Highlights from Geneva Information Security Day, Spring 2018

dunnhumby
dunnhumby Science blog
5 min read · Jul 4, 2018

by Troy Cunningham

It’s been a few weeks since May 31st, which marked this year’s first session of Geneva Information Security Day, hosted by High-Tech Bridge (HTB). Since they’ve been successful in the past with their singular winter session, they’ve decided to try out doing two per year, and as expected it went well.

If you’re not familiar with Geneva Information Security Day, it’s an afternoon and evening of talks and panels with networking afterwards. Despite being hosted by a single vendor, the magic behind the event is that it’s not a vendor event. Besides HTB’s usual intro, nobody is trying to push a product, which is why I care about going to this event. The added bonus of it being hosted in Geneva is that you’ve got a mix of people from important and influential organisations across Europe, and the world — from police chiefs, to international banks, and global consultancy businesses.

The panels this year were:

  • Disrupting cybersecurity with AI and Machine Learning: myths and reality
  • First week with GDPR: sustaining cost-efficient compliance
  • How to enforce your GRC[1] strategy in the era of cloud and shadow IoT[2], which I was asked to moderate.

Keynote takeaways

Before the panel discussions began, Ian Glover, President of CREST, gave a short keynote speech. He did a remarkable job of setting the stage and context of the panels, and frankly managed to summarise many of the topics we were about to discuss.

He noted that big data, artificial intelligence, and machine learning are key to understanding the changes in the security landscape. With so much data in the public space, and the technology becoming more accessible, their use in both offense and defence is increasing more and more.

He also pointed out some interesting warnings about GDPR, which really stuck with me. He basically said that GDPR compliance can deflect the actual work of protection. What’s worse is that the current climate of compliance will make anyone who’s taken any kind of course, or is familiar with GDPR, look like they are experts in security. Some may be, but there’s no guarantee, and you don’t have to be a security expert to be a Data Protection Officer. It reminded me of last year’s GISD where it was said compliance is not security. I got the sense that compliance needs to focus far more on technical standards and technology.

With regards to IoT, Ian fired some shots at the industry, saying that we need to move to a place where we do better assurance on IoT devices. He suggested that we need to start issuing standards around this sector, and that of advanced consumer technology. How do we regulate things like Siri, or Google Assistant? What about AI and self-driving cars?

That spilled over into Ian’s comments on cloud technology overall, and perhaps a commentary on the “state of the world” when it comes to technology: Geneva, where this conference was held, is the namesake of international treaties and protocols for humanitarian treatment in times of war: the Geneva Conventions. Perhaps it’s time for some new cyber security and cyber warfare conventions.

Shock and awe: AI and Machine Learning panel

The panel discussion followed Ian’s introduction pretty faithfully, despite the fact that we didn’t discuss the contents with him at all. That’s generally a good sign, as it does show that there’s consensus within the industry on what’s important. They showed examples of some of the incredible advances in the space, such as video and audio manipulation so advanced (called Deepfake) that it’s nearly undetectable; and an interesting example of mind image capturing, using MRI.

In focusing on the security applications, the panel explored that the first benefits of AI and ML are in reducing the false positives and false negatives — but noted that we’re not quite there yet. Interestingly enough, the Head of UBS’s internal Red Team, Carlo Hopstaken, gave this simple advice: Machine Learning and advanced technology is great, but before going crazy with it, focus on basic security hygiene, and you’ll reap far greater rewards.

GDPR compliance isn’t a checklist

The GDPR panel was reasonably calm, despite the fact that the GDPR ship had just set sail a few days before. Some of the consultants on the panel served up some reassuring statistics that showed the vast majority of organisations (85% according to Capgemini) are not fully ready. Small businesses can be even worse. But that’s fine. GDPR compliance isn’t a checklist, as far as the panel was concerned — it’s a journey for all businesses.

Many on the panel shared my personal opinion that GDPR is actually a great opportunity to revise rules, processes and infrastructure. Overall, GDPR has happened, the law is in effect and nothing’s on fire. It doesn’t mean that some corporations won’t burn as a result, or that there isn’t a lot of work left undone, but at least everyone’s in the same boat.

Is the Cloud the only way forward?

I probably have the least notes on my own panel, on Cloud, GRC and IoT. The topic was broad (I wonder if HTB did that to me on purpose?) and the panel was 6 people! But we managed to touch on some key points nonetheless. One was a discussion around whether Cloud was really here to stay, and most seemed to think that it was inevitable that businesses adopt it fully. Pascal Buchner, ITS director at IATA, saw Cloud as the only way forward.

In trying to manage GRC around it, the panel’s advice (along with mine) centred on having the right people who understand the technology and the risks involved. In some ways, the Cloud is just another data centre in the sky, but in other ways it is the key to tapping into technologies like Machine Learning. There was also a warning about risk, and the complacency that can sometimes come with companies that onboard with Cloud providers. Both Rainer Rehm (ISC2 Chapter President in Germany, and Information Security Architect at MAN) and Spencer Young (Regional VP EMEA at Imperva) cautioned that you must do due diligence, question your cloud providers and ensure that your data is actually protected by your strategy.

Overall, the event was a great success, and I’m looking forward to the one coming up in September. If you get the chance, do sign up for it (generally announced on https://www.htbridge.com/GISD/), even if you’re not in the Geneva area. Talking shop during and after is what it’s all about for me, and I’m excited to see new faces from all over the world, and to continue participating in a meeting of minds.

[1] Governance, Risk & Compliance generally refers to business strategies around reducing overall risk to an organisation’s operations.

[2] Internet of Things broadly describes the huge variety of devices now connected to the internet, whether that be a webcam, a factory control system, a refrigerator or Amazon Echo (Alexa).
