One of CEO Joe Payne’s big themes in his opening keynote yesterday was storytelling. We’re dealing with an incredible pace of change in the IT and InfoSecurity worlds. While it’s easy to get lost in the “tech-speak” of change and risk, it can be incredibly helpful to focus on telling simple stories. Fittingly, Day Two of Evolution17 featured captivating keynote talks from two renowned storytellers: Jad Abumrad of Radiolab and Brian Krebs of KrebsOnSecurity.com. The two talks were perfect bookends to a fast-paced final day of Evolution17.
Jad Abumrad makes sense of uncertain times
Jad Abumrad, co-creator, host, and producer of Radiolab, Peabody Award winner, MacArthur “Genius Grant” recipient and one of the most widely acclaimed storytellers in our world today, kicked off Day Two. Jad’s overarching theme hit home for everyone here at Evolution17: How do you navigate risk and uncertainty? How do you keep moving forward, pushing through toward breakthroughs?
Jad began by relating the tumultuous media world to the constant change in the IT and InfoSecurity sector. “What used to be controlled now just feels like one, long, anxiety-inducing stream of improvisation,” he said. This ever-present uncertainty is actually what drives the unique structure of Radiolab. “We’ve created a story structure that mirrors life, that mirrors getting lost,” he explained. “When you’re in the middle of one of those ‘What?’ moments, how do you keep moving and not get stuck?” Jad then dove into his own approach to handling uncertainty, offering several insights we can all use in our daily work:
- Chasing the antelope—playing the odds: Jad gave two personal mantras that help him navigate uncertainty. First, “Chase the antelope.” Commit to the cause—not to finding the answer, but to asking the right questions. Come to terms with living in what fellow radio host Ira Glass calls “the Gap.” Know that you’re in good company: A Stanford study showed the most productive people constantly cycle between grand ambition and confidence and disappointment and self-doubt. Second, find a kind of Zen in following the odds. It’s important to know when to play it safe. But it’s also critical to find your opportunities to take big chances. Breakthroughs don’t come from business as usual.
- Understanding the Adjacent Possible: To help deal with the overwhelming choices we now have in our world, Jad brought up the Adjacent Possible, a term borrowed from evolutionary biology to describe the change possible at any given moment. “What move can I make that will open up something new?” he said. “It’s a way of dreaming big dreams but also acknowledging limits.” Jad stressed that it’s often difficult circumstances that force you to expand your sense of possibility—to find that new door to open. He urged that fear is often the driver of change.
- You’re not alone: “It is a hell of a lot easier [to handle risk and uncertainty] when you’re doing it with someone,” Jad concluded. This sentiment perfectly sums up the power and potential of an event like Evolution17. We’ve come together to share our experiences of risk and uncertainty. We’re asking big questions and finding our way through “the Gap” of our rapidly changing world. Most importantly, as we share and absorb others’ experiences, strategies and best practices, we’re gaining a greater understanding of our own Adjacent Possible—so we can keep moving forward, no matter what.
Brian Krebs: to stop the breaches, companies need to change their thinking
Who better to close Evolution17 than perhaps the foremost expert on enterprise data security breaches and cyberattacks? Brian Krebs first gained notoriety as a cybercrime reporter for the Washington Post, before starting KrebsOnSecurity.com, his blog that has an incredibly devoted worldwide following in the data security world and beyond. Brian started by sharing his personal approach to investigating breaches—one which shares a lot in common with Code42’s own approach: Working backwards from the data; letting the data tell the story of risk, threats and security incidents. A few great takeaways to share with everyone who missed this amazing talk:
- Our personal data isn’t secret—it shouldn’t be the key to our assets: “We tend to think of our static personal data as secret,” Brian said. In reality, this information is easily available for any adult in America. “We have no business using these static identifiers as credentials” that protect our personal or work assets. Yet, overwhelmingly, we do.
- Ransomware has made backup a hot topic—but they’re doing it all wrong: It’s taken a while, but the ransomware epidemic is finally getting companies to pay attention to their backup. However, Krebs pointed out that many companies are going about it all wrong. They’re using outdated backup mediums or trying to substitute file sync and share products like Google Drive to protect their most valuable corporate data. Prioritizing backup is great, but backing up to an insecure location arguably makes it easier for hackers to steal all your data.
- Most organizations don’t take security seriously because they’re afraid of what they’ll find: Brian did a great Morpheus impression as he likened serious data security to the red pill/blue pill scene from The Matrix. Most organizations “aren’t that curious because they’re afraid what they’re going to find,” he said. Instead, they take a check-the-box approach to data security, putting traditional tools in place that give the appearance of security, but leave far too many gaps. “If people were held as accountable for their data as they are for their kids,” he concluded, “a lot of executives would probably be in jail and their companies would be in protective custody.”
- Don’t forget about your partner networks: Brian’s answer to the question, “What’s the one thing we can do to improve security?”: Map your partner networks. He listed off several high-profile breaches, including Oracle and Target, where the cybercriminals got in through the “side door” of a partner network. Comprehensive partner network mapping is time-consuming and painful—but worth it.
- Fighting insider threat starts with understanding what “normal” looks like: Touching on one of the most popular security themes of Evolution17, Brian said he believes the biggest key to fighting insider threat is profiling your users. “You need to understand what’s normal and what’s a deviation from normal,” and you need the right tools to help you set that baseline and spot those anomalies.
Krebs’s 5 tips for a modern approach to data security
- Expect to be breached. Focus on rapid response. “Defending the perimeter is nice, but responding to breaches is the most important thing.”
- InfoSecurity shouldn’t report to IT. IT is focused on enabling and growing the business. InfoSec teams are the “no” people. If security reports to IT, warnings often go unheeded.
- It’s not “trust no one,” it’s “watch everyone.” “Profile your users and watch your partners.”
- Get rid of the data you don’t need and secure your backups. Backup is critically important, but insecure backups are a huge risk.
- Get the easy wins—secure what you have. Most organizations can eliminate most attacks “just by doing the daily blocking and tackling of maintaining your systems.” It’s not sexy, but it works.
Thank YOU for making Evolution17 a success
We ended Evolution17 with a great Q&A session with Brian and Joe Payne. It was a fitting close to a great event: We came, we shared, we learned and we leave a little more confident navigating our own world of risk and uncertainty—and pursuing our own big questions. A tremendous thank you to all those who attended. Your engagement, ideas and contributions made Evolution17 a great success.