Data Privacy Thought Leadership at 2024 RSA Conference – Session Recommendations & Companion Research

This week, Privacy Bee will attend the 2024 RSA Conference in San Francisco. There, the team joins cybersecurity leaders in deep-dive explorations of the critical role of data privacy in the ever-changing and rapidly evolving information security industry. This special report contains a curated selection of program presentations most relevant to data privacy and security which we feel are not to be missed if you’re attending RSAC. It also provides links to research materials from our own proprietary library that align with the programs we’ll identify as critical to fielding an effective defense against data breaches. If you can’t be in attendance in person, know that most of the sessions are recorded and will be available to view online. So, this document will be useful even after the event has concluded.

If data privacy is top of mind for your organization – and let’s be honest, it should be top of mind for EVERY organization these days – the following session selections and associated research will be of enormous value both during and following this week’s event.

For those not planning to attend, or unaware of the RSA, here’s what you need to know about it.  The RSAC focuses on the entire array of information and cybersecurity best practices developed by the world’s leading thinkers and practitioners.  This includes CIOs, CISOs and other InfoSec executives from top enterprise organizations, governmental bodies, academia, and security solution providers.  Billed as the premier series of global events and year-round learning for the cybersecurity community, RSAC is where the security industry converges to discuss current and future concerns and have access to the experts, unbiased content, and ideas that help enable individuals and companies advance their cybersecurity posture and build stronger and smarter teams.

RSAC is acknowledged as the ultimate marketplace for the latest technologies and hands-on educational opportunities that help industry professionals discover how to make their companies more secure while showcasing the most enterprising, influential, and thought-provoking thinkers and leaders in cybersecurity today.

Why Focus on External Data Security While at RSA?


The theme of this year’s event is “The Art of Possible”, which is especially salient when it comes to the newest frontier of cybersecurity – External Data Privacy (EDP). EDP management is critical to stemming the tsunami of Phishing and Social Engineering attacks, which have become the predominant avenue for hackers and threat actors mounting attacks against information systems worldwide. In 2022, Phishing and Social Engineering combined became the leading means of initial, unauthorized access to protected information systems, as the graphic from Palo Alto Networks’ Incident Response Report illustrates. Since then, these two attack vectors have only grown in popularity among hackers and threat actors.

As the threat and the associated security challenges behind it become clear, the scale and scope of the problem reveals the extent of the shortcomings of existing cybersecurity practices at mitigating the risk. Despite all the cost and efforts dedicated to contemporary cyber security disciplines, the ubiquity of unsecured external data makes preventing Phishing and Social Engineering attacks seem all but impossible.   

Even as organizations invest heavily into hardening security, systems breaches fueled by unsecured external data continue to occur daily, even within the most heavily fortified organizations. So, it is unsurprising that most attendees are exceedingly hungry for answers and solutions that fully and demonstrably address EDP challenges. This is perhaps why the “Privacy and Data Protection” track is among the top three or four session tracks at the event, which offers no fewer than fifty-eight planned sessions on the subject. More than Cloud Security, Cryptography, DevOps and Application Security, and other important topics, the 2024 RSA Conference offers a panoply of ideas, strategies and perspectives specifically trained on addressing this pressing issue.

As emerging thought leaders in the data privacy management field, Privacy Bee brings deep domain expertise to the event to share with the assembly.  While Privacy Bee is not presenting at this year’s event, our team is there to not only absorb the latest and greatest ideas and methodologies, but to also share the benefits of the extraordinary thought leadership this organization demonstrates regarding EDP. 

Without further introduction, here are the topics and tracks Privacy Bee recommends all attendees explore, as well as our own research supporting the specific subject matter covered in the recommended sessions.

The Evolution of Data Privacy Challenges and Rise of the New Attack Surface

Despite the daunting challenge it poses, managing and mitigating the threat of unsecured external data is not an impossible task. The first step in deploying EDP is recognizing the imperative of exerting controls over unsecured external data. This requires a fulsome awareness of the threat and how EDP truly represents a new front in the war on cyber-crime.

Too many assume EDP is something well-addressed by existing cybersecurity practices.   The reality is, Social Engineering, Spear Phishing and other similar variants are entirely novel and existing security processes are not effective at protecting any organization.  So, to understand how this new threat category came to be, it is worth studying a little bit of the history of data privacy’s evolution.  This first recommended session promises to deliver precisely that.

