While cybersecurity spending is expected to hit $124 billion this year, only a small portion of it will go toward identity management. Yet, a disproportionate number of breaches occur because of flaws in access management and dangerous practices such as the sharing of passwords, according to Tariq Shaikh, CISSP, Senior Security Advisor for CVS Health.
Identity management spending accounts for 5% to 10% of total cybersecurity spend. When it comes to privileged access management (PAM), Shaikh said the portion is even smaller -- 1%. It’s time to change that, he argued during a session on PAM at the (ISC)2 Security Congress 2019, taking place in Orlando this week. Considering how many breaches result from access management issues, Shaikh said PAM can substantially reduce the number of security incidents.
Shaikh’s presentation was one of dozens of sessions on the second full day of Security Congress, covering a range of topics, including challenges around cybersecurity protection, how to cope with data privacy and security regulations, and how to find your voice as a professional to make yourself heard.
“Your ability to secure your assets depends on how well you manage privileged access,” Shaikh said. “It’s the critical attack vector.” He added that PAM isn’t a one-and-done situation, but rather an ongoing endeavor that requires updating to keep up with the evolution of the threat landscape.
He shared a list of best practices for PAM implementation, which includes separating user accounts and infrastructures for routine business and privileged activities, using a centralized enterprise authentication solution, removing privileged access from users who don’t need it, and keeping track of who has privileged access and their activities.
To build a business case for PAM, Shaikh recommended communicating the objectives of the PAM program and the changes it will bring, using simple language, and developing informational materials about it such as FAQs and tutorials.
During a session on cyber insurance, Lisa Angelo, Principal at the Angelo Law Firm, and Seth Jaffe, General Counsel and Vice President of Incident Response at LEO Cyber Security, discussed several ongoing court cases involving companies that bought cyber insurance policies. In many cases, insurers have denied claims for a number of reasons.
One claim involving healthcare records, Columbia Casualty Co. v. Cottage Health System, was denied because medical records that were breached had been stored in an unsecured system accessible through the internet.
In another case, Mondelez v. Zurich, the insurer invoked an Act of War exclusion to turn down a claim after a company suffered two NonPetya ransomware attacks that affected 24,000 laptops. At one point, the insurer agreed to pay $10 million but took too long to pay. The customer threatened to sue and later Zurich rescinded the settlement offer.
These legal disputes, Jaffe and Angelo said, deliver important lessons on how to approach negotiations with insurers when taking out a cyber policy. Mondelez, for instance, demonstrates the need for explicitly excluding acts of cyber terrorism from an Act of War clause.
It’s important to understand what the policy covers before signing a contract, Angelo said.
“Pay attention to what you’re signing up for and work with them to see what you can negotiate.”
Finding Your Voice
A late-afternoon panel discussion focused on knowing how to speak up to “sell yourself in your career, business and life. Panelists advised attendees to find ways to communicate effectively, not only through public speaking but also through writing, video and audio recordings. A strong focus was placed on understanding what your audience wants and finding ways to deliver the content effectively.
“It’s more about the audience than it is about me when I give a talk,” said Keri Pearlson, Executive Director and Principal Investigator of Cybersecurity at the MIT Sloan School of Management’s research consortium. It’s important to listen so you can deliver the right message, she added.
Another panelist, Katzcy CEO Jessica Gulick, spoke about timing, giving out content in digestible pieces, and repeating information when necessary. Make the information relevant to your audience, and resist the temptation to make it about you, she said. “If you want it to be sticky, make it relatable. Give them a framework so that they can remember.”