By Bruce Sussman
Thu | Apr 11, 2019 | 3:44 AM PDT

Thank you, Philadelphia, for your passion for cybersecurity.

It came through loud and clear at the 16th annual SecureWorld conference, which featured packed keynotes, overflowing breakout rooms, and great after parties.

Looks like we're going to need more space for next year.

More people means more personal networks were expanded and more wisdom was shared. With that in mind, here are seven great quotes we overheard in Philadelphia.

Anahi Santiago, CISO at Christiana Care Health System, on what is at stake and who is going after health data:

"When I talk to my leaders and speak to the industry, I speak in terms of information security in healthcare is not a technology problem. It’s a patient safety issue and we have to think of that each and every day.

In addition to that, we have nation-states that are coming after our information. You would wonder why a nation-state would want all of our information.

Well, back during the Obama administration, he started a genomics program and a medicine program and he asked individuals to donate their information so that researchers and health care entities could run analytics and apply business intelligence and potentially develop cures and develop cures for diseases at a faster rate. Now, he had a difficult time obtaining that kind of information. We as a country don’t trust that anyone is really going to protect that information. Well, at around the same time, the Chinese came in and stole around two billion (U.S. patient) healthcare records. And they are doing it for that reason."

Bernie McGuinness, Vendor Risk Lead at Campbell Soup Company, on asking non-IT employees the right questions about third-party risk:

"IT understands this data needs to be protected by vendors. But I always ask the non-IT people that want to contract with our third-party partners, 'Can this vendor protect the data as good or better than we protect the data?'

That leads to a conversation, the conversation being, 'What data are you providing them, and what is your expectation on privacy and confidentiality of that data?' Sometimes they don’t get it, so I always leave the non-IT people with this question: 'If the vendor were to lose, compromise, destroy, or otherwise damage your data, how bad a day is it going to be for you, how bad a day is it going to be for the company?'"

Jim Menkevich, Director of Data Protection and Security Governance, Health Partners Plans, on a shifting perimeter and Identity and Access Management:

"My job is to provide the right access, to the right people, at the right time, on any device, anywhere in the world. So the shift is, the fact that people had the perception all the data resided within the network and on corporately owned devices. Now it can be personal assets and the data can be on those personal assets, it can be in the cloud, it can be on virtualized instances and virtualized desktops. So the big shift is understanding that we can’t just rely on the moat and drawbridge to protect anything anymore; you have to put it right on the front lines."

John DiLullo, CEO of Lastline, Inc., on why the race to the cloud is being taken one step at a time and how it is more complicated than many realize:

"Very few people are doing a 'lift and shift' wholesale move into the public cloud, where they move all their enterprise computing into the cloud. What really happens is people start moving workloads one by one, or in families into the public cloud.

You need to see it and have visibility to it but you also have this problem: you’ve actually increased your surface area because now you have instances all over the place. The computing environment is getting more complicated than it was in the past because of the cloud."

Senior Special Agent Hazel Cerra on why you should contact the U.S. Secret Service if your organization becomes a victim of Business Email Compromise:

"We have strong relationships with banks, going back to 1865. When you have a BEC situation, call us and we can help you attempt to get those funds back, through the relationships we have."

Jordan Fischer, Co-Founder and Managing Partner of women-owned XPAN Law Group and Professor of Law at Drexel University, on why focusing on GDPR alone is not enough from a legal standpoint, when it comes to privacy:

"GDPR is good privacy practices that you should be doing. But unfortunately, the way a lot of our U.S. legislation is being drafted there are unique carve-outs, there are exceptions, there are requirements that are tweaked and slightly different than what you see in the GDPR context. So you do need to be aware of various state specific requirements, as it stands right now, because the states are dominating the conversation in the United States."

Joe Walsh, Director of Master of Arts and Criminal Justice Program at DeSales University, who teaches digital forensics and cybersecurity, on how to do digital forensics so your cyber investigation remains admissible in court:

"One of the most important things you want to do is a chain of custody. This is a document that allows you to know who seized the piece of evidence and who had contact with it throughout its entire lifecycle. So from the moment it's seized until the moment it ends up in court, we need to know who might have touched it, who could have tampered with it, and basically we’re trying to prove it was not tampered with."

And if you need more cybersecurity quotes for a presentation or just want to see what your peers are saying across North America, check out "20 Cybersecurity Quotes You Need to Hear from 2018."

Lastly, catch all of the social media action around SecureWorld Philadelphia 2019 by searching for #SWPHL19.
