It is rare that we leave a conference feeling energized by both the connections and the content. Recently, Terbium Labs attended two concurrent events—the E-Crime Cybersecurity Congress and Fraud Forum—that explored the intersection of fraud and information security. The key takeaway from conversations with attendees and presenters: the risks faced by fraud teams manifest as threats for those in information security, and each can provide an early warning for the other. The organizers deserve kudos for curating a compelling program and experience.
Although this year marked our first attendance, both events have been around for quite some time, with the E-Crime and Cybersecurity Congress now in its 16th year. That event lasts two days, and on the second day the Fraud Forum runs in parallel. Because of this overlap, certain themes connected across domains, namely the impact of cybercrime on organizations and efforts to combat it. In fact, the last two sessions of each conference were held jointly; the organizers clearly understood the convergence and built the program accordingly. Though the topics covered familiar terrain—ransomware, fraud prevention, threat landscape overviews, and emerging sources of compromise—three cross-cutting themes emerged, particularly in hallway conversations. (Given that the events are governed by the Chatham House Rule, this post will not attribute comments to names or organizations.)
Theme 1: Have we improved as an industry?
To examine how well the cyber security industry adapts to evolving threats, one of the first speakers introduced the Red Queen paradox: defenders are constantly moving and improving, yet never gain the advantage over adversaries. This idea stirred the audience and ricocheted through conversations over both days. Information security practitioners over-index on measuring their controls—while important, that metric provides no insight into the gap between the defenders' posture and the adversaries' growing capabilities.
In a break-time discussion, three mid-level information security managers talked about the importance and the challenge of building security awareness within a medium-sized company. For many of these practitioners, awareness is both a prerequisite for and a follow-up to action; their CISOs are not only asking about prevention, but also measuring the impact of their educational efforts—a difficult task, to be sure.
Theme 2: Can cyber security approaches mature from threat-focused to risk-based?
The demand for collaboration, increased regulatory scrutiny, and a complex threat landscape create a trifecta of challenging operating circumstances. Only security organizations that enable their business stakeholders will thrive, while the rest will barely survive by using headlines to chase budget and drive organizational buy-in—an unsustainable trajectory. In another conversation, the CISO of a large retailer described the challenge of communicating risk to board members inured to fear-driven headlines; fear cannot sustain decision making, yet risk is a complicated concept that must be explained simply. Various talks addressed this issue, if not directly, then by way of case studies.
Many attendees in both the cybersecurity and fraud tracks subscribe to the "three lines of defense" risk governance framework when thinking about addressing vulnerabilities. Attendees from the two groups diverged on this point: fraud risk professionals clearly placed their work primarily in the second line of defense (and occasionally the third), while information security practitioners saw themselves operating across all three lines. Although self-categorization depends on organization size, program scope, and business model, this differentiation highlighted an important gap: even when both groups use a shared risk framework, they may disagree about how to map their activities to governance. Again, risk can be difficult to understand and even harder to communicate.
Theme 3: Who is accountable and responsible for reducing the risk of cybercrime?
How do risk managers (of both fraud and information security) advocate for risk reduction? Beyond the inherent value of reducing organizational risk and meeting regulatory requirements, convincing stakeholders which risks to address is a question of resource allocation. Senior executives are not going to spend 100 pounds to solve a 20-pound problem, so measuring the impact of fraud interventions means developing an internal metric. In the Fraud Forum, discussion about fraud risk assessments (FRAs) dominated—FRAs are a helpful tool for fraud risk managers, but they must be deployed thoughtfully and rigorously. Interpreting the results is even trickier.
A common thread through presentations from public sector representatives: we need to work together. At the very least, the adversaries are collaborating, so we cannot afford to operate independently. Importantly, law enforcement appreciates input from industry, even when the other contributing partners are potential competitors. Commercial considerations notwithstanding, producing an aggregated product does not have to be onerous; one representative made a compelling argument that most burglars are not caught on evidence collected from a single scene. Because cybercrime is often seen as victimless—an observation many attendees shared—focused attention on collaboration becomes urgent, not just important.
Again, attending these two conferences deepened our understanding of the problems faced by our customers by identifying the exact nexus of cyber-enabled fraud and emerging information security vulnerabilities. The team at AKJ Associates puts on a variety of events around the world—we highly recommend finding the next one in your area. If you attend next year, you will definitely see Terbium Labs there!