May 17, 2018 By Louise Byrne 4 min read

To quote Keren Elazari, “The immune system requires us all to collaborate.” On May 15, 2018, that’s exactly what over 100 security leaders from across the U.K. and Europe did, coming together for a day of thought leadership, learning and sharing at the Institute of Engineering and Technology (IET) in London.

The event was especially significant because it was the first ever IBM Security Summit to be held in London. As a major center of business and enterprise, London was the perfect location to bring people together. We were even lucky with the weather, with glorious sunshine throughout the day helping to make the event truly memorable.

Three Key Lessons For Security Leaders

Throughout the summit, three key themes and lessons emerged. The first was the importance of security for everyone — not just chief information security officers (CISOs) and security leaders, but also ordinary people on the street. The growing awareness of security issues and the ways in which vulnerabilities can be used to affect everyday life in catastrophic ways means that security is now a rapidly growing concern for customers. Therefore, it should become a higher priority for every area of a business.

Another key lesson from the day was that security professionals must work together or risk falling behind. Cybercrime is quickly becoming a very profitable venture and to be successful against it, CISOs must find ways to share their knowledge with each other safely and quickly.

The third lesson from the day was that to outsmart the cybercriminals, security leaders need to think creatively about where to find help. Untapped talent can be found in unexpected sources. For example, companies might consider offering rewards to friendly hackers who choose to report the vulnerabilities they find.

Everything in the World Is a Computer

In his session, Bruce Schneier gave a fascinating talk on how, since everything in our world is now essentially a computer, the rest of the world needs to learn some crucial lessons about cybersecurity. The theme of cybersecurity for everyone arose repeatedly throughout the sessions and keynotes.

In her inspirational keynote on the future of cybersecurity from a hacker’s perspective, Keren Elazari spoke about how cybersecurity is about our way of life. It is no longer just about protecting our secrets or our bank details — it’s about protecting the very way we live.

This theme was also clear in Dr. Saif Abed’s captivating talk on healthcare as the new frontier for cyber warfare. In this industry, breaches can be deadly — patient records can be compromised, blood test results can get mixed up, and this should be a major concern for everyone.

Abed highlighted the increasing digitization of hospitals, which expands the threat surface and puts more patients at risk. Humans often implicitly trust systems, meaning that integrity-based attacks are a real concern. Any system that becomes digitized in a hospital is a prime target.

Coming Together to Improve Security

Collaboration was another theme that repeatedly surfaced during the London Security Summit. In his opening, Rob Sedman, director of IBM Security in the U.K. and Ireland, asked the attendees to think about how they could work better together and learn from each other. By the end of the day, he said, everyone in the room should have three or four new security contacts. It is safe to say that many of the attendees achieved this goal because there was active participation and networking throughout the day, with security leaders in the breakouts frequently raising their hands to share their opinions and perspectives and speaking openly about their experiences and challenges.

The CISO panel offered some great perspectives on collaboration, particularly the importance of trusted networks and one-to-one relationships between CISOs for coaching and guidance. IBM’s own CISO, Shamla Naidoo, spoke about the practicalities of collaboration and how tools such as the IBM X-Force Exchange allow security leaders to consume important information about indicators of compromise (IoCs) and cyberattacks more easily. This helps them avoid the difficulties that can arise with duplication, validation and different formats.

A Hacker, a Doctor and a Best-Selling Author

Summit attendees noted that they enjoyed the variety and range of perspectives from the speakers and breakouts. “The content was relevant and ranked very highly,” said one attendee. “Brilliant breadth of speaker, industry and topics,” said another. “It’s been an exceptionally inspiring event with great insights and engagement!”

This was due in part to the fact that attendees were able to choose any two of three very different breakout sessions: A “Design Thinking” session that discussed how to influence the board with regard to cybersecurity investment, a simulated security operations center (SOC) experience, and a session on innovating with cloud. All three sessions had great engagement and questions from the audience.

The attendees also appreciated the focus on thought leadership and vision rather than technology. In “Right of Boom: Leadership-in-Crisis Post Breach,” Caleb Barlow, vice president of threat intelligence at IBM Security, conducted an interactive exercise with the audience. Attendees were divided into groups to unpack a scenario in which a board member received a call from a journalist asking to comment on a breach.

The groups thought about the response from either an HR/legal, IT/security or press/communications perspective, focusing on what needs to be done once a boom moment happens — and the need to practice those situations so everyone knows what to do when they occur.

The message of the session was clear: A company can damage its brand and lower its stock value by the way it reacts (or doesn’t react) to a data breach.

Friendly Hackers Could Be Our Greatest Allies

The main content of the London Security Summit ended with an invigorating and inspiring talk from Elazari, a self-professed geek and friendly hacker.

Elazari shared her journey into the cybersecurity industry and highlighted the amazing talent that exists within the friendly hacker community — researchers who use their curiosity and creativity to show the myriad ways in which technology can be used and exploited. She also spoke about how organizations must work together and humans must learn to work alongside technology to perform the crucial work that machines are unable to do, such as making others care about cybersecurity, digital forensics, incident response and threat hunting.

This glimpse into the future of cybersecurity was a brilliant way to end the day, and attendees left the event with a revitalized passion for cybersecurity as they headed for drinks and networking on the roof terrace.
