
Recapping the Most Popular Sessions at Sec Talks

Understanding the Present and Future of Security

Security has always been a fast-moving field. In the age of COVID-19, things are only accelerating.

Last month we held a virtual conference, Sec Talks, where we invited some of the industry’s foremost thought leaders to talk about current and future challenges in the security landscape. We held sessions on GRC, product security, DevSecOps, planning for the future, and much more.

In this article we’ll recap some of the most popular sessions, including their most important takeaways. We have also included links to a full recording of each session.

“There are decades where nothing happens, and weeks where decades happen”

To kick the conference off, Cobalt’s Chief Strategy Officer Caroline Wong talked about how the COVID-19 pandemic has affected security teams and organizations. Caroline noted that security is primarily about protecting value in all its forms, and that in recent years value has shifted from the physical world into the digital realm.

Now, COVID-19 has forced us into ‘World 2.0’ — a term coined by economist Tyler Cowen. Some major changes in World 2.0 include:


Naturally, in World 2.0 the demands placed on security have evolved rapidly. To help security teams adapt and overcome adversity, Caroline explained the tactics she uses personally:

“Pay attention to what’s going on, zoom out to think about the big picture and what’s coming next, and humbly learn from people who are smarter than I am.”

To see Caroline’s introduction in full, watch below.

Opening Remarks: How to Overcome Adversity & Adapt to Change (recording on Vimeo).

Risk Management and Governance and Compliance, Oh My!


Next on the agenda was “GRC in the age of COVID-19.” Hosted by Cobalt’s Director of Security Ray Espinoza, the panel also included Dan Burke, Director of Third Party Risk Management at DocuSign, and Kim Lamoureux, Lead Security Analyst for Security Risk and Compliance at PlayStation.

The top 3 findings from the panel were as follows:

1. Remote working doesn’t harm GRC or risk identification… so long as existing controls are good.

Both Dan and Kim agreed the pandemic hasn’t significantly affected GRC or risk identification. Strong controls are effective regardless of whether the team is on site or off, and even remote audits can be conducted effectively. The panel did note that email is generally not a good communication tool, and that taking time for direct communication (e.g., via video conferencing) is essential.

The panel also highlighted the importance of strong relationships with technology owners and assessors, and noted that maintaining these relationships should be a priority — particularly when most people are working remotely.

2. Third party risk is a challenge… but it always was.

When it comes to assessing third party risk, working closely with the ‘owners’ of an external relationship is essential. Critically, these relationships must be in place in advance — now more than ever. You don’t want to be having the first conversation when something has already gone wrong.

However, as Kim Lamoureux noted, third party conversations have mainly been remote, anyway. Everything from completing questionnaires to understanding the controls of third parties can comfortably be done remotely — coordination between teams is still a challenge, but it always was!

3. COVID-19 has presented an opportunity to amplify risk management issues.

From a technology standpoint, not a huge amount has changed as a result of forced remote working. However, with so much emphasis on technology, now is an ideal time to raise the profile of essential activities like security awareness training, vulnerability management, and third party risk management.

These functions, which are particularly important at the moment, should be promoted internally to ensure they are properly funded and integrated into organizational culture.

To see the panel in full, watch the recording below.

Risk Management & Governance & Compliance, Oh My! (recording on Vimeo).

The State of Product Security

Product security is one of the fastest evolving security disciplines. At Sec Talks, we held a panel of four industry veterans to find out where product security currently stands and what the top challenges are. We’ve already published an article specifically on this panel, but here are three of the top takeaways:

1. Product security varies hugely depending on the product.

Depending on the customer (enterprise, SMB, consumer), the type of product (hardware, software), and the delivery model (SaaS, on-premises) product security can look completely different at every stage — from design through manufacturing, delivery, and maintenance.

2. Shifting left is about bringing visibility early.

‘Shifting left’ — where security testing is completed earlier in the product development lifecycle — has gained a lot of attention. However, as one of our panelists explained, a light touch is essential:

“When I think about shifting left, it’s about ‘how do we bring visibility early?’ It’s not about blocking somebody or slapping them on the hand early. It’s bringing visibility so they can make changes that will impact the security posture of the product early enough to make a difference.”

