
And the next speaker is Grigorios Fragkos, who is responsible for the cyber defense and advisory services at Digital14. Greg is also the vCISO for Expo 2020 in Dubai, which is the World Expo for 2020 and will also take place in 2021. On his vast curriculum, Greg has also assisted ENISA as a network and information security expert, organized BSides events in Athens and Amsterdam, and has been helping companies around the world, sharing his experience and expertise and ensuring security in multiple sectors such as banking, payments, maritime, defense and space. Today Greg is going to launch a challenge to rethink cybersecurity in evolutionary terms. Greg, hello, can you hear me?

Yes, excellent. Thank you so much. Hello to everyone.
It is a pleasure to be part of the first Security BSides virtual conference. I wish it were possible for us all to be together, but hopefully next year we will manage to do this. Everything is going well, I see, and I hope everyone is having an amazing time; I've seen some very good presentations up to this point. So regarding my presentation: it's a little bit more lightweight compared to the technical stuff, but it covers a lot of it. From my technical background it covers a lot of the technical issues: how do you evolve and how do you manage the risk in the real world.

So, as the world right now, with the pandemic for example, has taken several steps to protect against this unprecedented global pandemic, I would like to reflect on the initiative that we as cybersecurity professionals need to both consider and act upon, taking under consideration the way cybersecurity and cyber threats actually evolve. Thank you for the introduction, so I don't have to go through this. My name is Grigorios Fragkos; I hope "bem-vindo" is the right way to say it. So this presentation is both a holistic view of cybersecurity under a cyber lens, based on hands-on experience, and at the same time a provocation, food for thought around our own cybersecurity mindset, for us and everyone watching right now. In other words, the presentation is intended, in a way, to spark a eureka moment for everyone personally in the mindset that they have around security, as we take this journey to reinvent, in a sense, realign or fine-tune the way that we think about security.

Let me discuss this a little bit. So I had this slide here and I was trying to decide whether to put it in or not. The best way to do this is to have a brief introduction around what cybersecurity culture is and illustrate how and in what way mindset is a core element of a cyber
security culture. For those who are not familiar, the cybersecurity culture of organizations refers to the knowledge, beliefs, perceptions, attitudes, assumptions, norms and values of people regarding cybersecurity and how they manifest in people's behavior with information technology. In other words, cybersecurity culture is about making information security considerations an integral part of employees' job, habits and conduct, and embedding them into their day-to-day actions. This definition, in a sense, comes from ENISA's cybersecurity culture work, which has been published and which you can find on the website. However, despite how descriptive this might be as a definition of what cybersecurity culture actually is, for the purpose of this presentation I want you to visualize and place mindset, which is the key keyword in this case, as part of the 3M in cybersecurity culture. Of course I have here mentality, mindset and maturity, but I want to focus on the middle layer. Mindset is the way we tend to perceive, think, interact and behave as part of our own environment, the cybersecurity culture.

I use the word environment because there are numerous everyday examples of different environments, digital or otherwise, where you are expected to engage your own security mindset. For personal tasks, you're using security in everyday life: for example setting up your own laptop, and handling or storing personal sensitive information in the different digital assets that you might have. You are embracing the use of smart technology; you might have Alexa or Google, whatever it's called, smart personal assistants. So whatever you do, that's the point: you need to build a mindset on what security in modern terms is, in evolved terms, while using third-party devices or doing trivial tasks, such as when you go to the bank and you need to use a tablet: what kind of information do you put into this tablet, and whose tablet is it, is it the bank's? You're paying in a restaurant on a point-of-sale device: is that actually the device that belongs to this shop, or did someone replace it with something else? So there are so many things around security that we need to build the mindset around in order to tackle the emerging threats nowadays. All these aforementioned actions have slowly become, over time, part of our everyday lives, and we're all part of the evolution of digital ecosystems, and each one of us plays a different role.

