On Trust: Stories from the Front Lines

Conference:  BlackHat USA 2019



The importance of organizational culture in cybersecurity and the need for action rather than just talk
  • Organizational culture plays a critical role in cybersecurity
  • Security is everyone's responsibility, not just the security team
  • The head of security should have the authority to influence the entire enterprise
  • Regular communication with the board of directors is essential
  • Economic incentives should be tied to security performance
  • Taking action is more important than just talking about security
  • The environment is becoming more challenging with increasing reliance on technology and data, and growing privacy concerns
  • An anecdote about a cyber attack on a nuclear weapons laboratory illustrates the need for proactive measures

The speaker shares a story about a cyber attack on a nuclear weapons laboratory in which the adversary penetrated the perimeter. The organization was able to monitor the attackers and learn from them, but eventually had to evict them because the risk had grown too great. Later, the speaker's peer at a different laboratory called for help: that laboratory had been attacked at exactly the same time, and the attackers had diverted resources from the first intrusion to amplify the second. The story illustrates the need for proactive measures in cybersecurity.


Time and again, we as consumers read about the latest significant data breach, and we feel a familiar disappointment. Disempowered, helpless, without recourse. Angry for being treated like a commodity. Frustrated that nothing's likely to change.

On the other side of the coin, as security practitioners and businesspeople, we have lost sight of our stakeholders' perspectives -- our customers, investors, regulators, and others affected by the success or failure of our work. We focus on specific items like strengthening controls and obtaining compliance certifications, but what we miss is that the single most damaging thing to many companies has been a loss of TRUST.

I’ll share my experiences leading the security programs of some of the world’s preeminent companies through times of great change – situations where their response to adversity or a growth opportunity colors their long-term reputation. We’ll explore how companies, like people, develop a character, and that a key determinant of that character is their approach to security and privacy. And we’ll see how this character can lead to, or away from, earning trust. Finally, we’ll consider several major industry happenings over the past few years as examples of companies who have successfully (and unsuccessfully) navigated times of transformative change.

It's clear that the pendulum is swinging toward giving consumers more control over their relationships with firms, with watershed changes like the so-called "right to be forgotten", the EU GDPR, and most recently the California Consumer Privacy Act. Firms have to act quickly and decisively to build trust with their stakeholders, or else face lost customer preference, strict regulation, and other business-leveling outcomes.

Security practitioners have a uniquely valuable role to play in leading and supporting a company’s ability to maintain trust. Come learn about the next evolution of security’s role in business and society, and practices you can take back to champion trust within your organization.


