LAS VEGAS. Cybersecurity clients are citing new European data privacy rules as their top policy concern, according to Kudelski Security executives interviewed here, as an expected 17,000 cyber professionals, vendors and policymakers descended on this city for the back-to-back Black Hat and DEF CON conferences this week.
Black Hat 2018 opened Saturday with training sessions, and features a closed-press “CISO Summit” today before moving into a full schedule of briefings on Wednesday and Thursday, beginning with a keynote from Google director of engineering Parisa Tabriz, who will discuss vulnerability disclosure and other issues. Inside Cybersecurity will provide full coverage of the Black Hat conference in addition to exclusive interviews with representatives from a variety of cybersecurity firms.
Kudelski CTO Andrew Howard and global strategy and governance managing director John Hellickson said in a wide-ranging discussion that the National Institute of Standards and Technology’s ongoing work on Internet of Things security is one of the most eagerly awaited initiatives coming out of government. And, they said, the NIST framework of cybersecurity standards has become the pre-eminent cyber benchmark among the companies they work with.
Kudelski Security is headquartered in Switzerland and Phoenix, AZ.
GDPR is “the number one policy issue I hear from clients,” who express concerns about how the regulation on companies that handle the data of European Union residents will be enforced and what the potential liability will be, Howard said. “The legal risk landscape is unknown.”
Howard said the U.S. is unlikely to adopt a national GDPR-type data rule, while cautioning that the reach of the EU regulation and action in states such as California means that many U.S. companies will still have to contend with its standards.
He predicted “a huge spike” in the reporting of cyber incidents due to GDPR requirements, though that won’t necessarily mean that actual attacks are increasing.
Corporate reactions to GDPR have varied, Hellickson said, with some “spending a lot of energy” on its requirements while others are in a “wait-and-see” mode, “waiting to see how it plays out.”
But Howard added that “client requests for data-loss prevention services are through the roof.”
The ‘ubiquitous’ framework
On the NIST framework of cybersecurity standards, Howard said he is seeing “ubiquitous use domestically” in the United States. “It is the benchmark – it goes across industries nicely and provides a high-level view that’s good for the C-suite.”
Hellickson said Kudelski always uses the framework’s five functions – identify, protect, detect, respond and recover – to illustrate its points in presentations to corporate boards. On the downside, Howard said, “you can rate high in a given category and still have some gaping holes; it’s not very granular.”
He said many CISOs continue to be concerned about the framework’s tier system and may “draw a line in the sand about getting up to a certain level,” which may not be the necessary goal for that entity.
NIST released its first-ever update to the 2014 framework in April and will hold a conference in November in Baltimore, MD to discuss the changes and other cybersecurity issues. The update was especially helpful on third-party issues, Hellickson said.
Looking across the policy landscape on other issues, Howard said “there’s a space around IoT security where the government has a role to play.”
“We’re helping companies assess their [IoT] products and the conversation has transitioned to ‘what standard are you going to help me to meet?’” he said. NIST held an IoT workshop in July and Howard said there is a need for NIST to develop a security standard.
“Clients ask ‘what’s secure enough’ for an IoT device and NIST will help answer that,” he said. “What’s good enough is a complicated question – for IoT devices, there is no baseline.” – Charlie Mitchell