The Savvy Security Leader: Using Guerrilla Tactics to ID Security Program Resources - RSA Conference...
John B. Dickson, CISSP @johnbdickson
Denim Group
The Savvy Security Leader: Using Guerrilla Tactics to ID
Security Program Resources
© 2014 EMC Corporation. All rights reserved. 2
• Application Security Enthusiast
• Helps CSOs and CISOs with Application Security Programs
• ISSA Distinguished Fellow
• Security Author and Speaker
Denim Group | Company Background
• Professional services firm that builds & secures enterprise applications
• External application & network assessments
– Web, mobile, and cloud
• Software development lifecycle (SDLC) consulting
• Secure development services:
– Secure .NET and Java application development & remediation
– Classroom and e-Learning for PCI compliance
• Developed ThreadFix
Overview
• Background on the Issue
• Key Concept
• Examples of Guerrilla Tactics
• Questions and Answers
Key Thought
• Executives are becoming more resistant to FUD carpet bombing
Getting Your Security Budget Approved without FUD
• RSA 2014 track session
• Assumption: internal sale of security budget to executives is fundamentally different
• Security leaders competing for scarce corporate resources
• Common denominators exist – See more on RSA’s site
Getting Your Security Budget Approved without FUD
– Exploiting Pet Projects
– Accounting for Culture
– Tailoring to their Vertical
– Consciously Cultivating Credibility & Relationships
– Using Timing to Capitalize on Certain events
– Selling by-Products of Security Activities
Security Budgets: The Starting Point
• Some have lost the game before getting on the field
• Competing Against:
– Line of business pet projects – expansion of production
– Executive level visibility or utility – e.g., new corporate jet
– Things that produce more tangible ROI
• Information security as the “silent service” – Rich Baich, Wells Fargo CISO
– Source: “Winning as a CISO,” Rich Baich
Security Budgets: The Starting Point
• Annual operations budgets are highly scrutinized
– Are normalized to past budget years and easy to compare
• Some budget items are easier to get approved
– Items mandated by compliance
– Items mandated by buyers
– Historical operations; Example: Licensing fees
Security Budgets: The Starting Point
Photo by Matt Mechtley
Security Budgets: The Starting Point
• So… what does a savvy security leader do?
Key Concept
• Adopts guerrilla selling tactics to increase budget
– Uses the resources of others to expand your security coverage
Mergers and Acquisitions
• Corporate Mergers and Acquisitions (M&A) activities include substantial attorneys’ fees for:
– Due diligence and contracts
• M&A activity is the domain of the CEO
– The CEO will be less price sensitive to security costs
• Insert security testing into the M&A process to ID:
– Risk of the acquired entity & provide a remediation path
– Lower downstream security exposure
Leverage Things Already Bought
• Identify technologies bought by business units, leverage any security by-product
• Example #1: Web Application Firewalls (WAFs)
– Mandated by PCI, bought by IT or Internal Audit
– Creates incredible Layer 7 logging and protection
• Example #2: Big Data Technologies
– Big Data
Development Tools
• Development tools stack
– Expensive
– Dwarf security vulnerability scanners
• Get the development team to purchase the scanner for the SDLC because they own the SDLC
– A line item in a larger quote for a development stack
– Bake testing into the SDLC as early in the process as possible
• Might be able to use the leverage of a large purchase to get tools thrown in
Development Training
• For internally developed software
• Cost of a vulnerability is highest once it is in production
– Change the reality, make security a quality issue!
• Have development teams pay for training
– Make this part of general developer training and onboarding
Leverage Open Source
• Use what others have already contributed to the Open Source community to further your security coverage
• First steps
– Hire a security pro w/ Open Source experience
– Add an Open Source project that solves a problem – start small
– ThreadFix
• Capture licensing cost savings and communicate
Q&A @johnbdickson