So I have here the Red Queen hypothesis. The Red Queen hypothesis, which is also referred to as the Red Queen effect, is an evolutionary hypothesis which proposes that organisms must constantly adapt, evolve and proliferate, not merely to gain a reproductive advantage but also simply to survive while pitted against ever-evolving rival organisms in a continuously
changing environment. In Lewis Carroll's sequel to Alice in Wonderland, Through the Looking-Glass, the Red Queen explains to Alice the nature of the land at the top of the hill. For those who have seen it: the Red Queen begins to run and Alice begins to chase after her. Alice starts to look very confused by the fact that even though they are running, and they seem to be running after each other, they are staying in exactly the same place. So Alice asks the Queen why this is happening, and the Red Queen responds: "Now, here, you see, it takes all the running you can do to keep in the same place." This particular message is an excellent example of how we should be thinking about the evolution of cybersecurity today. As cyber threats evolve, we need to be in a position to equally evolve; otherwise we simply keep running just to stay in the same place. And I hope this is clear enough as a message to the audience. As the threat landscape is constantly changing, shaping itself, altering, in other words evolving, we need to keep in mind, and of course build a relevant mindset around, the fact that we need to constantly counter-evolve in order to adequately defend against these evolving threats.

In order to do that, we need to start discussing the factors that affect, and in many cases define, our cybersecurity evolution capabilities and perception. In these slides we can go through a journey of key points, where I could go into each one of them in much more detail, but I'll try to keep it as brief as possible for the purpose of the presentation.

So first of all we have business needs. Understanding business needs as we evolve in how we perceive cybersecurity is something that is so crucial, but it is not often taken under consideration as we plan, and we don't see it taken under consideration within the cybersecurity strategy of organizations or the tactics that will usually defend against threats. We tend to discuss several examples of how to manage the
risks, while we lack in contextualizing the actual business needs and how this should redefine our risk management approach, and I will come back to this at the end.

Another factor, in the next slide, is asking difficult questions, and what I mean by that is questions like: how do we evolve from a static approach to dynamic solutions? Questions like: what is currently the management's commitment, including their understanding of cybersecurity? So the leadership in organizations, do they understand it or not? These are very difficult questions, and a lot of people are afraid to ask their management or their leaders whether they actually understand cybersecurity from different perspectives. What is the cybersecurity culture across different business units, and especially in the relationship between IT and information security: do they have a clear understanding of their roles and responsibilities? How good are the existing vendor solutions that are being used in organizations, do they cooperate with each other, and have we measured how well these solutions perform given the context of the organization they are protecting? What are the acceptable security-related key performance indicators? So these are difficult questions that everybody avoids asking when you are facing risks and threats, and of course there are several other questions related to cybersecurity for all the different verticals within an organization, which includes even the HR or the legal departments, even facilities at the end of the day. But again, I could go into these slides in so much detail, but I'm going to keep it very brief for the sake of the presentation and the time that we have available.

Something that the audience definitely cares about is companies that talk about hiring talent. In the past few years, hiring talent has been a key focus for many organizations; however, do we really see HR departments assessing, adapting and redefining their hiring processes in order to be able to shortlist, identify, interview and eventually hire talent? In my experience, and I'm trying to fix this as much as I can when I have the opportunity, it does not happen as often as we are led to believe.

Which then brings us to the next point, where we are discussing security community. Building and supporting a strong security community, like Security BSides events, CTFs, knowledge sessions, bug bounties, webinars, specialized trainings, allows us not only to keep abreast of evolving threats but also to counter-evolve against evolving cyber threats by sharing ideas and knowledge. That's the only way to be able to defend against something that we don't know is coming.

All this brings us to the next point, where we take all of the aforementioned points in order to accept how the threat
landscape has evolved and will evolve beyond our current capabilities. This is something that will happen anyway, whether we want it or not; as we said earlier on, using the Red Queen's words, it is a race and we need to keep moving and counter-evolving with everything that is happening. There is no one solution that fits all, obviously, and no one knows everything, as was mentioned earlier on during the session. This is where I would like to paraphrase a historical saying: the CISO has died, long live the Chief Cyber Security Officer. What I mean by that is simply to distinguish between the old Chief Information Security Officer mindset and the new cybersecurity-focused CISO mindset, which has very specific responsibilities and understandings in the era of fast-evolving cyber threats, where you have to include insider threats, how to communicate both upwards and downwards in an organization, understand current and technical initiatives, even be familiar with cybersecurity financials in the modern world.

