only thing we didn't write was the phishing simulator,
but even then we wrote our own communication plan
around our phishing simulator of choice, and more importantly,
we get out there, we talk to people.
We develop training programs that are job specific.
We schedule time with people.
We talk to them.
It's more important for us to meet people,
understand what they're talking about,
understanding their needs, and put a face to the name,
that's the best training program of all that we found.
And it's just-- it's gradual.
You can't do it overnight.
We do awareness training.
We have mandatory training from everything from PCI to HIPAA
to security awareness to phishing,
while all that is great, people click through that training,
and we're not going to sit there
and say they don't, because they do.
People ignore training, they forget it,
but they forget faces a lot less than they forget
that PowerPoint slide they forgot about because they had
to take training three weeks ago.
We want it so they know who we are as people, to ask questions.
We want people to be naturally curious and ask questions,
rather than give them some training program
that they're never going to use, and we're just--
we're being realistic about it, and we'd rather sit there
and have the conversations with people, let the executives know
who to call, let the staff know who to call.
Be the people out there that they can talk to.
That is more effective than any training program you will
ever have.
>> We have time for one or two more,
if anybody else has ideas they want to dig into?
A lot of [inaudible], budget, management, my gosh [laughter].
>> This, I'll tell you--
you know how many medical billing companies
that are looking at Blockchain right now?
It's actually there is a company
out their former Chief Scientist Detective back in Cali in March,
and yeah, he was talking about a major--
one of the 10 biggest houses in the country trialing Blockchain
for verifying billing transactions.
>> Wow.
>> So yeah, we keep Blockchain on our minds.
>> Mm-hmm.
>> That's fascinating.
>> So thank you all.
>> Oh I want to get you to the one last one here.
>> Go right ahead.
>> Well so with supply chain, and IOT,
previous speaker we had was from Microsoft,
he says dueling IOT devices that could be better trusted,
until that occurs, from a business perspective,
risk management [coughing], you kind of--
sort of keep IOT devices how [inaudible], your facilities?
Are you managing which ones you allow in?
>> We have to manage what we allow
in because there is actually
in health care a significant regulatory issue behind it.
Give you an example.
Joint Commission, which pretty much regulates,
voluntarily regulates, all member hospitals, has requirements
on temperature monitoring.
So that means pretty much every refrigerator you have
in a hospital now that handles a controlled substance,
or handles something used for patient,
has to be constantly monitored
to make sure temperature is in the right place.
So what we have to do is we have to borrow a little bit
from the nuclear regulatory commission,
so NRC with nuke plants back in the 80s
and 90s developed this whole process by which,
which was actually borrowed from the military,
because who had nukes first?
They did, of where you have to constantly check, validate
and verify your devices.
Now, that might-- but healthcare is a little bit easier to do
because you have that controlled environment, but you have
to have that level of control now.
Because until Microsoft gets it right,
or other companies get it right, there is still too much risk,
unacceptable risk for organizations like mine.
>> Well Mitch, thank you so much again,
that was really [applause].
>> Thank you, thank you all very much.