From COVID-related cyberthreats to privacy laws to PCI programs, from firewall configuration to e-commerce web skimming, SecurityMetrics Summit 2020 provided cybersecurity content and sessions for everyone in the data security and compliance industry.
In this post, we recap the top moments, quotes, and topics from this year’s virtual sessions.
SecurityMetrics Summit Live Keynote
Our keynote is led by CEO Brad Caldwell and JB Bartholomew, VP of Technology, and features VP of Forensics Dave Ellis, SIEM Operations Director Matt “Heff” Hefflefinger, Senior Director of Penetration Testing Chad Horton, and Director of Assessments Matt Halbleib.
“Twenty years ago I experienced my own data breach. It was painful, it was awful, and I never wanted to experience it again. So I created SecurityMetrics to protect businesses from the same pain,” says CEO Brad Caldwell.
He outlines the mission of SecurityMetrics from its very beginnings as an ASV-certified scanning vendor until now: a full-service cybersecurity and PCI DSS compliance firm with an on-site security operations center (SOC), and award-winning technology patents that protect the payments ecosystem from malicious attacks.
The Keynote panel also spends a good deal of time discussing the current cyber threat landscape which SIEM Operations Director Heff describes as, “broader and wider than it’s ever been . . . just massive. The threat landscape is evolving at such a velocity that it’s difficult for anyone in the industry to keep up with.” The sheer number of types of hackers set against the background of motivation–money, thrill, political gain–make fighting cybercrime a huge undertaking. However, there are so many things organizations can do to prevent compromise.
With around a century of experience in the tech and security industries between them, the panel member shared their viewpoints and insights of the security and compliance industry–where it’s been, where it’s going, and what SecurityMetrics is doing to support and protect it.
SecurityMetrics Summit 2020 Day 1
PCI DSS 4.0: The Future of PCI DSS Compliance
Gary Glover, VP of Assessments
“Change is a good thing.”
Why make a major revision of the PCI DSS? People wonder why a standard that is considered “mature” would need to be changed. In short, we as a payments security try to keep the PCI standard dynamic. We want to keep up with industry changes and the PCI Council needs to address changes in technology and keep up with the bad guys. A lot of the changes you are going to see will fall into two categories: updating and clarifying existing requirements, or adding new requirements.
Gary explains about this revision in particular, “It’s been a very interesting revision and a great experience for me as a QSA. The Council has done an incredible job involving the community. Early involvement, multiple RFC rounds, roundtables, and feedback from merchants has helped make PCI DSS 4.0 revision experience the most fulfilling process yet.” He goes on to outline the specific changes you can expect and how you can best prepare your organization.
How to Conduct a Remote PCI Assessment
Matt Halbleib, Director of Assessments
They are the questions on everyone’s minds: how has the COVID crisis affected PCI Compliance? How can we conduct an assessment if we can’t travel or go into the office? Do we even need to do audits? Beyond that, how might the assessment process look in coming months? Will the Council allow remote assessments? How long will they allow them?
After all, the PCI Council explicitly states that, “the QSA is expected to be physically on site for each PCI DSS Assessment, though the duration of the on-site visit will vary.” (PCI SSC FAQ 1455) Matt addresses this issue in detail and answers many of the common questions businesses have about how to conduct remote PCI Assessments. During this time of uncertainty, we want to help businesses know what they can expect and how they can best be prepared for their PCI DSS Assessments and deadlines–which is the last thing they want to be unsure about right now.
COVID-19 Lessons For a Secure Workplace
Michael Simpson, Principal Security Analyst
Michael Simpson helps attendees understand the enemies those of us work with sensitive data face. He brought up the fact that drastic changes can make us more susceptible to these enemies and their attacks, in many ways that we may not even be aware of.
"Due to the pandemic, there's been an unprecedented shift to a remote workforce. Much of this shift happened practically overnight."
Michael outlines how businesses can avoid the common pitfalls of remote workforces, how they can best protect themselves and their data, and what important risks they should be sure not miss in all of the chaos of the pandemic.
Healthcare Problems, Security Solutions
Jen Stone, Principal Security Analyst
“Why are security and compliance gaps so prevalent in the healthcare industry?” The reasons are convoluted and complicated, but Jen Stone breaks them down for her attendees into three understandable concepts which she covered in depth: knowledge, tools, and alignment.
She explains, “you’ve got to know what you are protecting in order to protect it.” This is done by increasing knowledge compliance and privacy at your healthcare practice. Jen is not afraid to dive into the important parts of the HIPAA standard itself. As she said with a smile, “we can suffer through it together.”
HIPAA is not easy to understand. It’s even more difficult for the average person to understand its practical applications.
Misconceptions are many and common, but Jen manages to translate what HIPAA “wants” you to do, and provides an expert-level roadmap that any HIPAA compliance officer can take and use to frame their data security program.
What I've Learned From 10 Years In PCI Compliance Program
Scott Robinson, Director of Customer Success
Scott has been working with customers for over two decades, and specifically with acquirers and merchants in the PCI DSS space for over ten years. He knows what makes a PCI program work and what makes it fail. Scott drives home the importance of defining your vision specifically as an acquirer, getting all parties on the same page, and understanding the tools and help that are available to you as a SecurityMetrics partner.