And then we move on to staying up to date. Staying up to date goes beyond the confines of updating and upgrading systems; nowadays this means knowing what the latest research and advisories are regarding the threats related to the context of the organization you are protecting. Speak and collaborate with universities to get inputs, for example, because this is where the research is happening, and use up-to-date, state-of-the-art research in order to answer difficult questions like the ones that we posed earlier on. Use current technology and services which provide more than tools, and which can be used in different ways; even Twitter, for those who don't know, can be used as a threat intelligence gathering tool if it is done right. For those who don't have a Twitter account, for example, I would recommend going and creating one, but instead of trying to follow celebrities and rock stars, I don't know, whatever is everybody's cup of tea at the end of the day, try to follow a group of accounts related to information security: security news, security blogs, renowned security professionals, security researchers, the speakers of this conference, the colleagues in the area, industry or sector that you are working in. All that will help you build a community, a small community which will be more relevant to you; it will create your own network of real-time information input regarding what you care about most, and you're going to be staying up to date with the latest developments in cybersecurity in general, or even interact with all these professionals in real time around the world.

Moving along: zero to hero and hero to zero. This particular one refers to the understanding and early planning of what you need to do in order to constantly develop your security career and become the hero of the work you do,
which may include a university degree, certifications and specialized training. Of course, build the right mindset with strong foundations, to steer away from being in a position in the future of having to defend a house of cards instead of having a solid and robust architecture. And this again is a big, big thing to be discussed in detail as we move along with the different stuff that is happening in security nowadays.

Now we jump back to security mindset, which I've already discussed, but we only had the opportunity to mention it at a high level, so allow me at this point to take this opportunity to emphasize that every one of you should take pride in doing security properly. Be respectful and open-minded and try to share ideas when you are in a working environment; make sure that you communicate and don't work in silos. Listen to justified facts, and this is very important when you want to evolve within cybersecurity: don't just adopt ideas or opinions from people who haven't justified why they're saying something. Remember, of course, that there is no silver bullet when it comes to security, obviously, and always question bold, unjustified statements. For example: "our solution is using AI and machine learning to detect threats." Okay, explain the technology; it's not just a statement, and try to learn more about it. Or, I've seen this, and this is again a big debate: someone said you don't need a university degree to work in security. Yes or no? Certifications and degrees have different purposes, but the person who was saying this at that point in time was actually selling training sessions. So if you're selling training sessions, it shouldn't be coming from you; it should be coming from people who can justify it. I would like to hear the experts in the field trying to justify this.

Moving along, we have educate, network and participate, and this is the only way to stay current in cybersecurity and emerging cyber threats. The field of computer science, and more specifically anything that is related to computer and information security, has evolved into a massive field of study, and the only way to stay on top of all this is to go to conferences, participate in discussions and educate yourselves further. I'm not going to discuss this further in this case because I want to give a little more time to talk about ethics, because very few people actually touch upon this subject.

Moving on to ethics, which is one of my favorite fields, to be honest, especially when it comes to computers and security. I was personally lucky enough to have a specific module when I was at university, during my software engineering degree, that allowed me to discuss and understand ethics and an ethical mindset. As cybersecurity professionals we have the knowledge and capability to do great
good, especially when it comes to defending and protecting digital ecosystems. The ethics and morals behind your security mindset are what separate you from cyber criminals and people who do harm in order to have personal gain. There are a few people who have been convicted for computer crimes that most of you have probably heard of. Unfortunately, our generation has confused thinking out of the box and ethical hacking with criminal activities, and within that confusion ex-convicts have seized the opportunity to become known to the general public, as the media invest in selling more, basically, when talking about the next convicted malicious hacker, instead of trying to promote all these people like yourselves, like the speakers that I've watched since the beginning of this conference. We talked about fingerprinting, scanning, how we can do it. These people did not do it because they want to go and rob a bank; they did it because they want to defend that bank, they want to make sure that they ring the bell and the process, the technology, the sensors become better. These are the people that I admire, and I want the media to promote these people, and that's why I have ethics in this matrix of tiles that I have here. These people have dedicated their lives to security while at the same time keeping their moral compass well aligned with values which focus on how they can protect, defend and evolve security in this information age.

