Editor’s note: This is the seventh in a series of interviews with the session leaders of the upcoming GSO 2025 event being held November 2 & 3, 2022 at the Vari (formerly VariDesk) global headquarters in Irving, Texas, near the DFW airport. The event is named with a future date because it takes a 3- to 5-year look ahead at where security leadership and security technology are going. Registration is open now.
SecurityInfoWatch.com (SIW) Editor-in-Chief Joel Griffin recently sat down with Ray Bernard, noted security consultant and author, columnist for Security Technology Executive magazine and writer for Security Business magazine and SIW, to inquire about the experience of attending the GSO 2025 summit.
SIW: Why is the GSO 2925 summit based on new ways of thinking?
Bernard: The corporate business landscape has changed considerably in the last few years, partly because of Covid-19 but also for other reasons. The traditional security thinking we’ve been using needs to be supplemented with new ways of thinking about both security leadership and security technology.
For technology, the situation is really about how we will use current-day and emerging technology to reduce current and emerging risks. Most of our security system deployments are very outdated compared to what information technology can do for us now, given exponential technology advancement and corporate digital transformation initiatives, especially for large enterprises.
The kind of business leadership that corporations need today from their security leaders is far beyond the expectations of 5 or 10 years ago. The new thinking from leading security practitioners who are already addressing today’s challenges builds on what most practitioners already know.
It is the thinking for today that organizations need now from its security leaders – not just at the very top but also the leaders and managers at who are building and executing the security program elements.
There are many questions involved in how you apply the new thinking, new perspectives and new approaches we introduce at GSO. What do you do and when? What are the time frames? What does progress look like? Who are the stakeholders in the various functional areas? What do you need from them? How can you engage them? What should you be reporting on to higher-ups? What should you be saying to, and asking from, the C-Suite?
Doing what organizations need today and tomorrow is not hard to do if you have the answers to these and other questions. And that’s what we provide, not just during the event, but also after the event.
SIW: Are you referring to the GSO USB Reference Stick?
Bernard: Yes, I am. The GSO Reference Stick, which attendees take home with them, contains a wealth of guidance material, plus dozens of simple tools to use, such as the Insider Threat Micro Assessment Template. Covid-19 impacts have significantly elevated insider threat factors in most large organizations. How do you get a handle on that when it involves so many different functional areas? How do you prioritize the risk treatment?
This micro-assessment template is a high-level gap analysis tool that gives you a baseline reading against 19 insider-threat mitigation best practices, based on the Common Sense Guide to Mitigating Insider Threats, a fantastic work published by the CERT Insider Threat Center. It provides insight into six different areas of insider threat mitigation:
- Human Resources (HR)
- Legal
- Physical Security
- Data Owners
- Information Technology (IT) including Information Assurance (IA)
- Software Engineering
This simple-to-do assessment is performed easily by the responsible/knowledgeable parties in the six areas of insider threat mitigation listed above. Someone in physical security or IT can easily coordinate the efforts.
The GSO Reference Stick also contains guidance documents for 15 different ways to assess and show the value of your security program. These and several other tools from the reference stick whose applications are reviewed during the sessions. When do you use them? What results can you expect? We talk about that.
SIW: Isn’t social unrest another insider threat factor, whose organizational impacts range from employee distraction to agitation to company reputation damage?
Yes. In most companies, diversity, equity, and inclusion (DE&I) initiatives are addressing those impacts in a variety of ways. Culture change initiatives are part of that. One of the results of effective company culture improvements is a reduction in insider threat risk factors. So, how do you assess cultural improvement needs? How should you prioritize the efforts for the greatest benefit to employees and to the organization?
Security has a reason to participate in such efforts and has very relevant knowledge and experience. Security specializes in performing risk assessments across the entire organization, and there is one tool that we examine during GSO that is extremely helpful in any culture improvement initiative. It can be applied one functional area at a time, or one region or division at a time, or even at a smaller scale just to get started. The Australian government funded the development of the tool which they call the Organisational Resilience HealthCheck. It addresses the full spectrum of organizational resilience the way that modern companies are addressing it, not just the business continuity and disaster recovery aspects that are traditionally addressed.
This is a powerful free tool that helps organizations focus most effectively and prioritize their efforts to achieve maximum progress. One of its three areas of focus is Leadership and culture. The tool can even be expanded to include additional cultural elements important to the organization.
During GSO, we explain how to use the tool in a way that’s minimally burdensome but maximally effective – based on practitioner experience. The HealthCheck takes just 15 minutes, and we ask attendees to take it in advance so that we can get right into actionable discussions about its use.
Some culture change initiatives, if done right, like workplace violence prevention and DE&I initiatives, are long-term efforts that span several years. There are many lessons to learn from the leaders involved in such initiatives and that’s another part of what we provide at GSO.
We’re talking about new thinking – but it’s easy thinking that naturally follows from what we in security already know and do.
SIW: Why do you give the attendees so many tools?
Bernard: Every practitioner’s situation is different. How much of their security program they inherited vs. how much they put in place themselves, for example. You can’t apply all the tools at once. Some tools will be helpful immediately, and some will be of better use later on – which tools to use first will depend on each attendee’s particular situation.
SIW: What is the most important reason to attend GSO 2025?
Bernard: It’s a very forward-looking event. Most of the attendees are accomplished security practitioners. I don’t think anyone can attend the GSO event and walk out the same as they were, in terms of their thinking and what the future looks like to them. A common comment from past attendees is, “I wish I had known these things much earlier.” Participating in this even will definitely impact the future for each attendee.
SIW: Best of luck and we look forward to hearing more from you at GSO 2025 this fall.
Bernard: Thank you, Joel. I am looking forward to all the discussions that will take place at GSO 2025.
