ISMG Editors: What's the Status of the SBOM?Also: Highlights From ISMG's Upcoming Healthcare Summit
In the latest weekly update, four editors at Information Security Media Group discuss important cybersecurity issues, including the hot topics at ISMG roundtable discussions - such as challenges around software supply chain security, highlights from ISMG's upcoming Healthcare Summit, and how some cybersecurity vendors are creating their own venture funds.
See Also: Live Webinar | Breaking Down Security Challenges so Your Day Doesn’t Start at 3pm
The editors - Anna Delaney, director, productions; Tom Field, senior vice president, editorial; Michael Novinson, managing editor, business; and Marianne Kolbasuk McGee, executive editor, HealthcareInfoSecurity - discuss:
- A summary of the latest themes raised in ISMG roundtable discussions, including software supply chain security and executive digital protection;
- Highlights from ISMG's Healthcare Summit to be held in New York City next week;
- How cybersecurity vendors, such as Ping Identity and CyberArk, are creating their own venture funds.
The ISMG Editors' Panel runs weekly. Don't miss our previous installments, including the June 24 edition discussing when an insider threat costs millions and the July 1 edition discussing how Russia's war has changed the cyber landscape.
Anna Delaney: Hello, I'm Anna Delaney and welcome to the ISMG Editors' Panel, a weekly show, where I'm joined by three of my colleagues to discuss their take on the week's top stories. And with me this week are Tom Field, senior vice president of editorial; Marianne Kolbasuk McGee, executive editor of HealthcareInfoSecurity; and Michael Novinson, managing editor for ISMG business. Thank you very much for joining me.
Tom Field: Thanks for having us back.
Delaney: So, Tom, beautiful skies again. Is that from Fourth of July?
Field: It's the fifth of July and it would have been my grandfather's 111th birthday. I was staying at the lake house that he built 60 years ago. I thought it was a beautiful way to honor him.His name was Oliver C. And I remember him; he never went more than 50 miles away from where he lived his entire life, but had a huge influence on me. Anytime you hear me make a quick comment, it comes from him; anytime you hear me say something inappropriate, it comes from him. He used to say, "There is no such word as can't." But he never had an issue with won't.
Delaney: He sounds like a brilliant man. I don't blame him for not traveling more than 50 miles outside. It's beautiful. Impressive. Marianne, another outdoor scene.
Marianne McGee: Yeah, and this is within 50 miles of my house. Plymouth Harpers Park. I showed you the Mayflower II last time. This time you see the park.
Delaney: Very nice, very civilized. Michael?
Michael Novinson: This is Nori the Dragon. Nori sits atop the Providence Children's Museum in Providence, Rhode Island. He was a gift from the Boston Museum of Fine Arts. The Children's Museum was opening up and they needed a home for the dragon so they figured what better to add a whimsical touch to the Children's Museum than to have a dragon wrapped around the former industrial building. It's always nice to see the dragon and my daughter loves going there. They know her by name.
Delaney: I'm back in New York this week. And this is from the interior of the Met Art Museum. I think this room homes the Egyptian artifacts. I promise you I'll share something else next week. No more New York.
Field: I might not. It's nice up here in New England. It's a good time to stay at the lake.
Delaney: Tom, you've been hosting a few roundtables recently. Can you share some highlights?
Field: Absolutely. I think it's something we all participate in. We still have a full slate of virtual roundtables, as well as in person roundtables. I've got one later today that's going to be on automation. There are a couple of topics that stand out. I think one thing that we need to step back and let our audience know is we don't just host these roundtable discussions, we are editors and we all participate in these. And it's a way for us to get particularly close to our constituency, to the security leaders, to the vendor community, and to understand what's being talked about and what's being experienced. I think that gives us a unique edge. A couple of topics I've been able to discuss recently, one is software supply chain security. Been doing a series of discussions with Veracode, leading these with their CTO and co-founder, Chris Wysopal. And some of the takeaways have been interesting. Software supply chain security is a huge vulnerability for organizations. Log4j made that terribly apparent for us last Christmas. As recently as just a couple of months ago, more than 40% of the Log4j downloads were for the original infected version. Organizations aren't learning lessons. We have these discussions about supply chain security issues and it's clear that organizations of all sizes are challenged just to know what they have for code within their organizations. There is a huge asset inventory issue. And even though the executive order from last year talked about the software bill of materials, and everyone's conversant with the SBOM, the SBOM has kind of become like information sharing. Everybody wants the information, everybody wants the SBOM, and people are reluctant to provide it. So this is becoming a significant challenge for organizations, and I'm enjoying these discussions, because I don't know if we're necessarily resolving the issues. Talking about them is important. And they're consistent no matter what type of sector you're talking about, or size of organization. Another topic of discussion I've enjoyed has been with Chris Pierson, the CEO of BlackCloak, which provides executive digital protection. And the premise here is, as security leaders, you have been protecting executives and senior leaders and board members within the traditional corporate perimeter. What happens when they go home? How secure are those homes and the networks for those homes? How secure are the devices they're using? Who has access to these devices into the homes? And it's been a bit of a wakeup call, particularly for the participants as they start to realize how vulnerable executives' homes and devices are, how vulnerable the executives are, how they have become accidental insider risks because of these issues. As we talk about these, all over the country, in person, virtually, with executives from all sectors, we find that these are questions that aren't being asked. A lot of the security leaders are saying I wish someone in our organization was asking what we're doing or what we should do. And there's an opportunity here for CISOs, particularly to step up and take control of this issue, because the hybrid workforce isn't going to go away. You know, what we do on these devices isn't going to change. We've got to extend this cloak of executive digital protection more broadly than we have. These have been topics I have particularly enjoyed. They are ongoing and just demonstrate how in these roundtable discussions, whether in person or in Zoom, we're having important discussions with security leaders.
