ISMG Editors: Infosecurity Europe Conference 2024 Wrap-Up
Panelists Discuss Latest Updates on AI Tech, Cyber Resilience and Regulations
Anna Delaney (annamadeline) • June 7, 2024
Live from Infosecurity Europe Conference 2024 in London, Information Security Media Group editors and special guest CISO Ian Thornton-Trump close the event by discussing key topics including progress on AI-based cybersecurity solutions, efforts to help organizations boost resilience, and the looming specter of new regulations.
The panelists - Thornton-Trump, Cyjax CISO and a CyberEdBoard member; Anna Delaney, director of productions, ISMG; and Mathew Schwartz, executive editor, DataBreachToday and Europe, ISMG - discussed:
- The maturity of emerging generative AI tools for cybersecurity and how to manage risks associated with AI;
- The growing adoption of multifactor authentication and the role it can play in defending sensitive data;
- Strategies for preparing for a host of new regulations under consideration by government agencies worldwide.
Check out ISMG's sites for video interviews and articles about news from the conference. Visit the Infosecurity Europe page for details.
Transcript
This transcript has been edited and refined for clarity.
Anna Delaney: Welcome to the ISMG Editors' Panel, live on the final day of InfoSec Europe 2024. I'm Anna Delaney. I'm joined by my colleague Mathew Schwartz and Ian Thornton-Trump, special guest, CyberEdBoard member, CISO at Cyjax. Thank you for joining us Ian.
Ian Thornton-Trump: It's my absolute pleasure. I said I was going to be the noneditorial person on the panel of editors.
Delaney: You're always welcome on our panel, and we're so lucky to have you. So how was it? We made it.
Trump: It had a great vibe. I have to say, especially on the first couple of days, the traffic was busy, the show was busy. There's a number of key kind of themes that came out of it. Of course, sort of the one is the tongue in cheek, AI everywhere. But there were some other interesting things going on. I'm seeing a lot of smaller businesses trying to get noticed. We see some of the big players in the industry contributing as well. But the big story is about the £20,000 that was raised for the National Child Protection Agency at the Pen Test Partners over two days, cyber house party and RADs coming together. It was just a great, euphoric moment to have the community sort of put away their grievances, put away the grudges and just celebrate the awesomeness of information security.
Delaney: Fantastic achievement. So how's the generative AI discussion changed since last year? What do you think?
Trump: It’s getting more mature, but it's by no means like I'm going to see it ready. It's baking in the oven right now. I saw some folks that have a good strategy, but maybe they haven't figured out how to put it into the product in a way that makes business value as opposed to security value sense, because the language that we need to speak, and it's sort of universally recognized, is we need to start thinking about business and less about the actual security tool that everybody here is trying to sell us. And that story about how you can go in and say, we're looking at this product that has AI to help us defend the business against threats that we know are like either national critical infrastructure or just their business operations, and there's a potential for loss there.
Delaney: Yeah. Excellent! Mat, you spoke to lots of people, as did I, but any standout today or yesterday?
Mathew Schwartz: Yeah definitely. I had a wonderful discussion with the head of the Cyber Resilience Centre for Wales, with a cybersecurity focus. Great discussion just about the outreach that they're doing, trying to up everybody's game from them, from CISA, from the National Cybersecurity Center, not here at the moment, because we're in the election period. We're hearing about MFA. We did a lot of interviews. You don't need to have MFA everywhere. I mean, eventually, yes, but just get started. That one little bite of the elephant, we'll get there. But just try to do better, because we're still seeing so much in the way of cybercrime, especially ransomware, but also business email compromise, getting the easy stuff opportunistically. I know we've been hearing that for years, but great to hear that get focused on. One other interview that I would highlight as well was with the CISO and CSO of Virgin Media O2 - Stuart Seymour; it was great. He was speaking here at InfoSec Europe about crisis management. And the great Mike Tyson quote, "Everyone's got a plan till they get punched in the face." So he has a military background and was just talking about, anytime you think there's something wrong, stand up your crisis management response. A lot of people don't want to do that. They think they've done something wrong. He said, it's the opposite. Get in there. If it's not a problem, stand down. If it still is a problem, you've responded. And it's good to have that level of psychological readiness being discussed when it comes to cybersecurity, because the quicker you get out there, the better off everything turns out to be.
Trump: I want to go back to MFA for a moment, because the game has changed. Fundamentally, if your product doesn't support MFA, you're going to have a tough time selling that product in the market today given the threat landscape. And it does kind of send the message, we don't care about the customer data. Now, making it optional and making it something that the customer has to turn on, it's debatable as to whose side of the fence that's on, and sure, the customer can make an informed decision maybe, but mandatory MFA after you've sold $1 or have deployed something that is not ephemeral, that is going to be part of the infrastructure. We potentially need the legislation that says, turn it the hell on. After you've taken a dollar, turn it on, because if the customer isn't informed about the threat, maybe you have to act on behalf of that customer to retain the customer.
Schwartz: Yeah, great.
Delaney: And what sort of conversations surface in terms of the geopolitical landscape, the threat landscape there? I know you've got some thoughts on that.
