This piece was originally published on Fortra’s blog.
Infosecurity Europe has closed its doors for another year. The aftermath of these events can be a strange time; still reeling from the chaos of the show floor and nursing feet unaccustomed to such intense use, it’s often difficult to make sense of everything we’ve learned. But, as the old adage goes, “when in doubt, write it out.” So, I thought I’d do just that. Without further ado, here are the key takeaways from my colleague, Donnie MacColl, and myself.
Changing Approaches in Awareness Training
It’s no secret that the industry has grown tired of one-size-fits-all, check-box security awareness training. While training initiatives such as these were initially worthwhile, the ever-evolving threat landscape has quickly rendered them obsolete. It’s been encouraging to hear more at this year’s Infosecurity Europe about organizations’ desire to invest in new approaches to security awareness training.
While traditional, phishing-focused security awareness training tools are still useful, it’s been great to hear so many discussions about making the shift to more holistic, role-based training. The fact is, everyone in an organization needs to be aware of all cybersecurity best practices, such as creating complex, unique passwords and implementing multi-factor authentication. Organizations are clearly going to make the effort to gamify training and increase engagement, which is also good to see.
Infrastructure Protection, Resilience, and Regulation
Another key talking point at this year’s Infosecurity Europe was the importance of infrastructure protection and how regulation – like the Digital Operational Resilience Act (DORA) – is driving the conversation around resilience.
We’re seeing organizations focusing more on understanding their environment’s risks and how to direct their resources to the most critical areas. At the Fortra stand this year, many clients and prospects have been asking us how our solutions will help them prioritize their threats, and we’ve been more than happy to oblige.
Similarly, we’re seeing a lot of organizations – particularly financial institutions – seeking to go further than what is required of them. Many people I spoke to expressed a desire to implement in-house penetration testing, continually scanning their environment so they don’t get any nasty surprises when they employ a third party come reporting time.
My colleague, Donnie MacColl, felt the same way:
“The conversation around resilience at this year’s conference is a clear indicator that organizations have accepted that mistakes will happen, and compromises will occur. However, we need to remember that it's easier to prevent an attack than fix it when it occurs. Vendors are showcasing a ton of new data-loss-prevention (DLP), managed detection and response, and automated solutions, suggesting that buyers are putting a lot of stock into solutions that help smaller security teams do more with less.”
On the topic of DLP and data classification, it’s worth noting that there has been a shift in perspectives. When organizations have attempted to classify data in the past, it wouldn't work because staff struggled to access important data. Now, however, the industry is focusing more on identifying the most sensitive data and protecting it accordingly, while less important data is subject to less stringent access controls.
Consolidation and Automation
As part of a panel discussion on digital transformation, David Cartwright, CISO at Santander International, made an interesting point: it’s better to use 100% of three security tools than 10% of ten security tools. Amidst market calls for consolidation, this really hit home.
The problem with the patchwork security stacks so many organizations have is that it’s very easy for vendors to pass the buck. If something goes wrong, instead of trying to fix it, they can simply blame another vendor, who blames another vendor, and on and on ad infinitum.
Similarly, as reporting requirements come thick and fast, security teams will have to spend an unnecessary amount of time consolidating results from across all their solutions. Seeking out vendors, like Fortra, who offer multiple solutions from under one roof is going to go a long way toward easing compliance headaches.
Automation has also been a key topic at this year’s Infosecurity Europe. Security teams are smaller, but the threats they face are greater; automated tools are the only way to fix this problem. Managed detection and response (MDR) solutions are also firmly in the spotlight – few organizations have the resources to continuously monitor their environments and respond to threats, so managed solutions are clearly the way forward.
All in all, it’s been a great three days. In an increasingly remote world, I always relish the opportunity to interact with my peers face-to-face, get a sense of where the industry is at, and catch up with old friends. I can’t wait until next year.