GRC: Be Connected! – about skills, frameworks and knowledge
Karel De Kneef, CSO of Swift, points out that ‘people make the difference’, which makes addressing the talent challenge a priority. He presents his organization’s split between ‘protect’ and ‘transform’ activities, the latter targeting improved security, with a list of specific action points. Most of his efforts are spent on ‘security assurance’ (“policies are fine, but check whether they are correctly implemented”), ‘business support’ (“risk-based approach and cooperation with the business”), ‘tools’ (“60+ tools and platforms”) and ‘cyber incident detection and response’. Every one of these points of attention requires people with the appropriate skills, with a growing need for business insight and leadership qualities. It pays not only to broaden the horizons of security experts, but also to recruit people from the business side, with attention to diversity!
As frameworks go, the NIST cyber security framework is the leading standard. Umut Inetas, Manager Security Architecture at Ahold Delhaize, offers specific pointers on how to apply NIST to organizations. In particular, NIST is a ‘framework of frameworks’ supported by a multitude of ‘special publications’ (SPs) and FIPS (US Federal guidelines) covering specific sectors and needs. He discusses the three main components of NIST, in this case ‘tiers’ (implementation), ‘profile’ (from ‘as is’ to ‘to be’) and ‘core’ (strategy and roadmap), and of course how to tackle the five pillars: identify, protect, detect, respond, recover. Along with these practical aspects, Umut Inetas also provides insight into ‘why NIST’ and its future.
The third presentation, by Vilius Benetis, director of NRD Cyber Security, underlines the usefulness of organizations such as ISACA and FIRST.org as sources of knowledge, certifications/certificates and trust. He points out why starting a CSIRT (Computer Security Incident Response Team) is important, and how to go about it.