DeNexus Blog - Industrial Cyber Risk Quantification

DeNexus – What we learned at ManuSec Canada 2025

Written by DeNexus | Apr 10, 2025 1:58:12 PM
This has been an exciting and busy week for DeNexus at ManuSec Canada in downtown Toronto. Over 100 attendees descended upon the Chelsea Hotel venue to learn about industrial cybersecurity (ICS) for operational technology (OT) and find peers with similar challenges to share ideas.

One dominant theme was artificial intelligence (AI): the impact of AI-driven attacks, the risk associated with the use of AI tools, and AI risk management solutions. This included defining ‘shadow AI’, the sharing of information with easily accessible AI tools, the growth of AI in cybersecurity toolsets, and of course the use of AI by threat actors to increase the sophistication of phishing and their attacks.

Vulnerability management was discussed multiple times by Rick Kaun and Brendan Clace: the challenge of managing the increasing wave of discovered vulnerabilities and the growing threat of exploitation. For many manufacturers, vulnerability management is a growing tsunami that requires tools to help triage and prioritize the most important vulnerabilities requiring attention. ‘Risk-based’ vulnerability management was a recurring term, generally defined as a prioritization scheme or risk score to identify the vulnerabilities needing attention first.

Although DeNexus did not speak on the topic at this event, we add another perspective with our recently released product, DeRISK Quantified Vulnerability Management. It identifies the vulnerabilities that can cause a material financial impact to the business, an enhancement over traditional risk-based vulnerability management because it provides a dollar value rather than just a vulnerability score. There are times when a vulnerability is both severe and exploitable, but other factors reduce the financial impact if it is attacked and can make it non-relevant from a risk standpoint.

Insider threat was also discussed from both a law enforcement and an asset owner’s perspective. In many cases, insiders are not knowingly contributing to the attack. They are more likely to have their computer integrity or credentials compromised and be an accidental participant in the cyber attack campaign, with their actions allowing initial access and lateral movement to other parts of the network.

Early on the first day, DeNexus spoke on ‘OT Telemetry – a Must-Have for Financial Quantification of OT Cyber Risk in Manufacturing’, and we received many thankful and positive comments on the talk from attendees and through the ManuSec organizers. For most, this was the first time they had heard of financial quantification of cyber risk, and they agreed it can help change the conversation with their leadership as they push to justify OT cybersecurity budgets.

The most common misconception is that “we are not mature enough for this solution”, which we must correct. I spent over 15 years of my career advising customers to improve their cybersecurity, and I always lacked the business perspective, the financial risk, associated with my recommendations. Over and over again, I struggled to explain why a new cyber technology was better; a history of not having an incident was difficult to overcome.

The two days of insightful presentations, networking opportunities and many conversations were closed with a terrific panel on “How we can best ensure protection despite financial constraints”, where the need to communicate the business value of cybersecurity investments was highlighted. That need is exacerbated in times of volatility, uncertainty, and increasing exposure to cyber risk. 

Thanks to all attendees, and special thanks to those who stopped by our booth. You are the reason why we work every day to offer a better value proposition from the leading Cyber Risk Quantification solution for the Manufacturing space.
Congratulations to ManuSec for another terrific event. See you in Chicago in October!   

 

If you want to learn more, get in touch with our team, or understand how the above is put to use to quantify and manage cyber risks at 250+ industrial sites monitored by DeNexus, you can contact us at https://www.denexus.io/contact.