Privacy Past and Present: A Father-Daughter Look at Data Privacy Evolution features Ronald Sarian, Global CPO for Ingram Micro, joined by his daughter Caitlin Sarian, Founder of Cybersecurity Girl. A veteran privacy lawyer and a savvy data privacy consulting director explore today’s trends in privacy norms, strategies, and expectations. This session explores the foundations of compliance and privacy through to today’s complex privacy landscape, discussing the shifts in attitudes and unveiling key strategies for future-proofing privacy practices.

Where External Data Privacy and Cybersecurity Intersect

Companion Research from Privacy Bee for Business – White Paper: Where Data Privacy and Cybersecurity Intersect (and Don’t). This research provides a compelling timeline that explains how, when and why data privacy evolved from basic Network Security in the 1970s and 1980s, through Cloud Security in the 90s and 2000s, to become what it is today – external data privacy management.

Once it becomes clear that EDP represents a totally exposed flank, the failure of traditional cybersecurity and other InfoSec practices to defend against Social Engineering, Spear Phishing and similar attacks begins to make sense. The threat has evolved into a brand new attack surface existing beside the physical and digital. Control of External Data Privacy is the key to ensuring security for this new surface, as the next piece of research illustrates.

Companion Research from Privacy Bee for Business – White Paper: Your Newly Vulnerable Attack Surface and How to Reduce It

Shrink Your Attack Surface - Make it Difficult for Hackers to Find Entry via Social Engineering

How EDP Solutions Strengthen the Overall InfoSec Function of an Organization

If the previous sessions and companion research illustrate the reality of EDP and the emergence of a novel attack surface, then security professionals rightly turn their attention to how they can reduce the risk. Traditional cybersecurity measures don’t adequately address the threat of the Social Engineering Attack Surface and are routinely neutralized by unsecured external data used in Social Engineering, Spear Phishing and other similar attacks.  However, when applied as a prophylactic measure, the umbrella of EDP management works remarkably well to restore the efficacy of traditional Information Security and cybersecurity measures. 

That’s why the next session recommendation goes to the presentation by PwC’s manager of Cyber and Privacy, Kim Wuyts. Her session, titled “Shifting Privacy In: How Privacy and Security Can Strengthen Each Other”, examines how privacy can be a force multiplier for security. It also explores how privacy can be successfully integrated into security practices, such as threat modeling, while strengthening the security posture along the way.

In an era where privacy and data protection are paramount yet frequently overlooked, there’s a pressing need to integrate these considerations from the ground up. Bridging Theory and Practice of Privacy and Data Protection promises discussion of effective privacy and data protection measures and their real-world applications.  Attend to learn how to turn theoretical ideals into actionable strategies with facilitator, Elena Elkina, Co-Founder and Board Member of Women in Security & Privacy. 

Information Security Ecosystem and External Data Privacy

Companion Research from Privacy Bee for Business – White Paper: Cyber Security Isn’t Enough – The Information Security Ecosystem Dies Without External Data Privacy offers a holistic perspective on the information security ecosystem and argues that, by focusing on external data privacy, an organization can succeed at deploying a solution that works end-to-end. The research illustrates how to align all information security functions under one EDP blanket strategy, ensuring that all of the individual facets of security succeed.

The Importance of Supply Chain and Third-Party Vendor Privacy Management

Third-party vendor risk is another “hot topic” on the minds of security professionals in 2024.  Spikes in supply chain attacks leading to data breaches have exposed the vulnerability of information systems to exfiltration through the systems or products of third-party vendors.  Whether we’re talking about the software supply chain or the physical supply chain, allowing unsecured external data to persist provides an attractive intrusion point for hackers and other threat actors to slip malicious code past hardened defenses. 

In an era of application development that frequently relies on open-source code and heavy systems integrations to field powerful enterprise automation tech stacks, the provenance of software elements becomes a security concern, as do the EDP practices (or lack thereof) among the supply chain management partners with which an organization’s data systems are integrated. ERP, procurement and logistics software platforms are among the systems most often integrated with dozens or even hundreds of external suppliers, freight carriers, and other supply chain stakeholders. If these partners have weak or non-existent EDP security, they can be an attractive point of unauthorized entry for hackers and cybercriminals seeking access to protected information.