“At the end of the day, helping your merchants maintain their livelihoods, provide for their families, and enjoy their free time without worrying about a looming catastrophe feels good.”
5 Acquirer Tips for PCI Program Success
Kelly Rodriguez, Program Manager
Kelly uses the overarching concept of “action,” as it applies to managing a large-scale successful security and compliance program. She reminds attendees of the reality of data breaches: the prevention of which is the primary goal of PCI DSS compliance. If merchants don’t take PCI compliance seriously, they are much more likely to experience a breach–the fallout of which can cause them to close their doors.
Kelly reminds us that we tend to focus on the big news stories: the multi-billion dollar corporations that experience massive breaches, but the reality is that data breaches affect many more SMBs. On average, a data breach costs $35,000: not an amount any business wants to pay. That’s not to mention brand damage and loss of professional relationships.
"What best drives high-PCI Compliance programs?"
Kelly conveys 5 crucial tips for PCI Program managers to increase the likelihood of merchant PCI DSS compliance and decrease the risk of a merchant experiencing a devastating breach.
Top 10 Fatal Flaws in SMB Networks
Greg Steffen, Director of Managed Security Services Team
“Sorry to keep you up at night, but they (hackers) are after you. They want your secrets. And even your non-secrets.”
Any IT professional at an SMB knows that gaps in network security are a major attractant for hackers. So why do security analysts see so many “fatal flaws” on SMB networks?
“Whenever we install a firewall for a new customer, we get to see every nook and cranny: good, bad, and ugly, and we see the same problems pop up again.” Greg and his team sifted out the top 10 mistakes they see at businesses, ordered by potential for risk and damage. He shows attendees the ultimate “what if” list–from flat networks to what firewall traffic to allow–this list is indispensable security training for any IT team.
Panel: Current Cyber Threats and Why You Should Care
SOC/SIEM Director Heff and SOC Analyst Forrest Barth
“Things are just nuts.” SOC/SIEM Director Heff didn’t hold back on his honest opinions about the current cyberthreat landscape. But while COVID phishing scams, web skimming, and ransomware rage, if you can understand the landscape, you’re halfway there. When it comes to knowing your enemy, the SecurityMetrics SOC/SIEM is running reconnaissance. Heff and Forest closely monitor the daily ebbs and flows of cyber threats and attacks, and use that time-sensitive information to better protect SecurityMetrics customers.
Attendees learned about the specific motives, tactics, and trends they need to know in order to have a fighting chance against cybercriminals. Heff and Forrest delves into statistics and stories about phishing attacks, crypto-mining, and ransomware in the field, and followed up with the absolute essentials businesses need for threat detection and compromise prevention.
GDPR and CCPA: Privacy Changes and Your Role in Data Protection
Brittany Woodard, Product Manager
Privacy laws and mandates are quickly becoming enforceable around the world. What are the differences between them all, in terms of fines, requirements, and enforcement?
Brittany Woodard covers the most relevant privacy laws for attendees, giving the background, motivations, and privacy facts from around the world. The world is quickly changing; personal data is being uploaded constantly: what is your role in maintaining lawfulness, fairness and transparency? It is crucial that each individual and citizen understands their duty, and more importantly that every business and organization knows what they need to do to honor privacy and protect data subjects and consumers.
Summit Day 2
HITRUST Assessment Basics
Trevor Hansen, Security Analyst
“Assess once, report many.” If you’re in the healthcare industry, you’ve no doubt heard about HITRUST; the Health Information Trust Alliance.
As Trevor Hansen explains to attendees, HITRUST was created to help them reach information risk management and compliance objectives. Although it’s a relatively new certification, HITRUST is already widely accepted in the healthcare industry with 81% of hospitals and health systems and 83% of health plans utilize HITRUST’s certification standard framework (CSF). Trevor explains the differences between HITRUST and HIPAA, whether HITRUST can replace HIPAA, and the reasons why an organization might get HITRUST certified.
HITRUST is expanding from healthcare to being more applicable to payment card data and personal data protection, and security professionals need to know what it covers and if it may apply to their organizations.
Save Money on Your PCI Audit: How Scooping Boosts Your Budget
George Mateaki, Principal Security Analyst
“From a business point of view, what security controls are critical? It’s not about due diligence or proving compliance, it’s about real dollars. Your PCI DSS controls translate to saving you actual money. Every control in the PCI DSS standard is there because there was a related breach and loss of data.”
With over twenty years in IT, George Mateaki shares a broad perspective and attitude with attendees that can only come through decades of real-world experience.
His wisdom and perspective led him to focus on these questions:
“What is it that results in actual loss of data? What are the things that actually cost businesses money?”
All of the controls you employ reduce your risk to an acceptable level–humans need to mitigate risk, and that is no different in the PCI DSS world. “These are not little irritating hoops people have to jump through, these are things that people have lost data over. These are serious requirements.” George reviews the top things you need to focus on to improve your security and ultimately–your bottom line.
