Cybersecurity Experts Discuss Data Protection, OT Security, and Regulatory Compliance

By scribe 10 minute read

Introduction

In an increasingly digital world, cybersecurity has become a critical concern for organizations across all industries. As threats evolve and regulations tighten, companies must stay vigilant and adapt their security practices. Recently, a panel of cybersecurity experts gathered to discuss some of the most pressing issues facing the industry today.

The panel included:

  • Pav Gurv - Senior Security Expert at United Bulgarian Bank
  • Jan S. - Vice President at MasterCard
  • Mo Cashman - Field CTO at TRX
  • Yenko Gavila - Director of Cyber Security at Forter
  • George Sharov - COO of European Software Institute
  • Boris Goncharov - Cybersecurity Expert

These industry leaders shared valuable insights on topics ranging from data protection to operational technology security to regulatory compliance. Let's explore some of the key takeaways from their discussion.

Data Protection and Insider Threats

One of the first topics addressed was data protection, particularly in relation to insider threats. Yenko Gavila of Forter shared his perspective based on extensive experience with data protection projects:

"When companies want to protect data, they typically think about DLP (Data Loss Prevention) first," Gavila explained. "They focus on making sure confidential data, PII, financial information, etc. does not leave the company through any exit point."

While DLP is certainly an important component of data protection, Gavila cautioned that it's not sufficient on its own. He noted that many companies have invested in DLP solutions but ended up disabling them due to issues with false positives blocking legitimate business processes.

"A data protection project is not only about DLP," Gavila emphasized. "It's about understanding data - what really needs to be blocked and protected. We need tools for data classification and also for securely sharing data that must be shared."

He outlined three key aspects of effective data protection:

  1. Protecting sensitive data from unauthorized access/exfiltration
  2. Understanding and classifying different types of data
  3. Enabling secure sharing of data that needs to be shared externally

Gavila stressed the importance of a holistic approach rather than relying solely on DLP technology. By gaining a deeper understanding of their data and implementing the right mix of controls, companies can better protect sensitive information without impeding business operations.

Operational Technology Security

The discussion then shifted to the unique security challenges posed by operational technology (OT) environments. Mo Cashman, Field CTO at TRX, provided expert insights on this topic.

Cashman explained that OT refers to the hardware and software that monitors and controls physical devices and processes in industrial settings. This includes SCADA systems, industrial control systems, and similar technologies used in manufacturing, oil & gas, utilities, and other sectors.

"OT has some particular risks that used to be managed separately from IT or the rest of the business," Cashman noted. "But I'm seeing a trend towards more combined IT/OT security operations capabilities."

He described the concept of a "fusion center" that brings together intelligence and monitoring for both IT and OT systems. This integrated approach is valuable because many incidents affecting OT systems actually originate in the IT environment.

Cashman highlighted several best practices for OT security:

Shared Responsibility Model

Similar to cloud security, there needs to be a clear understanding of security responsibilities between OT vendors and the organizations using their systems. Cashman explained:

"Companies like Emerson, Honeywell, and Siemens who make SCADA systems have a level of responsibility in securing them. The enterprise also has responsibility in driving security and managing risk - they can't outsource that trust."

He noted that there is often friction between enterprises and OT vendors on security issues. Clearly defining roles and responsibilities is crucial.

Incident Response Planning

Organizations need to consider how OT systems factor into their incident response processes. Cashman posed the scenario:

"If you're in the OT space and you have an incident in a plant in Singapore, who's responsible? How do you get Emerson or Siemens involved? Who from the plant side is involved?"

Having clearly defined protocols for OT-related incidents is essential.

Comprehensive Security Controls

Cashman emphasized that OT security goes beyond just endpoint protection:

"It's not just about the endpoints or devices. Similar to other aspects of your applications, there are network security requirements, boundary security, SOC monitoring, and specific intelligence that you need to collect."

A multi-layered approach considering all aspects of the OT environment is necessary.

Cultural Alignment

Bringing IT and OT security teams together requires bridging some cultural differences:

"On the IT side, if you want to block an IP address or a host, it's not a big deal. On the OT side, that could stop production or cause other disruptions," Cashman explained.

He noted that the primary goal on the OT side is safety, while IT prioritizes security. Finding ways to align these different mindsets is crucial for effective collaboration.

By following these best practices, organizations can better secure their OT environments and reduce risk across both IT and OT domains.

Third-Party Risk Management and DORA Compliance

The conversation then turned to regulatory compliance, specifically the EU's Digital Operational Resilience Act (DORA) and its implications for third-party risk management. Jan S., Vice President at MasterCard, provided expert analysis on this topic.

Jan explained that DORA places significant emphasis on ecosystem resilience, going beyond an organization's internal security to consider the broader network of partners and vendors. This makes third-party risk management a key focus area.

"When I speak with organizations, they tell me there are two topics that are most challenging with DORA: third-party risk management and incident response," Jan noted.

He outlined a structured approach to third-party risk management under DORA:

1. Risk Categorization

Organizations need to categorize their third-party relationships based on criticality and risk level. Jan explained:

"First you need to put them into different buckets depending on the criticality of those third parties. Some will be critical, some moderate risk, some low risk."

Factors to consider include:

  • Dependencies on the third party
  • Types of data being exchanged
  • Level of system access provided

2. Define Responsibilities

For each third-party relationship, clearly establish where security and compliance responsibilities lie. Jan noted:

"You need to establish where the responsibilities are - in which cases you are the data owner and they are the controller, or vice versa, or cases where you are jointly responsible."

