
CPS Keynoter: ‘Cybersecurity is Not About Technology’

LOS ANGELES — Roger Cressey, a cybersecurity and counter-terrorism expert who’s served and advised in three presidential administrations, didn’t mince words during his keynote presentation at the Dec. 16 Content Protection Summit event: “Cybersecurity is not about technology.”

That earned more than a few grumbles from the technology-oriented, vendor-heavy crowd at the Luxe Sunset Boulevard Hotel, but only until Cressey expanded on the idea: “If you rely on technology for cybersecurity, you will fail, because humans are in the loop.”

Cressey, the go-to counter-terrorism analyst for NBC and the founder and CEO of personal safety organization Stiletto Agency, took a tough-love approach with the audience, listing all the ways organizations are attacked, the business-ruining consequences of not being prepared, and just how far behind so many companies are when compared to the threat actors in the world.

“It’s an arms bazaar out there,” he said, noting that cyber criminals now spend months doing strategic reconnaissance on networks before striking, and constantly exchange attack ideas with each other (and sell attack products within their community). And while ransomware and phishing may always remain persistent threats, most organizations aren’t even close to being prepared for the horrors that come from Trojan logic bombs or attack and destroy forensics.

“The flat, interconnected network we’re in provides a lot of lateral movement opportunities for bad actors,” Cressey said. “Are they sophisticated? We can debate that. But they are thinking outside the box, and you need to as well.” One thing’s for sure in his view, and he repeated it throughout his presentation: “The attacker always has the advantage. Full stop.

“The only way you don’t have risk is if you unplug. That’s the mentality you need to adopt.”

While accepting we’re all vulnerable, there’s plenty that can be done to be prepared for what may come, Cressey said. Take a hard look at how to address both kinds of potential insider threats (“The premeditated threat and the unintentional doofus,” Cressey quipped). Understand every inch of the software you’re buying, to avoid unaddressed vulnerabilities. Know who has access to your network, especially with the extension into workers’ homes. Be on top of all your dependencies, locking down everyone who is connected. And think of every possible attack that may happen, in advance, for a more effective incident response plan.

“Don’t tell me I’ve been shot, tell me where the shooter is at,” Cressey said. “And create an accountability culture. It’s not about who’s responsible, it’s about who’s accountable. Treat cybersecurity like you would harassment and discrimination: zero tolerance.

“And if you can’t implement multi-factor authentication into your organization, do yourself a favor, and donate your security budget to charity.”

The event was open to remote attendees worldwide using MESA’s recently introduced metaverse environment, the Rendez.Vu-powered MESAverse, an interactive 3D-world that allows for hybrid live and virtual events.

To kick off the event, Richard Atkinson, the newly elected president of the Content Delivery & Security Association (CDSA), Michael Haynes, global telecom, media and entertainment solutions leader for IBM, and Janie Pearson, director of business development for Synamedia, delivered welcome remarks. “It’s important that we come back together, and I hope we have more in-person events,” Pearson said.

The Content Protection Summit was produced by MESA, presented by IBM Security and Synamedia, sponsored by Convergent Risks, Richey May Technology Solutions, PacketFabric, archTIS, Code42, INTRUSION, NAGRA, StoneTurn and Vision Media.