We'll remember Dublin Tech Summit 2023 as a celebration of technology, innovation, and game-changing approaches to business. Among the many insights shared, those on cybersecurity are probably the most pressing today.
During the panel discussion "Cybersecurity, resilience & the latest trends in bad bot activity," opinion leaders including Ronan Murphy, Founder & Executive Chairman at Smarttech247, Jenni Perry, Associate Director of Cyber Risk at Aon, Yevgen Kotukh, Chief Application Security Engineer at JEVERA, Paulo Rodriguez, Head of International at Vanta, and others discussed the emerging issues in cybersecurity and how to withstand them.
In this Q&A article, you'll find a summary of the above panel discussion and learn:
What's the starting point for developing a security product
Each company chooses its own starting point based on its requirements and the cybersecurity challenges it faces. Business leaders, however, are rarely fully aware of this field's peculiarities, which makes the right decisions hard to reach, and a slow response to an incident can cost a company everything it has. That is why many businesses prefer to find a reliable contractor to set up and run these processes.
Organizations can be divided into three categories:
Those at the early stage of implementation. They are only starting out and need to build a robust action plan to address the obstacles they face.
Those at the early stage who are already doing their best to develop high-quality cybersecurity processes. They have a clear action plan, keep it up to date, and follow it.
Those fully in motion who seek best practices to make their cybersecurity program even better.
The first task for any business is to define which stage of the cybersecurity journey it is at. That is the key to setting priorities and acting on them.
What compulsory minimum should businesses implement for cybersecurity, and what metrics do they have to use?
Cybersecurity is crucial for every business regardless of scale and niche, and fast-growing companies need it most. The pace of their development forces them to revise their cybersecurity strategy constantly, since it's hard to predict what comes next: they need solutions immediately, and as soon as they have them, new circumstances arise.
Regarding metrics, companies should pay attention to risk tolerance and risk appetite to ensure timely responses.
"Two words that jumped into my head are tolerance and then appetite. Your risk appetite needs to align with your actual strategic objectives; they need to reflect back on the business. You have to tune in to give a good, clear message. It helps get enough time to respond if you see something: a blip or a trend. And, again, just to align it back to the appetite because the risk landscape is constantly changing. There are new tools, new threats coming on."
Jenni Perry, Associate Director of Cyber Risk at Aon
Does certification guarantee 100% security?
Certification is crucial for compliance and for a brand's reputation for strong security. But for most companies, it's just a way to show stakeholders that they can protect data, so compliance and security are not necessarily aligned. Strict regulation is what pulls them into alignment, since non-compliance carries risks of its own, from steep penalties to reputational damage.
"In many cases, you achieve compliance to tick a box, to keep an auditor happy, to potentially win a deal, and I would argue that there's often a disconnect between actual security and compliance. I believe they're becoming more aligned due to the regulatory mandates we're seeing and the punitive implications of the breaches that companies are experiencing, specifically around data theft and data exfiltration. It started off with GDPR from a European context, which was quickly followed by the California Consumer Privacy Act in the US."
Ronan Murphy, Founder & Executive Chairman at Smarttech247
Despite this confusion, businesses should decouple compliance from actual readiness for cybersecurity challenges. They should understand why governments introduce new regulations and prefer real action to demonstration. In some cases, companies are compliant yet lack a robust solution capable of covering their issues. The right order is to implement an effective cybersecurity program first and only then demonstrate the results (by obtaining another certification, etc.).
"I think we need to separate the fact that you're building a security program from the fact that you're demonstrating something to that compliance rate. We all know many laws that we can follow and check the box, but we are not fulfilling the purpose that the law is telling us to fulfill. Going from 'I have a good security program built, now I need to demonstrate it,' that's super easy. Going from 'Oh, I want to demonstrate something that I haven't built yet,' that's much more complicated."
Paulo Rodriguez, Head of International at Vanta
How Ukrainian companies withstand russian cyber attacks
Over the past year and a half, Ukraine has experienced hundreds of russian cyber attacks exploiting existing vulnerabilities in the public and private sectors. But Ukrainian businesses and government agencies have responded as a single unit, making it harder for the enemy to achieve its goals. The war and its extremely complex circumstances have forced us to achieve transparency and a proper distribution of responsibility in this field.
"The reality is showing us state, public, and private cooperation regarding how we can mitigate such risk. This cooperation also helps private sectors, commercial companies, and our clients cover risks, showing the right responses to incidents and flagging them to society. Transparency allows guys responsible for implementation to react in the very right way, ensuring responsibility to the management on the things that are going on with such incidents. It may also help management understand very clearly that it's not the responsibility of only cybersecurity officers anymore. Organizational, technical, and other ground changes are required for the company to respond to such incidents. It's an equal responsibility of every involved specialist."
Yevgen Kotukh, Chief Application Security Engineer at JEVERA
How to ensure cybersecurity with legacy software at hand
Of course, achieving a high level of cybersecurity without modern solutions is a tricky task. Still, businesses often can't get rid of legacy software because of the risks involved, its complexity, or a monolithic architecture; there are plenty of reasons. That does not mean they should stop building strategies and seeking solutions that cover their vulnerabilities. It's a must-have for every company that aims to protect its data and operate with confidence.
"We also need to prepare ourselves for a post-quantum era. It is a matter of all legacy systems, standards, data, and privacy practices we will use after it happens. There'll be many breaches and stories about how the data which is now confident enough will not be confident anymore. The suggestion here is starting to think about this because the companies which just operate with their public data and think they are secure enough - are not going to be secure anymore."
Yevgen Kotukh, Chief Application Security Engineer at JEVERA
Looking for a way to migrate from out-of-date software to robust cybersecurity products? Tell us about your idea to get a free consultation on modernizing your infrastructure while mitigating the associated risks.