For these reasons, the industry has coined the term “Supply Chainpocalypse”, referring to the potential for a perfect storm of security failures derived from the supply chain.

Remaining Resilient in the Supply Chainpocalypse is the next session Privacy Bee recommends at RSAC.  Security executives Jignesh Joshi of Genentech, Larry Wiggins and Amit Chaudry of Cloudflare explore how threat actors are constantly attempting to find and exploit the least common denominator–often a blip in the software supply chain. While the business impact of a third-party vendor can be transformative, they simultaneously exacerbate the attack surface and pathways for threat actors. This session will explore five steps toward achieving resilience when it comes to assessing third party vendors.   It promises to be a great overview of the supply chain threat.

To protect the software supply chain, experts recommend deploying Software Bills of Materials or “SBOMs”.  Privacy Bee recommends learning about why and how to employ SBOMs at the following two RSAC sessions.

SBOMs: Navigating the Evolving Landscape of Software Bill of Materials is presented by Manoj Prasad, Security and Risk Manager for Aloft Inc. Prasad notes that SBOMs will become a standard requirement for all software, driven by government regulations in the US and the EU. While vendors provide tools for creating SBOMs, his session will shed light on the comprehensive implications that extend beyond creation, affecting both individual companies and the broader software industry. It will also speak about how cross-company dependencies will be managed.

SBOMs for Evil: From Software Supply Chain Documentation to an Attack Path, led by Larry Pesce, Product Security Research and Analysis Director for Finite State discusses SBOM basics, formats (CycloneDX, SPDX), and real-world use cases, such as compromising IoT devices or software applications through analysis of SBOM CVE-linked components.

From the physical supply chain perspective – the actual mechanisms for managing complex global logistics functions – Privacy Bee recommends auditing Logistics in the Crosshairs: What Could Go Wrong? US Air Force Brigadier General Chad Raduege is joined by Gentry Lane, CEO of ANOVA Intelligence, to emphasize the enduring priority of supply chain security. This session explores how recent developments provide adversaries with an advantage that can compromise the US’s ability to project power in wartime and force critical companies to shutter operations. It also addresses the vectors of opportunity and cascading effects that cyber sabotage poses to civil-military logistics and critical supply chains.

Companion Research from Privacy Bee for Business – White Paper: Supply Chain Attacks are On the Rise – A Primer on Supply Chain Privacy Risk provides data on the mushrooming number of supply chain attacks and explains the difference between vendor risk associated with software supply chains and those facing physical supply chain management. The paper provides some recent, real-world examples of supply chain attacks to provide practical examples of how these attacks occur. It also offers some prescriptive advice for how to fortify supply chains using SBOMs and how to extend your organization’s EDP management to cover your third-party vendors.

Third-Party Risk Management

Companion Research from Privacy Bee for Business – White Paper: The Shortcomings of Third-Party Risk Management and How to Get it Right for Your Organization contains research aimed at assessing the “as-is” state of third-party vendor risk management for cybersecurity.  It delivers real-world examples from the last five years wherein successful companies were victimized via attacks originating with their vendors/supply chains.  Learn about the correlation between the shortcomings of contemporary approaches to third party risk management and mitigation strategies and the resulting failures and what must be done to successfully mitigate this exigent risk.

Securing Cisco’s Supply Chain – Cyberattacks and Intellectual Property Loss is another interesting session to consider, as it focuses on the specific threat inherent in supply chain attacks – the potential for the theft of critical intellectual property. IP theft is one of the motivators of hackers often working for China and other global economic competitors. IP theft, according to the FBI, costs the US economy between $225 and $600 billion annually. Hosted by Sr. Information Security Architect for Cisco Systems, Aditya Verma, this session will address the challenge of safeguarding Cisco’s supply chain from cyberattacks and Intellectual Property (IP) loss. Cisco needs to share its most valuable IP assets with its 3rd party suppliers and contract manufacturers. Loss or exposure of these IP assets may lead to severe damage to Cisco’s revenue, customer confidence, and brand image, and to losing the competitive edge in the marketplace.

Companion Research from Privacy Bee for Business – White Paper: Industrial & Corporate Espionage – New Variants of an Old Problem and How to Protect Your IP examines how External Data Privacy ties into contemporary industrial and corporate espionage threats and explores ways to prevent organizations from being victimized.


