5th Annual Cybersecurity Conference for Executives: The regulatory playing field

April 16, 2019

So does regulation have a downside? Its promised upside is clear enough: an analogue of public health and public safety measures, transposed to cyberspace. The conference, held on March 13, 2019, on the Homewood Campus of JHU and organized by the Johns Hopkins Whiting School of Engineering and Ankura, concentrated on regulatory frameworks and trends, and on the sometimes surprising impact of national, international, and state regulations on businesses of all sizes. You may not think you’re interested in GDPR (or for that matter HIPAA, or CCPA), but as several experts explained, they’re interested in you.

In a keynote that opened the proceedings at Johns Hopkins this week, Dr. Phyllis Schneck, Managing Director of the Global Cyber Solutions practice at Promontory Financial Group, began by drawing attention to the well-known principle that compliance isn’t sufficient for security, still less synonymous with it.

She offered regulation of personally identifiable information (PII) as an example of regulatory insufficiency. PII is widely regulated, but there is a wealth of other types of data that aren’t, and which, when aggregated, can be at least as revelatory as what we commonly think of as PII. Information such as location data and buying habits, for example, can be just as valuable to an attacker as it is to the companies that collect the data.

One of the problems with regulation, she said, is that it shows the bad guys what you’re not doing, so they can invest their time and money into targeting areas that are unprotected. Attackers will always be ahead, because defenders have laws that restrict their actions. Attackers can adapt more quickly to new information, and they’re generally more open to sharing information with other attackers. Operational resilience is the only way to address this problem, Schneck argued. Companies need to have their recovery strategies set up in advance. She stressed that rehearsal is a necessary component of resilience. Companies need to ask themselves what they would do “if all the lights went out tomorrow,” so that they’re not dealing with that question when the lights actually do go out.

John Forte, Deputy Executive for Johns Hopkins University Applied Physics Laboratory’s Homeland Protection Mission Area, delivered the closing keynote. He took as his text the proliferation of interconnected devices. Transportation, healthcare, buildings and cities, education, and public safety are increasingly automated, and CISOs are going to need to deal with this trend soon. IoT devices will be used to assist in countless tasks, and all of these devices need to interact with each other. The challenge is getting them to interact securely, and building them so they can’t be hacked.

Forte said that the traditional consideration for a CISO is aligning the risk to the mission; in the future, however, CISOs will increasingly need to become business strategists. What CISOs need to start doing today is designing open, resilient, zero-trust architectures, mastering the supply chain, and enhancing automation and the use of AI. Forte noted that we’re currently in the very beginning stages of artificial intelligence.

ISI media partner The Cyberwire provided all of the media coverage. Visit The Cyberwire for more information.

JHU Information Security Institute