With that said, let's come to the next slide, which is a question for you to ask yourselves: why are you in security? And I hope that up to this point I have sparked a few eureka moments in your head. What is the reason for joining this industry? What makes you get up in the morning to do security work? I asked this question myself many times, especially when I started in this field. The answer that I came up with is that I wanted to do good through computer security, through the digital evolution of computers, and contribute to the greater good with my field of expertise. I might not be a medical doctor, I might not be, I don't know, a fireman who goes and saves a life, but I can do good through what I'm doing at the moment, and I want to work in this industry to protect and defend digital ecosystems within different sectors, whatever that is: oil and gas, commercial products, the automotive industry; it doesn't matter which field you guys are working in. By doing that, I help organizations to grow, to scale up, which results in protecting actual jobs, people's jobs. So if you're working in the financial sector and you're protecting payment systems, you are protecting a family that has only one credit card to do their shopping during the weekend, and if they lose that, they won't be able to do their shopping. So you need to see the bigger picture in these situations: when you allow businesses and organizations to grow by defending them, by protecting them, you are creating more jobs and opportunities, you are allowing this business to invest in new technologies, and when they take risks in order to further evolve, they are in a position to perceive security as an enabler and not as an obstruction across all the business initiatives they are trying to achieve. And I hope this is a clear message. But last but not least,
the item in our list is "was told: don't scare them". These are the "was told, don't scare them" stories that you might end up hearing in different situations during your career. There are two types of people who fall under this category, and unfortunately you will, one way or another, face them at some point in your life. This refers to people who are trying to divert you from bringing any news of concern to management and any executive teams. There is no point in taking this discussion further at this point, but I will leave you with this advice only: your responsibility when you deal with such situations is to inform, in writing, your line manager and the stakeholders within the organization you are working with, while making sure that you have communicated, in the clearest way possible, the message that you want to convey: not only the problem that you have identified, or the risk, but also the business risk, in the appropriate language. Saying "business risk in the appropriate language" takes us all the way back to the beginning of this slide, where you need to know how to discuss and identify risk according to business needs, and as you evolve you go again through this cycle of steps to bring even stronger foundations to the organization in your everyday evolution of the work that you do.

So, moving along: cyber threats in a fast-evolving, interconnected world are not always straightforward. There will be unknown unknowns, as we call them, different types of threat actors, third-party risks that are beyond our control, and we need to accept this; there is always a bumpy road ahead, full of challenges across all aspects of operations, people and technology. Security is indeed a game of trust, and one major key takeaway is that each emerging cyber threat affects different industries in completely different ways, and because security is indeed a game of trust, we need to be in a position to define security and trust respectively. Most importantly, what is the definition of security today in realistic terms? What is security, what is cyber, and what is cybersecurity? We might take these things for granted, but as we will see in a couple of slides, we don't actually have realistic terms for these words when it comes to measuring risk in real-world scenarios. Do the dictionary terms that you see here cover what we mean by security in the context of protecting digital ecosystems? It's just a definition of the word security in this case. And you'll probably have the presentation, so you can go through it in more detail if you want. So do the ISO 27001 and 17522 definitions provide a meaningful definition for you,
for our purposes, of security in a realistic scenario? Again, it can be debated; it still starts by talking about confidentiality, integrity and availability. Maybe the ISO 27000 series, which reiterates the point around confidentiality, integrity and availability, or maybe Wikipedia, which indeed provides slightly more context, but still it is not clear what security is in the context of the information age while protecting digital ecosystems. And as we can never have a hundred percent security, how do we define the acceptable level in each case? That is the core element of what we call today risk management. Again, I have this here from 27000, 27032 and 17522.

So even when I was doing my PhD, for example, I had to discuss security in realistic terms, and more specifically define it as the state of being or feeling secure by having the ability to avoid being harmed, at a recoverable level, by any risk, danger or threat when protecting specific assets. So the evolution of cybersecurity is not just to do one thing, put a password policy in place, do one thing and get done with it. It's a collection of items where, depending on which industry you are operating within, and having identified the specific threats of that industry, you take a completely different approach and you have a completely different risk tolerance. That risk tolerance is an indicator, an index, that you need to move based on hands-on experience. This is a definition that tells you that you can move the dial of the acceptable risk wherever you believe it is most appropriate and acceptable. In other words, the modern perception of cybersecurity cannot accept a one-solution-fits-all, and that is what this definition tries to portray: it gives a more dynamic and realistic definition of security given real-world scenarios. More specifically, security is the enabler, and that was mentioned earlier on, for evolving and scaling up in a secure manner while minimizing the risk of being affected, and at a recoverable level, creating jobs, allowing businesses to grow and scale up in a secure manner. This is what we do: we enable them, we're not obstructing them. Anyone in 2020 who believes that security is obstructing the business hasn't understood security, and they should stop doing certifications for the heck of it and, you know, read the fundamentals.

