Protiviti Associate Director Vince Dasta and manager Annmarie Rombalski attended the Financial Services Information Exchange and Analysis Center (FS-ISAC) Annual Summit last week in Orlando. In this podcast, they share some of the trends and takeaways they gathered from the event.
Kevin Donahue: Hello, this is Kevin Donahue, a senior director with the Protiviti Marketing Group. I’m pleased to be talking today with Vince Dasta and Annmarie Rombalski from Protiviti. Both of them are attending the Financial Services – Information Exchange and Analysis Center, or FS-ISAC, Annual Summit this week in Orlando, and I know they’ve been hearing a lot of interesting things from attendees and the sessions they’re attending, so I wanted to chat with them for a minute. Vince is an associate director and Annmarie is a manager, both with our Technology Consulting and Security and Privacy Group. Hey Annmarie, it’s great to speak with you today.
Annmarie Rombalski: Thanks, likewise.
Kevin Donahue: Vince, great to speak with you as well. Let me ask you first. We know there is a lot happening in the cyber security space/privacy space right now. What are some of the things you’re hearing from attendees of events, some of the things you’re taking away from the sessions you’re attending, that seem to be standing out for you?
Vince Dasta: Yes, absolutely. This year, I think it’s been a great conference, a lot of good speakers, a lot of good topics. I think this is a great information sharing forum that I know a lot of people really enjoy coming to, but a couple of the themes that I’d noticed, and something near and dear to my heart: operational resilience has been a topic that a number of people, both from the presenters and the attendees, have been very interested in.
I think as you look at the way that resilience is viewed in cyber security terms now, there’s a lot of growth and there’s a lot of interest because it’s becoming more and more mature, the day-to-day basics and the typical hygiene-type things are becoming somewhat solid and they’re looking to the recovery and the ability to be resilient to cyber events with the understanding that you can’t prevent everything from happening and that you have to have a solid plan in place to recover and be resilient when those things happen.
I know that it was covered in the keynotes yesterday, as well as by a number of speakers focused on the topic, which was really good. Really, I think very refreshing to hear. Also, on the changing attitudes that I see around risk quantification and actually measuring cyber security risk, I think that in years past, this has been somewhat new or potentially taboo and people were very skeptical of hearing it, but I attended several sessions focused on this that were standing room only. It came up in the keynote by Michael Roytman from Kenna Security talking about how to quantify cyber risk.
Now I think there’s a huge amount of interest in the topic as the practices and the methodologies and the mechanisms to do that are becoming more mainstream. I know that in conversations that I’ve had with other attendees that people are interested in understanding how this works. If you look at the formation analogy that a lot of companies are in that storming phase right now where they’re trying things or trying to figure things out. They’re sharing that information which is something that two years ago would have been unheard of. You have companies actually sharing the results of their risk analyses and talking about the assessments they’re doing and sharing the results of that which I think is great and it really hits to the mission of the ISACs in general, and I think there’s a lot of openness on the cyber security side that just didn’t used to be there, which is very refreshing.
Kevin Donahue: Thanks, Vince. Those are some great insights. Annmarie, let me ask you – I know you’re probably hearing the same things, but what are some of your thoughts on the key challenges some of the organizations are facing today and how they’re being discussed at the event this week?
Annmarie Rombalski: Yes, I would definitely echo some of the comments that Vince made around cyber. It does really sound like that’s something that’s top-of-mind. We attended three separate sessions where that was brought up and like he said, very well-attended and people had a lot of questions about the applicability of bringing that into their organizations, but it also seems like people are very interested in understanding how to make the best estimates when it comes to the different inputs that go into your risk management program, so automating and using source data for the different types of threat actors and the magnitude of those threats and just making sure that that’s not coming from someone on the risk assessment team making some estimates but it’s actually coming from a source that they can trust and it’s more consistent and accurate. So I definitely think that that was top-of-mind.
Also, in almost every session I was in, people had questions around staffing and how the organization handles risk management within their organization structure so people were interested in seeing, “Does this fall under the enterprise risk management group? How does security play into that? How does threat management and security operations participate in the risk management process?” That was a question that came up a lot and everybody had a different answer which just really highlights how cross-functional doing risk management from a cyber perspective really is.
Vince Dasta: Yes. I’d echo on that as well. I think the organizational changes that are driving a lot of this discussion are very interesting and I’ve been seeing this for the last couple of years now that the response that companies initially started with when cyber security became very highly regulated, especially in the financial services side, was to throw bodies at the problem. I think a couple of years in, now organizations are realizing that’s not sustainable. You can’t just keep hiring people and keep growing the team. You have to be more disciplined about it and you have to understand that cyber security is a risk management problem as much as it is a technology problem and you have to understand that and adopt those types of models and methods and things like that from enterprise risk management. It’s not just an IT issue or it’s not just a technical problem, and you have to be smarter if you’re going to be able to sustain the operations like that but you can’t just keep throwing resources at it because boards are getting fatigued.
There was a great conversation in a panel around that very topic that boards are getting fatigued with companies coming just asking for more and more money without being able to show how that’s being applied, and what the strategy is, and how they’re actually going to reduce risk of cyber security events occurring. I think that Annmarie had a great point about the organization and CISOs are trying to figure out how to align their teams to be enablers rather than just resource hogs that are growing without showing results.
Kevin Donahue: Annmarie and Vince, thanks very much for joining me today. I really appreciate your insights into some of the things you’re hearing about this week, and certainly, these are issues that are going to carry through for organizations for likely years to come. For those in our audience interested in additional information, please visit the Protiviti website. You can see our Technology Consulting section. We have a wealth of thought leadership and research around various security and privacy issues, the very ones that are being discussed at this event.