What to Expect When You're Expecting A Penetration Test
Chad Horton, Senior Director of Penetration Testing and Terrill Thorn, Penetration Testing Manager
“We want to help you maximize analysts’ time and save money,” says Chad Horton.
Time is money, and professional penetration testing is all about time: it takes time to research which firms are legitimate and thorough, time to understand what the test involves, time to scope your environment, and time to perform the test properly. Chad and Terrill explains to attendees the ways businesses commonly skimp on the time and due diligence involved, resulting in a weak and limited test.
They went on to list out the reasons why penetration tests need to happen in a very specific way–these reasons can feel like sticking points for businesses, and they often result in wasted time. Ultimately, there are no shortcuts in penetration testing. The scenery is only found on the scenic route, and SecurityMetrics Penetration Testing Team is well traveled. Chad and Terrill uses case studies, stories, and years of experience to help attendees understand more deeply what a real penetration test takes.
PCI Myth-Busters: 10 Misconceptions About Security Audits
Lee Pierce, Director of Sales Operations
“The biggest challenge in establishing your data security policies and practices is knowing what you need to learn more about,” explains Lee Pierce. A good PCI compliance partner will take the time to show you what you may be completely missing because not knowing what you need to know is far worse than not having an answer. And, if you’ve done your own PCI compliance for years, you may be even more likely to not know what you’re missing.
At SecurityMetrics, Lee and his team work to provide you valuable pre-assessment consulting to make sure you have the depth and direction you need to prepare for an assessment and become compliant. Lee explained this and listed out the top 10 misconceptions they run into while working with businesses. With years of experience and hundreds of customers helped, Lee gives generous tips and recounted real-life stories so attendees can understand what they likely don’t understand.
Easy, Breezy PCI Compliance
Sam Strong, Product Manager
“Let’s address the elephant in the room: when we talk about PCI, the first thought is that it’s complicated, hard, and illusive,” Sam explains to attendees.
But, understanding the inherent risks of life and the actions we take to mitigate those risks can help us accept the fact that there are good reasons for compliance. You want your customer to be able to get in, spend money, and get out with as little problem as possible. That’s where data security and compliance come in. Once you understand that the requirements were created to help protect you, they don’t feel like such a hassle.
Once we understand the importance and purpose of compliance, you can understand them for what they are: actions that mitigate risks and prevent worst-case scenarios. You will naturally appreciate that your solutions need to be powerful and effective. Sam goes on to illustrate the ways that actively addressing risk becomes “easy breezy” when you gain a deeper understanding of its importance. Further, Sam outlines a few tips and tricks to help businesses best meet PCI DSS requirements in a fast, easy, and accurate way.
Why Partner with SecurityMetrics for Data Security and Compliance?
Jason Leland, Director of Enterprise Sales
“Our customers choose SecurityMetrics and stick with SecurityMetrics because we value quality over quantity,” states Jason Leland.
When we provide a service, we are ultimately looking to remove you as the low-hanging fruit for hackers, and our customers appreciate that underlying goal. Jason outlined for attendees the excellent service and security we’ve provided to notable customers, including Carnegie-Mellon, who reported that SecurityMetrics helped them “build credibility with campus stakeholders and allowed them to confidently report their compliance.”
Jason explains how our values as a company directly contribute to the security and compliance at the organizations we work with; philosophies like proactivity vs. reactivity, a focus on security, and customer education that help give SecurityMetrics an unparalleled reputation for quality. Because SecurityMetrics is a full-service cybersecurity firm, customers often use the PCI DSS compliance product as a gateway to other professional services that address security gaps. We seek to keep communication high, simple, and fast throughout the entire process.
Meeting Merchant Needs: Balance Value and Simplicity
Robbi Watson, Director of Business Development
“Many merchants would throw PCI compliance out the window if they could, so we know that they value simplicity–and there are many things we can offer to give them that.” Robbi Watson explained to attendees how balancing simplicity, security, and value can sometimes be a puzzle to figure out. But SecurityMetrics is a company that can provide options, work with merchants, and find them the best configuration to achieve compliance and protect data.
“Obviously we can’t fill out the SAQ for merchants, but we can do everything we possibly can to make our process as user-friendly as possible to make it a positive experience.” Products like FastPass and Partner dashboards work together to save time and money from what could potentially be very expensive managed security tools. Robbi explains how in order to keep merchants happy, acquirers must provide simplicity and reduction of scope through technology and solutions, and value through monitoring and expertise that protects their business. Robbi goes in depth on how to provide these things to merchants, keep them happy, and help them prevent data breaches, all while balancing revenue streams.
Panel: Ecommerce Skimming Attacks and Solutions
Robert Reid (Director Product Management), Aaron Willis (Forensic Analyst), and Dave Ellis (VP Investigations)
This panel of experts dives headlong into the issue of web skimming, why it’s so pernicious, and how SecurityMetrics developed the patented Webpage Integrity Monitoring technology to stop web skimming and prevent credit card theft.