Delaney: These are important discussions. And thinking about the home, it's not just the executives presumably in their home. They've got children, loved ones and family members, and if the criminal gets access to their devices and images on their devices, you can imagine the potential harm there.
Field: Any of us that have children understand the opportunities that are being opened up by social media, by shopping, by so many different things. And it's not often that executives have segregated networks or segregated devices, there's a lot of sharing going on. And one of the first things that organizations such as BlackCloak do is penetration testing. It's a good thing we're sitting down when we get the results of these pen tests.
Delaney: I was looking at some of the research that they released, I think they said that nine in 10 cell phones and tablets lack security software. That’s nearly 100%. But also going back to the SBOM, you said at the beginning of this year that this could be the year of SBOM. Is 2022 the year of SBOM?
Field: It's the year people are talking about it. We've gotten halfway through it at least as part of the conversation. But it's something that everybody wants to receive from their suppliers. But are they prepared to offer that in return? I don't think we're there yet. I don't know that we've come to a determination about what the proper SBOM format even is. That's still in discussion, but it's something that's going to have to mature pretty quickly.
Delaney: How has the conversation changed, compared to last year, in may be tone or content?
Field: A year ago, we thought SBOM was an expletive. I think it's changed in tone. And we understand what it is now. But we've got to get beyond understanding and that comes back to the discussions we have with government folks all the time. We've got to get beyond interpreting and understanding the executive order and actually executing. Government doesn't work particularly fast. Adversaries do. We've got to quicken our pace.
Delaney: Highly informative. Thanks, Tom. Talking of upcoming summits, Marianne, I know you've been working hard on our upcoming Healthcare Summit in New York next week. Can you share some highlights or what we are going to expect?
McGee: Sure. The live Healthcare Summit is taking place in New York. It's taking place in person on July 12, and it is our first in-person healthcare security summit since 2019. The summit is hybrid and it will also be available virtually on July 12 with a replay on July 13. We've got a great lineup of speakers and panelists from all corners of the healthcare sector, and a full agenda of sessions addressing important and timely cybersecurity and privacy issues. Speakers and panelists include some of the government healthcare sector leaders that include Dr. Suzanne Schwartz, who heads up Medical Device Cybersecurity at the FDA, and Nicholas Heesters who is a cybersecurity advisor at the Department of Health and Human Services Office for Civil Rights, which enforces HIPAA. We have Josh Corman, who just finished up a stint at DHS CISA as healthcare sector chief strategist during the height of COVID. Josh will be providing a call to action overview of what the healthcare sector needs to be doing right now to strengthen its position in health care overall to fight the latest and most serious cyberthreats that we're seeing. Panelists and speakers also include Errol Weiss of the Health Information Sharing and Analysis Center, and Errol also has a very broad view of the healthcare sector and its latest cybersecurity trends and challenges. Other speakers include legal and cyber insurance experts, and highly regarded CISOs from healthcare provider organizations, medical device vendors and other critical supply chain companies, as well as experts from leading cybersecurity vendors. Topics that we'll be tackling include medical device cybersecurity, third-party risk, identity, cybercrime, fraud, cyber insurance, evidence-based approaches to security, ransomware and top cybersecurity lessons that are emerging from the pandemic. I'm excited to have a chance to spend time discussing these and other important topics with our esteemed speakers and panelists next week and also to have an opportunity to chat with our summit attendees. Folks who are interested in attending the hybrid summit, either in person or virtually, can go on to any of ISMG's news sites, including healthcareinfosecurity.com, and click on Events to register. I just want to thank our summit advisory committee members, including Michael McNeil of McKesson, Errol Weiss of H-ISAC, Christopher Frenz of Mount Sinai South Nassau, Anahi Santiago of Christiana Care, Mitch Parker of Indiana University Health and Thad Phillips of Baptist Health Care for their valuable input in planning for the event.
Delaney: It sounds absolutely brilliant. Marianne, as you put together all the content, was there one theme that links each one or each one of the presentations that's quite pertinent to 2022?
