17th International Information Security Conference

Published on 21-05-2015      News about: ISMS Forum Spain

The 17th International Information Security Conference organised by ISMS Forum Spain, in Matadero Madrid [1], has again been a chance to reflect on the evolution of the information security landscape. The Chairman of the Information Security Advancement Society – ISMS Forum Spain, Gianluca D’Antonio, opened the event by acknowledging the contribution of all the speakers, sponsors, public institutions, media partners and think tanks. Francisco Lázaro and David Alonso presented the newly established Mobility Centre, an initiative of ISMS Forum Spain, and invited all ISMS Forum members interested in the security aspects of mobile technologies and IoT to participate in the initiative.

Richard Bach, Assistant Director for Cyber Security at the UK Government’s Department for Business, Innovation and Skills, gave the opening speech. In his talk, Richard stressed the importance of cyber security for business and spoke about the measures adopted by the British Government to help small and medium-sized enterprises invest in information security. He presented, for example, a specific plan which gives firms £5000 vouchers to be spent on cyber security innovations [2]. The spectrum of initiatives presented was very broad: it ranged from training activities, such as the Open University’s online open introductory course on cyber security [3], to the Cyber Incident Response Scheme (CIRS) [4], and the requirement to comply with certified cyber security standards in Government procurement. Richard also emphasised the role played by collaboration between the private and public sectors in defining a common scheme to implement the 2011 Cyber Security Strategy (£860m). In concluding his talk, Richard presented the way his department is cooperating with the UK Information Commissioner’s Office to create a common vocabulary for talking about information privacy and security in the Cyber Essentials scheme developed to assist Government procurement. Overall, the speech perfectly reflected and clarified the title of the 17th International Information Security Conference organised by ISMS Forum Spain, which was “Blurring Privacy and Security Boundaries: A Few Market Shaking Ideas”.

Straight after, the first panel of experts, moderated by Raffaele Di Giovanni-Bezzi, from DG Connect, discussed how mobile technologies are challenging the old idea of the security perimeter. Raffaele spoke about the importance of building cyber resilience and trust to create a common digital market within Europe. James Kretchmar, VP & CTO EMEA for Akamai, explained how the commodification of cyber threats, such as DDoS ‘as a service’ attacks, is dangerously boosting malicious activity by making it highly accessible and relatively cheap, while defending organisations’ data and operations still requires big investments and efforts. Laurent Heslault, Chief Security Strategist at Symantec, invited the audience to think about the fact that the place where strategic information is stored is often located outside the enterprise, outside the firewall. David Francis, UK Chief Security Officer at Huawei, advocated the need to build cyber security into every single aspect of both products and organisational procedures, stating that cyber security is everyone’s responsibility – not just the CISO’s responsibility – within an organisation. Ram Motipally, Senior Director of the Global Samsung Knox Business Team, spoke of the challenges posed to the security of mobile devices by the specific features of already existing organisational information system infrastructures and by the demand for accessing new complex business applications from these devices.

The second panel, moderated by Marcos Gómez, Deputy Director at INCIBE, touched upon several aspects related to the management of a cyber-crisis. Vicente Pastor, Head of Enterprise Security Services at NATO, presented NATO’s Malware Information Sharing Platform (MISP): an open-source project which aggregates and analyses information on security incidents coming from the CERTs of all NATO member states. He also spoke of other initiatives, such as the NATO-Industry Cyber Partnership, the Cyber Security Incubator, and the Smart Defence capability project. Eutimio Fernández, Security Account Manager at Cisco, spoke of the need to gather historical data to perform forensic investigations and learn from past cyber incidents. Richard Curran, Security Officer EMEA for Intel Security, said that we need to embed security in every single piece of silicon, as everything is becoming interconnected and interoperable, and that we need to be prepared to analyse and react to an exponential growth in the number of security incidents per day. Fernando Picatoste, partner at Deloitte, closed the panel by offering insights on the ways an organisation can learn from the simulation of a crisis, and on the need for board members and CISOs to receive specific crisis management training.

The third panel, moderated by Nicole Van Der Meulen, Analyst at RAND Europe, focused on the evolving security threat landscape. Nicole specifically drew attention to the lack of harmonisation in the definition of threats and to the large number of non-comparable surveys constantly produced by several organisations, which do not help consolidate knowledge in the field, and asked what kind of information official institutions like ENISA should provide to help all actors understand the level of cyber security maturity they have achieved. Neil Thacker, Information Security & Strategy Officer EMEA for Websense, said that we need to understand that nowadays personal data has become a commodity item on the underground digital market, and that organisations need to implement data breach remediation procedures. Simon Young, VP Strategic Alliances & Partnerships for Europe at Trend Micro, spoke of the challenges brought by enterprise data virtualisation processes and of the need for CISOs to use a new set of controls based on vulnerability and breach detection systems to increase other C-level executives’ level of awareness. Johan Arts, Director of Security Systems Europe at IBM, spoke about the need to embrace the integration challenge to develop holistic security strategies and overcome the limits of the fragmented security solutions landscape. Richard McCluney, Senior Vice President of Business Operations for Blue Coat, spoke about cloud-based solutions and how they can help organisations process and make sense of the huge amount of data produced daily.

The last panel, moderated by Jan Ellerman, Senior Specialist at the Europol Data Protection Office, closed the circle by exploring the opportunities and risks of applying analytics for incident prevention and detection purposes. Jaap-Henk Hoepman, Scientific Director of the Privacy & Identity Lab at Radboud University in the Netherlands, told the audience about the way Privacy-by-Design principles can help organisations share indicators of compromise in a responsible and privacy-friendly way. As a researcher, he also warned the audience about the risk of inferring causation from simple correlation when relying on data mining algorithms whose rules are not supported by theory. He said that a classical example used to understand the problem is the usual statistical association which exists between the number of criminals and the number of churches – a case of spurious correlation generated by the size of the place considered: bigger cities tend to have both more criminals and more churches. Anas Hadidi, Solutions Architect EMEA for HP Enterprise Security Products, explained that analytics already help protect millions of individual bank accounts every day and that they can also help control the flow of information, identify deviations, and detect intrusions or data breaches. Darren Gale, EMEA Lead, Network and Endpoint Forensics and Mandiant Consulting Services at FireEye, who joined FireEye after the Mandiant acquisition, presented the case of the data breach at the retail giant Target as an example of an organisation which was unable to consume the internal information it was producing on the incident, and said that the median time before a threat is discovered is still 205 days, and that the median time from detection to remediation is still 32 days, which leads organisations to stop asking “Am I secure?” and begin asking “Am I compromised?”.
Finally, Francesco Vitali, Communication and Media Officer at the Italian Data Protection Authority, invited the audience to reflect on the strategic value information has in today’s global digital economy and on the need to think about privacy and security not just as technical or legal terms, but also as key political terms in shaping international relationships, and to understand the regulation of information flows and related policies in terms of global power dynamics.
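The criminals-and-churches example mentioned above is easy to reproduce, and doing so shows why a detection rule mined from raw counts can be misleading. The following is an added illustration, not material from the conference or from any speaker: it builds ten hypothetical cities whose criminal and church counts are both driven by population plus small independent disturbances (constructed numbers, not real statistics), computes the raw Pearson correlation between the two counts, and then computes the partial correlation after removing the linear effect of population. The helper names (`pearson`, `residuals`, `partial_correlation`, `analyse`) are this example's own.

```python
"""Spurious correlation demo: criminals vs. churches, confounded by city size.

Added example in pure Python (no third-party packages). All numbers are
constructed for illustration; they are not real crime or census data.
"""
from math import sqrt

# Constructed sample: (population, criminals, churches) for ten hypothetical
# cities. Criminals ~= 0.005 * population and churches ~= 0.001 * population,
# each with a small disturbance that is independent of the other series.
CITIES = [
    (10000, 51, 11),
    (20000, 99, 19),
    (30000, 149, 31),
    (40000, 201, 39),
    (50000, 250, 50),
    (60000, 300, 60),
    (70000, 351, 69),
    (80000, 399, 81),
    (90000, 449, 89),
    (100000, 501, 101),
]


def pearson(xs, ys):
    """Pearson correlation coefficient of two equally long sequences."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    return sxy / sqrt(sxx * syy)


def residuals(ys, xs):
    """Remove the part of ys that is linearly explained by xs (simple OLS).

    What remains is the variation in ys that the control variable xs
    cannot account for.
    """
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    slope = sum((x - mx) * (y - my) for x, y in zip(xs, ys)) / sum((x - mx) ** 2 for x in xs)
    intercept = my - slope * mx
    return [y - (intercept + slope * x) for x, y in zip(xs, ys)]


def partial_correlation(xs, ys, control):
    """Correlation of xs and ys once the linear effect of `control` is removed."""
    return pearson(residuals(xs, control), residuals(ys, control))


def analyse(cities=CITIES):
    """Return the raw and the size-adjusted correlation for the sample."""
    population = [c[0] for c in cities]
    criminals = [c[1] for c in cities]
    churches = [c[2] for c in cities]
    return {
        "raw": pearson(criminals, churches),
        "partial": partial_correlation(criminals, churches, population),
    }


if __name__ == "__main__":
    result = analyse()
    print(f"raw correlation (criminals vs churches): {result['raw']:.4f}")
    print(f"partial correlation controlling for population: {result['partial']:.4f}")
```

The raw correlation comes out above 0.99 although neither series has any influence on the other; once population is controlled for, the partial correlation collapses to essentially zero. The same check applies to an analytics rule that flags, say, one event type because it co-occurs with incidents: before trusting the rule, ask which variable (host count, traffic volume, time of day) might be driving both.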

Throughout the morning, all actors agreed on the need to design and implement effective legislative actions to foster innovation in the area of cyber security without hampering competition or creating false demand. Cyber security training, incident information sharing, and public-private partnership were identified as key elements in promoting cyber security. Several speakers also stated that the time has come for CISOs to leave their departments and become board members. While exploring the relationship between privacy and security from different perspectives, some speakers pointed out that a particular interpretation of IP addresses as personal information in Germany and Spain has sometimes prevented organisations from sharing the IP addresses of machines attacking them. This issue, which raised serious security concerns among the audience, was taken as another example of the need to harmonise data protection laws across European countries.

The talk by Miguel Portillo, Associate Director of Michael Page Executive Search, was the last one in the Cineteca. Miguel described the evolving market for cyber security experts and gave practical advice and useful tips to the audience.

Two parallel sessions in Spanish and two executive meetings were also held during the morning. Almudena Alcaide, from the CyberSOC Academy of Deloitte, and Pedro Marco, Presales Manager at Kaspersky Lab, held a workshop on the terrible malware known as ‘CryptoLocker’. Noemi Brito, partner at Legistel, moderated a panel on the limits of respecting privacy in incident investigation, in which Óscar de la Cruz, digital crime commander-in-chief of the Guardia Civil, Joan Camps, Director of the Technology Unit, Consejo General Colegios de Médicos, and Roberto Baratta, Director of Prevention, Business Continuity and Security for Abanca, contributed to a lively and insightful discussion.

During the lunch break, Rodrigo Jiménez Del Val, Security Advisor at Necsia, and Antonio Fontiveros, Security Technology Officer at Abertis Autopistas, with Patrizia Morales Márquez, Trainer & Motivational Speaker for The Box innovation, entertained the audience by presenting how cyber security threats can be effectively incorporated into business continuity plans.

The event ended with a graduation ceremony and the award of the 8th Edition of the Master of Cyber Security Governance, and the award of the prizes of the raffle organised by ISMS Forum Spain.

[1] http://www.mataderomadrid.org/

[2] https://vouchers.innovateuk.org/cyber-security

[3] https://www.futurelearn.com/courses/introduction-to-cyber-security

[4] http://www.cesg.gov.uk/servicecatalogue/service_assurance/cir/Pages/Cyber-Incident-Response.aspx