3. Onboarding and Monitoring Processes

Develop appropriate processes for onboarding and ongoing monitoring of third parties based on their risk category. This should include:

  • Due diligence procedures
  • Security assessments
  • Continuous monitoring controls

4. Incident Notification Requirements

Define incident reporting expectations for each third-party relationship. Jan emphasized:

"You need to understand in which cases you need to be notifying them about incidents, as well as which third parties you are responsible for notifying."

This ties back to the incident management requirements in DORA.

By following this structured approach, organizations can better manage third-party risk and maintain compliance with DORA's requirements. Jan stressed that while challenging, effective third-party risk management is crucial for overall operational resilience.

Regulations Impacting Small and Medium Enterprises

The panel also discussed regulations specifically impacting small and medium-sized enterprises (SMEs). George Sharov, COO of the European Software Institute, provided valuable insights on this topic.

Sharov highlighted the EU Cyber Resilience Act as a key regulation affecting SMEs. He explained that this act focuses on:

  • Improving resilience across supply chains
  • Addressing the role of SMEs in overall ecosystem security
  • Enhancing risk management practices for smaller organizations

"We have to consider the Michael Porter model of the supply chain, which is actually a value chain," Sharov noted. "Companies receive external services to fulfill their mission, and the smaller the company, the larger number of external services they typically use."

This creates unique security challenges for SMEs, as they often lack the internal resources of larger enterprises but still face significant risks through their supply chain and technology dependencies.

Sharov emphasized the importance of Software Bill of Materials (SBOM) in this context:

"SBOM is something that every organization should implement, and it will soon be a requirement under the Cyber Resilience Act."

An SBOM provides an inventory of all software components used by an organization, including open-source and third-party code. This visibility is crucial for managing supply chain risk and addressing vulnerabilities.

The goal, according to Sharov, is to develop standards and practices that are adaptable and applicable to organizations of all sizes, including SMEs. This will help improve overall ecosystem resilience by ensuring smaller organizations can effectively manage their cybersecurity risks.

Emerging Threats in the Financial Sector

The panel also touched on emerging threats specifically targeting the financial services industry. Jan S. from MasterCard shared insights based on their threat intelligence capabilities:

"When we look at Europe, we see that the majority of attacks were executed through malware and ransomware," Jan explained. "In the Balkans region, we see a lot of SMS phishing (smishing) attacks targeting end users and consumers."

He noted that while these attack vectors remain prevalent, the threat landscape is constantly evolving. Significant events like geopolitical conflicts, pandemics, or the discovery of major zero-day vulnerabilities can rapidly shift attacker tactics.

Jan emphasized the importance of ongoing threat monitoring and intelligence sharing to stay ahead of emerging risks. Organizations need to maintain visibility into threats relevant to their specific industry, region, and technology stack.

Best Practices for Penetration Testing

The discussion also covered best practices for penetration testing as a means of validating security controls. Yenko Gavila of Forter shared his perspective on this topic.

Gavila stressed the importance of comprehensive testing from multiple angles:

"You cannot rely on one thing - you have to do everything you can. Internal penetration testing, external penetration testing, everything. Because the attackers will do everything, they will try each and every angle."

He cautioned against over-reliance on automated tools, noting that while they are necessary, they are not sufficient on their own. Human testers are still crucial for creative problem-solving and identifying nuanced vulnerabilities.

Gavila also highlighted the industrialized nature of modern cybercrime:

"The hackers trying to attack our systems are not lone individuals in dark rooms. They are highly trained, highly specialized teams. Some specialize in initial access, others in exploitation. They work in a very organized way."

This sophisticated threat landscape necessitates equally sophisticated and multi-faceted testing approaches. Organizations should combine automated scans, internal testing, external red team exercises, and other methods to gain a comprehensive view of their security posture.

Coordinated Vulnerability Disclosure

The panel concluded with a discussion on vulnerability disclosure practices. George Sharov explained the concept of Coordinated Vulnerability Disclosure (CVD) as mandated by EU regulations:

"According to the NIS2 directive, it's officially required in Europe to implement a CVD mechanism at the country level," Sharov noted. "Each member state should appoint a contact point for vulnerability disclosure."

He emphasized the importance of responsible disclosure practices to prevent vulnerabilities from being exploited by malicious actors. Sharov outlined several key aspects of effective CVD programs:

  • Secure communication channels for reporting vulnerabilities
  • Clear processes for validating and triaging reported issues
  • Defined timelines for vendor notification and patch development
  • Coordinated public disclosure once mitigations are available

Sharov noted that while progress has been made, many countries, including Bulgaria, still need to fully implement robust CVD mechanisms. Establishing these programs is crucial for improving overall ecosystem security and fostering collaboration between researchers, vendors, and end-user organizations.

Conclusion

The cybersecurity landscape continues to evolve at a rapid pace, presenting both challenges and opportunities for organizations across all sectors. This panel discussion highlighted several key themes:

  1. The need for holistic approaches to data protection that go beyond just technological controls
  2. The growing importance of operational technology (OT) security and IT/OT convergence
  3. The impact of regulations like DORA on third-party risk management practices
  4. The unique security challenges faced by small and medium enterprises
  5. The persistence of traditional attack vectors alongside emerging threats
  6. The value of comprehensive penetration testing programs
  7. The importance of coordinated vulnerability disclosure mechanisms

By staying informed on these issues and implementing robust security practices, organizations can better protect themselves against cyber threats and maintain compliance with evolving regulations. Continuous learning, collaboration, and adaptation will be key as the cybersecurity field continues to advance.

The insights shared by these industry experts provide valuable guidance for security professionals, business leaders, and policymakers alike. As cyber risks become increasingly complex and interconnected, a multi-stakeholder approach to security will be essential for building true digital resilience.

Article created from: https://youtu.be/hsPGKVnpzk8