Let's put things a little bit into perspective of what we're trying to protect. And yes, I work at the moment with Expo; Expo is one of the biggest events that we're going to have, it's going to last for six months, we're talking about something like 30 million people who are expected to join and visit Expo, we're talking
about IoT, we're talking about all the new technologies of the world in one place. And so this is why I have this example here: this is the International Space Station, a marvel of engineering composed of three million lines of software code, right, and on the ground support there are more than 1.5 million lines of flight software code that runs on 44 computers communicating via 100 data networks, transferring 400,000 signals. It is overall 100 meters long; this is a scientific laboratory in orbit capable of sustaining human lives, and that is one of the key words here: it's not just a technology feat, it supports human life. So, as I'm currently based in Dubai, this is the Burj Khalifa, right, and this is the tallest building in the world, standing at 830 meters tall, which is another kind of marvel of engineering; like we have different industries in security, this is another marvel of engineering for different reasons, and you can see the comparison of how big the ISS is compared to this. The reason why I have this here is because I want you to understand, in physical measurements, how far we have come in technology and the magnitude of what we're trying to protect. This is of course a space station of science fiction, at least for now, but this is a good example of how complicated and challenging it has become over the years to secure and defend our modern digital ecosystems by using last decade's mentality and mindset. The evolution of threats pushes us to counter-evolve. Yeah, I wanted to make a point on this, but I'm conscious of time; I'm going to move on and just mention it, because we were delayed a little bit and I want to, you know, try to get it done on time and save you some time, because it was delayed and I didn't start on time.

So all that I'm trying to say with this presentation is that we have evolved the way that we see security, and I want people who are really passionate about security, and I want to work with these people, to understand that this mindset is what builds the security champions of tomorrow: people like yourselves, who understand that we have moved away from a firefighting scene, a firefighting approach if you may, when it comes to security, and try to avoid tackling problems all over the place with temporary solutions, and I've seen it every day; people that are willing to see the bigger picture and hopefully now understand much better how to combine standards, requirements and methodologies. This is very important: why "Contain" should also be considered as part of the new cybersecurity framework functions, and I can discuss this with you offline if you want.
What does it mean to be an enabler when it comes to security? The value of having an actionable cyber resilience strategy. How third-party tools, even Twitter, as we said earlier on, could be utilized for security purposes: there have been propagating cyber threats that I became aware of within seconds from my security network on Twitter, while my threat intelligence feeds, which I pay for, provided them to me 24 hours later. So clearly, if you build that Twitter network, you are in good hands to get to know things very fast. Recognition for the hard work should not only go to those who break things, the hackers, the ethical hackers, but also to those who fix the issues. So let's take this approach for a second: our industry has this mentality of praising the person identifying a vulnerability, while it is equally important to recognize the contributions of those taking all the necessary steps to identify the root cause and fix it, while not breaking something else which could have an immediate impact on the business needs that we discussed earlier.

Last but not least, laws and regulations. Up to now we have been doing security based only on experience and recommended best practices, to meet compliance requirements if that is necessary, when it's necessary. As we move towards a far more structured framework around cybersecurity, and at least in Europe ENISA will be looking after that, the laws and regulations will demand proper due diligence, and this is the key word here. Having the opportunity to think about all these aspects of cybersecurity that we discussed today will not only put you in a position of being a security champion, right; I want you to be a security legend, and this is what I would like to see: people, the younger generation, our generation, pushing this world forward by applying the principle of the Red Queen hypothesis in cybersecurity as an opportunity to constantly evolve your understanding, your abilities, your skills, your capabilities and overall your security mindset. Thank you so much, and I really hope I managed to light up and spark future discussions and the future security legends among all of you attending the presentation.

Thank you, Greg, thank you for your talk. Well, it's good to rethink and to think a little bit more about security problems and security approaches. Thank you also for your tips and suggestions on how to improve security in general. You