The Right Reporting Line is the One that Works. Period.
The reporting line of the CISO is probably one of the oldest topics of discussion in the cyber security community. So why are we still talking about it? JC Gaillard, from Corix Partners, looks back at over 20 years of experience on the matter and at his various publications on the theme, and explains why the right reporting line is key to the CISO's success, but also why separation-of-duties considerations cannot be the sole deciding factor.
In the speech, I'll talk about why COVID-19 forced cybersecurity experts to include the human element in the equation in a different way. I will start from my experience as scientific director of the EU project DOGANA (www.dogana-project.eu) on social engineering and will update on the implications of recent trends. In general, the defence is made of tools, processes and people. Tools and technologies evolve, processes improve (marginally), but people are always the same. If the average attack detection time does not drastically change, it means that the combined effects of the evolution of attacks and the improvement of tools compensate each other. If one wants to reduce the detection time, one must intervene in processes and people. For years, effective defence plans have considered the human element an integral part of attack techniques. However, the defence and simulation strategies for both employees and defenders must also foresee the implications of human presence. Specifically, I will introduce the FSVA (Full Spectrum Vulnerability Assessment) methodology that we developed.
Trust is essential for conducting secure transactions online. The ability of users to prove their identity in a secure and assured manner is essential for many high-value transactions. In this talk we will provide an overview of a governance framework for enhancing trust in online transactions through the use of decentralized identity concepts.