Focus on Cyber Security: The Recap

On May 26, Canadian Security hosted Focus on Cyber Security, showcasing thought leaders and best practices from across Canada’s cybersecurity community.

The event was sponsored by IBM Canada, Trend Micro, Fortinet and (ISC)² Toronto Chapter.

The event kicked off with a message from Daina Proctor, security threat management associate partner, IBM Canada. During her keynote, Proctor discussed some of her experiences working with clients who are dealing with the challenges related to the evolution of their threat management programs.

A roundtable discussion followed: “The cyberthreat landscape – the issues that keep business leaders up at night and the solutions that help them sleep.”

Moderated by Canadian Security editor Neil Sutton, the panelists included:

• Bill Ohlson, CISO, nanopay Corp.
• Tim McCreight, managing director, enterprise security, CP Rail
• Imran Ahmad, Partner and Head of Technology, Co-Chair Data Protection, Privacy and Cybersecurity at Norton Rose Fulbright
• Helen Knight, Fractional CIO, Helen Knight Consulting

The panelists shared their thoughts on effective cybersecurity, with topics including: inter-department collaboration; developing budgets and working with vendors; data privacy compliance; physical and logical security convergence; and effective disaster recovery.

“[There’s] this idea of resilience but resilience within the information security organization,” said McCreight. “I think it’s on us as professionals and leaders within information security organizations to make sure that we have that resilience throughout the organization, and that we’re involving other parties, not only within security but on cybersecurity so you can remove that ping pong effect. From my perspective, that ties in things like the skills gap and making sure that we’re addressing it, that we’re understanding the business requirements because we need to ask those questions in advance of an incident to understand really what’s important to the business.”

When it comes to delegating cybersecurity responsibility within a business or organization, Ohlson stressed that everyone relies on one another. “I tend to fall back on a lot of those fundamentals when I’m organizing an information security program, but also being cognizant that it’s very rare in an organization that the security team can do something unto themselves,” Ohlson said. “We’re always relying on other people — whether it’s your IT group, HR, legal, whoever it is.”

The COVID-19 pandemic has had an impact on the evolution of threat development and the response from cybersecurity professionals. For example, Ahmad said he has seen an acceleration of digital transformation.

“We’ve seen IT departments trying their absolute best to meet those timelines because it’s becoming a competitive advantage or competitive piece you want to have in your organization, and building that relationship,” Ahmad said. “I find myself working much more directly, oddly enough, with CISOs and IT professionals, than I do with the lawyers at that same company because they’re saying, ‘What do we need to do on the due diligence for this vendor that we want to accelerate?'”

Knight, who works with the non-profit community, stressed the importance for cybersecurity professionals to reach out to non-profits and join their board in order to provide them some awareness of what to do about cybersecurity. “Finding volunteer opportunities in nonprofits are a great way to get some hours behind you and I also find that on your resume it looks excellent and people reach out to you a lot more to because it shows your passion for the field,” Knight explained.

Following a short coffee break, Myla Pilao, Director of Research, Trend Micro, gave a keynote presentation on “The Business of Security: How Cyber Security Helps the Bottom Line.” Pilao’s keynote delved into the COVID-19 vaccine rollout across Canada and described the ways in which organizations are reassessing how to operate securely under extended remote work models.

Detective Constable with the Toronto Police Service and Canadian Security contributor Kenrick Bagnall followed Pilao’s presentation with a session focused on working effectively with law enforcement.

Bagnall said that sharing the details of a suspected cybercrime with the police can marshal effective resources and help resolve crimes more quickly. Bagnall said that while there is nothing that currently says that businesses have to report a cybercrime to law enforcement, he stressed that “at the end of the day, if someone broke into your house and stole all your valuables, you’re probably going to call the police. Or if somebody broke into your business and stole all your physical, tangible assets, you’ll probably call the police. If they breach your network, and take your data which has value to yourself and your customers, you should also call the police.”

Hassan El-Masri, security strategist with Fortinet’s FortiGuard Labs, gave an informative keynote presentation that assessed threat intelligence from the second half of 2020, and the first few months of 2021. The findings he provided demonstrated an unprecedented cyber threat landscape where cyber adversaries maximized the constantly expanding attack surface to scale threat efforts around the world.

Concluding the event was a second panel called “Developing an effective cybersecurity culture – how to build awareness and keep remote employees safe.”

Moderated by Canadian Security‘s associate editor Alanna Fairey, the second panel included:

• Victoria Granova, president, (ISC)² Toronto Chapter
• Andrew Vezina, Vice President and CISO, Equitable Bank
• Ritesh Kotak, Principal, Ritesh Kotak Consulting

They shared best practices on educating staff, creating a cybersafe work culture and building work-from-home programs safely and effectively.

When it comes to identifying the most common cyber-vulnerabilities that employees can introduce to any organization, Vezina sorts them into three categories.

“We have actions where the employees have made a mistake or an error in their daily activities like clicking on links going to sites they shouldn’t,” Vezina said. “There’s a second category where it’s more of a failure of the security team to educate our employees and that’s where the employees might set weaker passwords, not use a password manager, not protect their credentials properly. And then the third category gets into things that the employee knows that they shouldn’t do, but they’re doing anyways, which is where we have people who maybe send information to their personal email, sometimes for good reasons, sometimes for bad.”

Stressing that good cyber hygiene is something that employees should continuously work on, Kotak said that some of the more effective training techniques or tools that employers can provide are continuous interactive learning techniques that are implemented daily.

“What I found to be the most effective, and what a lot of organizations are actually deploying, are inexpensive micro learning techniques,” Kotak explained. “When you go through a particular form or you go through a particular incident, you get pop-ups, and those pop-ups are ‘Would you like to review a video about phishing, would you like to a review a video about ransomware’ and you build it into somebody’s day so it kind of becomes intuitive.”

To conclude, Granova said that while the COVID-19 pandemic has shifted everyone’s lives, it has complicated cybersecurity with more and more people working from home and using their personal devices. However, “there’s a lot of great mobile device management software that could allow the company to manage that device, even though it’s a personal device.”

To view archived versions of these presentations, please visit the Focus On Cyber Security home page.