Friday, October 21, 2016

Cyber Security Month: Looking for Answers Part II?

NY Metro Joint Cyber Security Conference
I recently attended the Third Annual New York Metro Joint Cyber Security Conference, held in mid-town Manhattan.  Security conferences are now a dime a dozen, but this event is unique in that it is a collaborative effort developed by a consortium of eight leading security-, audit-, and risk-focused not-for-profit professional associations in the NY metropolitan area. Each organization brings its best to the table, creating a rare combination of expertise and diversity of talent.

There were many informative sessions – some standing room only – but some of the greatest value was in the interaction with the other professionals.  For example, in sessions, we learned that security professionals must adopt the language of Directors to be understood by a Board.  The Internet Security Alliance is even working on metrics for Boards to use in evaluating security risks and controls.  But, after all the talk of security maturity models, cyber risk management frameworks, and “cyber balance sheets,” CISOs (Chief Information Security Officers) will tell you that Boards still “just don’t get it” and don’t seem to be that interested.  Perhaps CISOs as a group aren’t very good at explaining how greater focus on preventing and mitigating cyber threats is in the self-interest of very diverse sets of Directors.  Maybe, despite approaching the problem with the best of business concepts and lingo, CISOs just don’t have influence with Directors.  (As one CISO put it, “formulas don’t work.  Relationships do.”) Or, perhaps it’s because, as one speaker put it, there is not a single instance of a cyber breach that has been demonstrated to have a material impact on a company.  In the end, the surprising takeaway may not be that CISOs are becoming more adept at speaking the language of the Board, but that some Boards are beginning to listen at all.
This sold-out event offered excellent, high-quality presentations with plenty of actionable content.  If you weren't able to attend, you can still benefit from the recordings of many of the sessions.  They are available at  Presentation slides may be found at I would highly recommend reviewing them.
And, don't forget to sign up early for next year's conference.  It's one of the best values in information security education that you'll find anywhere.  Follow and @NYMJCSC for details.

Phil Froehlich is Chief Operating Officer of Integris Security and a member (who listens) of the Executive Board of New York Metro InfraGard.