3. Understanding business and technical context is essential.

The days of security teams as ‘gatekeepers’ are over. Today, product security teams must work to understand the business and technical demands on product development, and focus on building credibility within the organization.

To see the panel in full, watch the recording below.

Where Product Security Fails & Wins (recording on Vimeo).

Quantifying DevSecOps

One of the most popular sessions from Sec Talks was given by Larry Maccherone, a distinguished expert on engineering, security, and DevSecOps. Delivered in the style of a pulp detective novel (seriously, watch the recording, you don’t want to miss this one!), Larry’s talk gave a full rundown on implementing DevSecOps to reduce cyber risk.

Top 3 learning points included:

1. DevSecOps maturity correlates tightly with cyber risk.

Larry has seen first-hand how cementing DevSecOps into the culture of hundreds of engineering teams has had a huge impact on cyber risk. After careful analysis, Larry has calculated that teams with high DevSecOps maturity have lowered cyber risk by as much as 85% compared to teams with low maturity.

DevSecOps Practice Maturity

2. Three things are required for DevSecOps implementation:

  • Win the hearts and minds of developers

  • Shallow team-level improvement ramp (not overwhelming)

  • Management visibility and goal setting

Larry emphasized that DevSecOps isn’t a quick fix for cyber risk. He advocates a slow approach to implementation, where engineering teams are encouraged to take ownership of secure development.

3. Improvement is a gradual path.

Larry splits DevSecOps into 45 subcategories, and scores each category on a five point maturity scale:

DevSecOps 45 subcategories and a five-point maturity scale

In a 90 day cycle, Larry encourages engineering teams to focus on just two DevSecOps subcategories and increase their maturity by one level. While this may seem a slow approach, Larry has found that it has a drastically better impact on engineering practice than traditional approaches. He has also had repeated feedback from engineering teams that they much prefer working with security in this way.

To see Larry’s presentation in full, watch the recording below.

Quantifying DevSecOps: The Impact of Software Security Adoption (recording on Vimeo).

Predicting (and Planning For) the Future


To conclude the conference, Daniel Miessler gave a talk on building resilience — both in cyber security and in our personal lives. Daniel gave a simple formula for how teams and individuals make decisions about how to act:

Cyber security teams: Goals + Situation → Action

Individuals: Self + Situation → Action

In other words, by knowing ourselves and understanding the current situation, we can make informed decisions.

However, as Daniel noted, most of us don’t know ourselves because we haven’t done the hard work of self-exploration. Similarly, most of us — as teams and individuals — haven’t fully mapped out all of the potential situations that could arise. As a result, it’s impossible for us to have sensible plans in place that are ready to implement when a situation arises.

This lack of planning means that every challenge becomes a potential ambush. This is debilitating for teams and individuals, damages real world results, and causes a lot of stress. To avoid these outcomes, Daniel recommends a simple process:

Step #1: Look at everything you’re currently doing and prioritize. For example:

  • Which activities would you cut if you had to?

  • What will you keep no matter what happens?

Step #2: Identify all the things that could happen. For example:

  • Budget cuts or increases

  • Forced remote working

  • A sudden rise or fall in demand for core products or services

Step #3: Create runbooks based on all of this.

Now that you understand yourself and have considered what might happen in the future, plan how you would respond to each situation. Note that it is — of course — impossible to identify every situation in advance. However, even when you can’t predict the specific circumstances, you can still plan how to respond to the resulting pressures.

This simple, three-step process creates resilience. And, as Daniel noted, this type of resilience is also the original meaning of security. In Latin, security literally means:

Or, as it was explained by Stoic philosophers like Marcus Aurelius and Seneca:

“We can’t control what happens to us, but we can control how we react to it.”

To see Daniel’s talk in full, watch the recording below.

Closing Remarks from Daniel Miessler (recording on Vimeo).

Interested in catching every session? You can check out our Vimeo Showcase here: Sec Talks 2020.