McGee: One of the underlining things that kind of came through and it's probably going to come up again, at the summit, that hopefully no one gets COVID. But the pandemic changed a lot. Some things stay the same and the healthcare sector has been a laggard compared to some other sectors and many things cyber wise. But I think the pandemic put the magnifying glass on health care, because the threats certainly didn't disappear. But the challenges just piled up for health care. Vulnerabilities just became much more vulnerable and obvious for many of these entities.
Delaney: I look forward to watching it virtually. Michael, cybersecurity vendors are creating their own venture funds, what can you share?
Novinson: Thank you. Anna, it's a trend we've been seeing over the past couple of years here. And if you look more broadly in the technology sector that we've had several of the big technology firms doing this for a while, most notably Alphabet's CapitalG for a number of years, Salesforce has Salesforce Ventures, Dot Technologies has Dot Technologies Ventures. We haven't seen this much historically in the cybersecurity space, but that's been starting to change. Today, the most active fund by a considerable margin is the Falcon Fund. It's managed by CrowdStrike. It's been going for a couple years. They've recently raised some additional money to try to shape that early and mid-stage startup environment in their image. A couple years ago, Symantec launched their own venture fund in their pre-Broadcom days. Similarly, Palo Alto Networks launched a venture fund back in 2017, the two of those don't seem to be as active anymore. But we are seeing a lot of activity in the identity security space. Okta's had a venture fund for the past couple of years. Perhaps not coincidentally, a couple of their biggest competitors have decided to step up to the plate as well. Sstarting in April, we saw CyberArk who's category leader in privileged access management, viewed a $30 million venture fund, they're taking a broader approach to the industry so they're not necessarily looking to invest in identity, but they're looking to get more into things like micro-segmentation or cloud technologies, things that they can essentially embed it or they can build integrations and APIs into their platform. CyberArk was number one. And then a month later, we saw Ping Identity, which is in identity and access management space, which is a direct competitor of Okta in both the workforce and the customer, draw a venture fund, which was a $50 million fund. They're looking to go a little bit work with slightly later stage companies that they're wanting to go up to Series B, while the CyberArk one is more focused on Seed and Series A and the Ping Fund is looking to stay narrow, that they figure that they know identity the best and they want to focus on startups that are taking on different areas within identity such as identity verification, identity governance, machine identity, that they don't feel that they're the best qualified to evaluate kind of a field security technologies. This is a little different in terms of the security funds, they're smaller. So they're not going to be a lead investor around nor do they necessarily have the expertise internally to do that. They're really looking to be supporting investor and to provide good market, since anybody they're investing in can tap into their customer base and their partner base, but also to provide leadership technology expertise and acumen. But they're not. Neither CyberArk Ventures nor Ping Ventures are looking to lead massive rounds the way that we've seen like CapitalG or Salesforce Ventures do, but it is a newer dynamic. It's going to be interesting, because now with it, once one sale point is sold to Thoma Bravo, we'll have three pure play identity security companies who are publicly traded after Ping and CyberArk, and all three of them will have these venture funds. Interesting to see how active these are in the years ahead.
Delaney: And do you expect others to follow suit?
Novinson: I think we will see that. CrowdStrike has had a pretty stellar impact on the industry. So I do think we'll see other ones, I do think it is the domain of publicly traded companies in order to do this. It would be bizarre to have somebody who's still in the startup world funding other startups. I think this is going to be more on the public side. For the companies, they get to know some of these early stage startups, but they get to make sure that these startups have APIs, and they have integration features that will allow them to be more interoperable with their technology. So it does make sure that it keeps some of the more established vendors at the center of the startup conversation going forward.
Delaney: Thank you for those updates, Michael. Finally, who do you rate on Twitter or LinkedIn as a good source of security knowledge and/or information? Who do you enjoy following? Who should we follow to?
Field: I am a big fan of Richard Bird. He is currently with SecZetta. We know him as someone who's certainly an identity proponent, is part of our zero trust, brand trust. When he speaks, he speaks about cybersecurity. He speaks passionately about identity, but he also speaks passionately about his personal life, about social issues, and you get the complete package. When Richard is in, he's all in. When he speaks, I listen. Very much enjoy him and recommend him.
Delaney: Nicely introduced. I was enjoying some of his posts this week. He communicates very well. He argues his case very well. Great one to follow. Michael?
Novinson: What's been helpful for me in my day-to-day job is keeping an eye on cyber, particularly on LinkedIn. It's nice to have additional eyes and ears, particularly folks who are connected with the funders and key players. For me it is somebody who wants to keep abreast with the industry making sure that I'm not missing anything big.
Delaney: Good. Marianne?
McGee: I like keeping my eye on some of the healthcare privacy security experts. Attorneys including Kirk Nahra, David Holtzman, and Michelle Dennedy. I like reading Michelle's tweets. She is, like Tom was saying, a mix of business and family and personal and funny. I like following Michelle.
Delaney: I was going to say Rob Lee, particularly as the situation in Ukraine and Russia has unfolded and the intel that he's providing and his experience as well. I think he's definitely one to follow. That's all we have time for unfortunately. Thank you so much all of you. And thank you so much for watching. Until next time!