National CyberSecurity Summit – Valencia

As a “requirement” to stay up to date and maintain my CISA/CISM certifications with continuing professional education (CPE) credits, I have spent the past few weeks watching videos of the IX National CyberSecurity Summit that ISACA organized last year in Valencia. There were interesting talks about the responsibilities of government, companies and citizens, speeches about virtual vs. physical, crime as a service, etc., and I would like to share some comments and a summary of it.

We know that this world and our society run on confidence and trust, but unfortunately there are criminals who want to get our data and money, and therefore we have to protect ourselves against them. But when we hold data and/or money belonging to others, not ours, we have to build fences and apply controls to prevent this valuable information from being compromised. In fact, as a government or company, we have a responsibility to take care of it.

This summit spoke about eGovernment as well. What, where and how does the government protect our data? I mean … where is my personal data? Who can see it? Are there traceability controls? Is it secured? Who is going to notify me if it is stolen, and how? Today, we live in the digital age, where most of our data are bits that are easy to access but easy to attack too. Fortunately, LOPD and ENS (Esquema Nacional de Seguridad) are here to protect our personal data but, as Carmen Serrano from CSIRT-CV of Valencia said in her speech, it is a challenge to align the security strategy when the government changes every four years. However, CSIRT-CV, along with S2 Group, are approximately 40 people working to protect citizens, SMEs (pymes) and the regional government. From my point of view, it is an enviable situation compared with other regions. Congratulations!!

On the side of private companies there are responsibilities as well. Is my bank account being protected properly? What about my insurance agreement? Are consultancies taking security into account to protect the personal data of their customers? And private medical companies? Going beyond … are nuclear power plants protected against cyberattacks? What about electrical power grids? Thankfully, there are institutions like INCIBE, CSN and CNPIC which know that a cyberattack can impact the real world.

Therefore, as was said at the summit, the virtual world, or the cyberworld, is a technology which can be used to attack and damage the real world. Everything we do in the virtual world impacts the real world. Cyberbullying, cyberattack, cybercrime … all impact the real world. Accordingly, “cyber” is a fashionable word that allows us to identify the medium where the offense was committed.

At the end of this summit, I was wondering: should cybersecurity be a public service that helps private companies protect personal information as well? What is the threshold between private cybersecurity services and public cybersecurity services? Because all of us know that most private companies can't, or don't want to, invest money to protect against cyberattacks, which we know impact the real world.

Regards, my friend, and remember: drop me a line with the first thing you are thinking.