Trump: It's so nice to hear about it. The big news story is law enforcement that has some fantastic wins, and we started looking at the cyber underground and what effect it has had. It's interesting. We're seeing ransomware groups that are reinventing themselves, reorganizing, clearing out this sort of old, open-source information that we may have regarding those personas and people, and they're coming back at a ferocious level. We've seen some big data breaches. Data breaches that remind me of the early days where millions of records were dumped from Yahoo and some of the biggest you know names in the business. And you know what, in the wake of the Ticketmaster data breach, which is truly horrifying for its potential impact on election disinformation, voter suppression and other things, we're into that paradigm again where we're seeing big data breaches and patient zero - that one was MFA or the lack of it.
Schwartz: Blackout.
Trump: Yeah.
Delaney: I heard a lot about regulation because there's NIST 2.0, there's DORA and how organizations are frantically trying to prepare if they haven't already. And a lot of legal advice here saying we know it's complex but here's how to prioritize. So lovely conversations around that. Loved my conversation with Jonathan Armstrong, who is a lawyer as well. What can we learn from the British Post Office scandal, which of course impacted over 700 people falsely accused of theft and fraud because of a new IT system. Loved his insights on the legal and ethical perspectives there and what can we learn. So brilliant conversations.
Trump: There are three things that come out of this, which is it will come back to haunt you. So once it goes into the legal realm, where there's discovery and where there's the ability of the government to find the documents that they need to refer to in order to figure out what the heck went wrong. That's a big part of the story. The other part of the story is that the vendor-supplier relationship needs to be well defined. You can't have a situation where the vendor is saying x and the consumer is saying y, because that's an area that just falls apart completely. And then finally, as information security professionals, we're going to have to prove the case that the computer could be wrong under certain circumstances. In British law, the big thing was the computer was accepted as being truth. And now we've clearly seen that computers are not always right, and they may do some crazy things, which brings us to the AI story about crazy things and how we're turning loose to technology that we don't know what it's actually going to do. We know it's going to do some things, and we're hoping right now that it does good things, but hope isn't the plan. So going back to the other story that Mathew was following about resiliency. We're going to have to look at what that looks like from when your AI goes bonkers and angers a whole bunch of your customers.
Delaney: Love that you put in bonkers. That's one of my favorite words. What about the feel on the floor this year in terms of other years? You've been here for many.
Schwartz: I'll flashback to the previous Infosecurity Europe. They were held at the Olympia, for example, which would turn into kind of a sweltering environment, agricultural hall, beautiful tour of the Eiffel Tower era, iron and glass, even on a cold London day would get very balmy. So, venue upgrade, here at the ExCeL, I wasn't here last year, but I have to say, compared to my previous years, the buzz is remarkable. Tuesday, hopping. Wednesday, you could hardly move on the show floor, and excellent parties afterwards. Thursday, still a strong buzz. A lot of the halls with the lectures, the presentations, are completely full today. So I would say it's been a very good event.
Trump: Day 3 is usually a hard slog. Everybody has been out the night before, perhaps having one or two beverages, perhaps spending some of the very generous bar tab that Pen Test Partners provided. But I will say you're right about the buzz. You're also right about the engagement. I see a lot of people here that aren't just security people. I've seen CEOs, CFOs, all the C-suites here. This is part of one of the fundamental observations I had in that the color scheme. So it's not the garish kind of like AlienVault, like yellow and black sprayed everywhere.
Schwartz: Hyper green.
Trump: Yeah, or hyper green. It's more business friendly and less scary. And that's important, because, again, who is signing the checks of the CISO? It's the CFO or the CIO. Everybody's got a boss somewhere, and in order to spend your budget, you got to convince them that it's the right business move.
Delaney: What about swag this year? Collect any freebies on the floor?
Trump: I tend to not do that. But I looked at some of the options that they have. I mean, you've got the lovely Government of Canada here hawking their new wares that they want to bring to the market. They've got some great swag over there. I find swag as an excuse to have a conversation, and I never have a problem having a conversation.
Schwartz: I'll step into this swag vacuum that's been created here. There's a great little arcade - Cisco is sponsoring that with some old arcade games. So I had a little turn of the Donkey Kong and the Galaga, which was good fun. There's been some excellent flat whites. I won't name names, but a lot of baristas here this year, which is interesting. There's a crux stand, which I have not had the opportunity to partake in, but the queues have been substantial for that. I've seen your usual bouncy balls, your glowing green swords, that sort of thing. But there's been a real focus on food this year.
Delaney: Yes, got to fuel your punters. So one word to describe the event in essence Mat?
Schwartz: Successful.
Delaney: I'm going to say it's friendly. I love bumping into people and say, “I haven't seen you for a year,” and it's amazing.
Trump: I was meeting people right in the hallway just coming in, and we hadn't seen each other in years, and it was a great catch-up. This is like a community gathering. But of course, part of that community is our vendors. And everybody here is focused on protecting businesses, and that's a great mission that has value. How good they sell it comes down to how skilled the staff is.
Delaney: Well Ian, it's been such a pleasure and a great crack as they say.
Schwartz: Honorary editor on the Editors' Panel.
Trump: Amazing! Thank you! Deeply honored guys. Deeply honored.
Delaney: Thank you Mat.
Schwartz: Thanks Anna.
Delaney: Thank you so much for watching. For ISMG, I am Anna Delaney.