Understanding the Enemy – Why Hackers Love Unsecured External Data

Today’s hackers and threat actors are not your father’s variety of bad guy. Many are state sponsored by hostile foreign governments. Others are driven by political or religious ideologies – hacktivists, if you will. And of course, there are the garden-variety thieves seeking to steal PII to resell on the dark web or to exact ransoms from victimized organizations. And they’re using unsecured external data to develop and deploy devious and highly effective social engineering attacks at accelerating rates. The application of AI and machine learning to these criminal strategies is making the risk, and the challenge of mitigating it, orders of magnitude more difficult.

As in any conflict, it is essential to understand one’s enemy.  How and why hackers target any given organization is the key to developing successful defenses against their intrusions. 

Hacker’s Perspective on Your Infrastructure: Lessons from the Field is a session Privacy Bee will definitely attend and suggests you do as well. Cybersecurity expert and CEO of CQUIRE Inc., Paula Januszkiewicz, details the risks threatening your security infrastructure and shares insight into the current modern attacks, credential theft techniques, and malware persistence methods that need to be confronted. Our colleagues from CrowdStrike, President Michael Sentonas and CEO George Kurtz, head up Hacking Exposed: Next-Generation Tactics, Techniques and Procedures. Their 2024 Hacking Exposed session will show attendees how adversaries continue to evolve their trade craft to remain nearly undetectable in an effort to bypass legacy defensive systems and achieve maximum impact and devastation.


Companion Research from Privacy Bee for Business – White Paper: How any Organization Looks in the Eyes of a Hacker – How to Avoid Being Seen as a Target illustrates what a target organization looks like through the eyes of a hacker or cybercriminal. The paper recounts the most notorious examples from the last year and the last decade and underscores the specific external data privacy vulnerabilities that made each breach successful for the criminal. Learn how Privacy Bee for Business identifies and eliminates those same attack vectors.

Postmortem Reviews and Consequences of Data Breaches

If the definition of insanity is doing the same thing over and over again, expecting different results, then the cybersecurity industry may be losing its collective mind when it comes to EDP and data breaches.  Despite the hundreds of billions spent on cybersecurity, data breaches continue to occur daily and without hindrance.  Adding to the pain of a breach are the devastating follow-on effects such as reputational damage and legal actions sponsored by those whose data is compromised. 

It is only by examining what went wrong in the aftermath of a failure that practitioners can learn how to avoid being victimized again. 

Avoiding Legal Landmines: A Review of Recent Cyber Cases promises a fast-paced interactive session on the leading cyber court cases from the past year. The session will identify the most important legal developments and their impact on firms and cyber professionals. Attendees will learn practical steps they can take now to minimize loss or liability in the future.

Another session offering the perspective of a post-breach organization, Ensuring Data Defensibility in an Era of Inevitable Breaches explains why preventing breaches is no longer sufficient and why data must be defensible, even after a compromise. This session explores how to expand your cybersecurity strategy, enabling you to control risk, recover quickly and safely, and ensure your data and business stand resilient against cyberattacks. Each entry in the ongoing series of cyberattack postmortems contains a profile of the victimized organization and a recap of key information about how the attack was committed.

Companion Research from Privacy Bee for Business

Privacy Bee for Business routinely performs detailed postmortem analyses of the largest and most high-profile data breaches, expressly to learn as much as possible about how these breaches happened and how to better protect against future ones. Here is a sampling of these insightful documents.

How Data Privacy Management Aids All Types of Organizations

Cybercrime is an equal opportunity threat.  The broad array of motivations compelling different threat actors sufficiently ensures that no matter what the size, composition, or nature of an organization, it is certain to be a target.  From the largest Fortune 100 enterprise to the small-to-mid-sized business enterprise or SMB market, no organization is safe from external data privacy risks.  The good news is that EDP management solutions from Privacy Bee for Business have all the necessary tools to protect organizations of all sizes.  Here are a couple of RSAC sessions aimed toward both the biggest players and the SMB market too!

AI Security & Privacy In the Enterprise, hosted by Hippocratic AI’s Chief Information Security Officer, Puneet Thapliyal, drills into how the growing usage of AI services in Enterprise organizations is complicating the challenges already associated with personnel training, awareness, governance and data loss prevention.

