Security BSides Atlanta - "The Business Doesn't Care..."
Transcript of Security BSides Atlanta - "The Business Doesn't Care..."
The Business Doesn’t Care
Rafal Los – “Wh1t3Rabbit” – Enterprise & Cloud Security Strategist – HP Software
Security BSides Atlanta
© Copyright 2011 Hewlett-Packard Development Company, L.P. The information
contained herein is subject to change without notice. Confidentiality label goes here
…and it’s your fault.
Follow me down the rabbithole.
Why?
“Security” is estranged from business
A vast number of IT security professionals are distant from their business.
• Why is this? What are some of the reasons you think this is true?
• What are the results? What are some of the observed results?
This is an …
And this is an …
That was too easy …
Define Risk
1. First definition
2. Second definition
3. Third definition
Define Vulnerability
1. First definition
2. Second definition
3. Third definition
Security IS part of the business.
…but what does that mean, really?
• Is your CISO/CSO on the executive board of the company?
• Does your CISO/CSO have executive power?
• …what does this mean?
Relating Security <> Business
What are 3 of your company’s board-level goals for the next fiscal year?
1. Goal 1
2. Goal 2
3. Goal 3
The bridge between Security | Business is out.
We speak “security talk”
vulnerabilities
0-day attacks
hacking
SQL Injection, XSS, …
critical, high, medium…
“The business” speaks a different language
Leveraged risks
Business exposures
Cost of capital
Velocity of change
Shareholder value
Driving off the risk/reward cliff …blind
Oh …
Now what? How do you succeed?
• “Speak business language”
• cliché …but how?
• How do you relate IT risks to business risks?
Get to know your business
• what does your company really do?
• what does your board care about?
• what gets your CEO his or her bonus?
• what do analysts say about your company?
• what do your customers care (or not) about?
What are your company’s business exposures, risks?
• what are your market risks from doing business?
• what are your critical business exposures?
• how can the CISO/CSO help mitigate those issues?
How can we relate IT to business ‘security’?
How would you convince your CEO that a SQL Injection vulnerability can sink their shareholder value?
Ultimately “IT Security” will evolve
Security Ops vs. Security Strategy
Security Operations (SecOps)
• Operational security group
• Traditional firewall controls
• Day-to-day security technology
• Not a separate IT unit (“security”)
• Infused into operational IT groups
  • server management
  • network management
  • desktop management

VS

Security Strategy
• IT “risk” advisory consulting
• Align to risk management, legal
• Review, relate, advise the business
• Independent, small, agile group
• Report into CRO, CFO
  • eliminate conflict of interest
  • get “closer to the business”
It is possible to do both
“Serve the business”
Reduce IT vulnerabilities
Thanks for learning something.
Follow me on Twitter: @Wh1t3Rabbit
Read my blog: hp.com/go/white-rabbit
Listen to the podcast: podcast.wh1t3rabbit.net (or iTunes)
Discuss on LinkedIn: Join the ‘SecBiz’ group