The ISMS Forum held its 25th edition of the International Information Security Day on November 16th at the Cívitas Metropolitano Stadium in Madrid. We, at Inprosec, attended to keep up with the latest Cybersecurity trends in our national sector. This event, titled “Building Effective Cybersecurity & Privacy Governance: The Path to Resilience”, provided answers to key questions about the management of cybersecurity and privacy in organizations, reaffirming the growing importance of information security.
Roberto Barata, who presented the day, highlighted the impressive attendance of over 1500 people. The presentations were grouped into four main blocks:
- Privacy and Data Protection
- Strategy and Policies
- Cybersecurity Trends
- Cloud Security
Each block addressed topics such as Cyber Security Governance, Cyber INsecurity Indicator, Privacy and Security in Generative AI, Cyber Security Maturity Level, Data Breach Playbooks, and the State of the Art in Cloud Security.
Presentations
The first was led by James Murphy, Global Product Manager at IBM, who spoke about the opportunities that generative AI brings in improving the detection and prevention of cyberattacks. He also discussed how, conversely, in the hands of cybercriminals, it becomes a dangerous weapon by facilitating and automating their attacks. He also commented on the importance of regulating the use of AI.
This was followed by the round table on generative AI for track 2. Here, the importance of protecting internal information when using AI was discussed, as well as the need for adequate user privilege management. It was also mentioned that manufacturers expect cybercriminals to develop autonomous tools that generate cyberattacks using generative AI, and they pointed to the growth in the number of published exploits made easier by AI. Some manufacturers are already using generative AI in some of their products and services to absorb tedious and repetitive tasks.
The third talk covered Cyber Workforce Resilience. Antonio Cerezo, Head of Cybersecurity at Sanitas, gave an overview of how to retain talent and commented on the importance of motivating the team by assigning different tasks and occasionally moving people to other areas of the department so that they acquire new knowledge. He also emphasized the important role of continuous training.
The fourth presentation dealt with social engineering and generative AI. The speakers stressed the importance of raising employee awareness of these threats through continuous training. The topic was approached from different, complementary points of view: the use of e-learning platforms, talks by cybersecurity experts, and the observation that users can carry habits from their personal lives, such as using two-factor authentication for digital banking, over to their work.
The talk given by Adriel Regueira of Nozomi dealt with the importance of knowing which devices are present, detecting the vulnerabilities and risks associated with them, and having response mechanisms in place to improve the resilience of OT networks and IoT devices.
In the presentation by the company Bitsight, on the management of cybersecurity risk in the supply chain, it was mentioned that 88% of companies already include cyberattacks as a business risk. According to a report by KPMG, 73% of companies have suffered at least one cybersecurity incident within their supply chain. Both the DORA and NIS2 regulations emphasize the importance of third-party risk management. Another report by ENISA (European Union Agency for Cybersecurity) presents very worrying data, such as that only one in four companies has designated a person responsible for cybersecurity in OT environments.
Another talk was given by José Ramón Coz, internal cyber auditor at ESA (European Space Agency), who told us that Galileo is the world’s leading satellite navigation system. The main headquarters are in the Netherlands, and from there the cyber audit team manages about 100 audits a year, dedicating 15% of its time to planning and 20% to communication with the involved parties. The audit scopes are complex because the supply chain is very large: there are many subcontractors at different levels, regulations are applied in 10 areas, periodic pentests are performed, and the importance of social engineering is emphasized. There are more than 1000 critical documents related to cybersecurity, more than 100 sites with infrastructure, and they work with more than 30 suppliers.
The last presentation was about the stress of the CISO. A study based on a questionnaire to more than 70 Spanish CISOs was carried out, and the following conclusions were drawn: perceived stress was measured on a scale of 0 to 40, with an average score of 19.34, just below the medium-to-high level that starts at 20. Ten respondents are in the risk zone, 10 in the burnout zone, and 10 in the depression zone. Five main factors were identified in the report, which the ISMS Forum will publish. In conclusion, the increase in cyberattacks directly impacts the stress of cybersecurity professionals. The keys are: 1. Survive, 2. Adapt to changes, and 3. Evolve. The key is to know ourselves in order to protect ourselves.
In conclusion, we can say that the 25th edition of the ISMS Forum event was a public-private collaboration scenario where initiatives and value proposals were presented for the promotion and enhancement of good cybersecurity governance. The effective adoption of good practices by an organization is a sign of cybersecurity maturity and contributes both to better risk management and to the protection of its objectives and, indirectly, of all related actors who might be affected by the organization’s activities.