Why Enterprise-Level Attacks Happen to SMBs – and How to Stop Them looks at the rising threat through the lens of the SMB.  Executive Director of Threat Research, Douglas McKee of SonicWall explains why it’s impossible for CISOs to account for every risk, making prioritization crucial. News of AI, zero-days, and supply-chain dangers dominate the headlines and CISO mind space, but it’s difficult to determine how relevant they are to small businesses. This session will be an open discussion on why threat actors target SMBs and what threats need to be prioritized.

Whether a large enterprise or an SMB, the threats are real and EDP is crucial to development and deployment of successful defenses. 

Companion Research from Privacy Bee for Business – White Paper: Facts About Data Breaches and the Mid-Market helps SMB security practitioners gain understanding of the dynamics and challenges facing mid-market companies with respect to data privacy and information security.


Building Successful, “GRC-Ready” External Data Privacy Practices

The last series of session recommendations all share a common truth – Privacy Practices must no longer be considered an afterthought or something that falls under the aegis of existing cybersecurity principles. The fact is, the threats deriving from unsecured external data are distinct and different from anything the CIO or CISO has had to address previously.

Moreover, the public – both consumers and the investment markets – are growing more attuned to the need for privacy.  Government and financial regulations are becoming more important as the consequences for failure exact a grim toll.  For this reason, whether it is to comply with emerging state or federal regulations or to meet with the demands of investment capital requirements, organizations must articulate a clear and actionable strategy for Governance, Risk and Compliance as it pertains to data privacy and security.  Many large enterprises are even requiring strong privacy GRC as a prerequisite for awarding contracts through the procurement process.  This is a trend that will only continue. 

However, creating a new, detailed and comprehensive set of business rules to govern the emerging challenges associated with EDP can be daunting.  There aren’t many existing archetypes upon which to build these new GRC frameworks.  That is why we recommend attending the following sessions at RSAC, which all provide some insight into this process.

For publicly traded organizations the Chief Legal Officer and Sr. Director of Strategic Advisory Services from CrowdStrike are presenting SEC Rules on Cybersecurity: Materiality, Preparedness and Board Oversight.  Learn how SEC rules on cybersecurity and risk create new challenges for businesses and how to develop a robust strategy to comply with new disclosure rules should an incident occur. Join this session to increase your SEC cyber preparedness in 2024.

Similarly, Halock Security Labs CEO, Jim Mirochnik, leads a session covering how to establish appropriate Risk Governance. Attend Techniques to Evolve Risk Governance and Comply with SEC Cybersecurity Rule to determine if your program is legally defensible. Find out how to define a “clear line of acceptable risk”, how to clarify “total known risk” to your organization, and how to produce a roadmap that reduces risk to an acceptable level while justifying budget requests in business terms.

Measuring Your Successes (and Failures) to Manage Cybersecurity Risk offers some great information on how to derive the proper metrics and KPIs to effectively measure the effects of your risk-management processes.  This is critical to ensuring GRC efforts yield the desired results.  Led by Walter Williams, CISO for Monotype, the session helps attendees understand how to know if controls are being effective at managing risk in an information security organization. With few standards offering guidance on how to do this, the session delves into what makes a good metric, and how to use metrics to communicate risk management.

External Data Privacy Management Metrics and KPIs

Companion Research from Privacy Bee for Business – White Paper: External Data Privacy Metrics and KPIs – A How to Guide for Strong Compliance argues the imperative for strong metrics and associated KPIs for external data security, distilling widely accepted best practices for developing KPIs and metrics. Read to learn how to develop new (or extend existing) metrics and KPIs to effectively ensure compliance with data privacy and external data security laws as well as the emerging Governance, Risk and Compliance (GRC) requirements being adopted by industry leading organizations.

Epilogue

Privacy Bee for Business is honored to be spending this week with our esteemed colleagues and the leading minds in the industry at RSAC.  We hope this special report helps you get the most out of your time, particularly as it relates to the outsized role played by External Data Privacy in ensuring information and cyber security for your organization.

We hope the white paper resources and assets shared in this report provide value and perspective to you in your pursuit of greater security and overall business success.  And we invite you to peruse our extensive resource library containing dozens more white papers, articles, studies and more.

If you’d like to learn more about how Privacy Bee for Business can help your organization with highly effective and affordable solutions for External Data Privacy risk mitigation, please reach out to us today.  The platform offers a powerful array of innovative solutions, many of which were not even mentioned in this document.  We’d be pleased to share with you all the value and benefit we offer to organizations like yours.
