The Savvy Security Leader: Using Guerrilla Tactics to ID Security Program Resources - RSA Conference...

John B. Dickson, CISSP @johnbdickson Denim Group The Savvy Security Leader: Using Guerrilla Tactics to ID Security Program Resources

Description

Security programs are almost always underfunded while organizations have no shortage of sophisticated threats. Getting executives to free up resources to invest in security before a breach is always difficult. How does one take modest formal authority, a bare-bones budget, and informal influence and leverage that to obtain scarce resources to protect the organization? How does a scrappy security leader identify pockets of existing resources, leverage ongoing business activities, and generally get others to do what they should already probably be doing in the world of security? This webcast helps those security leaders do a better job of identifying hidden resources within the enterprise to further the cause of security.

Transcript of The Savvy Security Leader: Using Guerrilla Tactics to ID Security Program Resources - RSA Conference...

Page 1: The Savvy Security Leader: Using Guerrilla Tactics to ID Security Program Resources - RSA Conference Presentation

John B. Dickson, CISSP @johnbdickson

Denim Group

The Savvy Security Leader: Using Guerrilla Tactics to ID Security Program Resources

Page 2

© 2014 EMC Corporation. All rights reserved. 2

•  Application Security Enthusiast
•  Helps CSOs and CISOs with Application Security Programs
•  ISSA Distinguished Fellow
•  Security Author and Speaker

Page 3

Denim Group | Company Background

•  Professional services firm that builds & secures enterprise applications
•  External application & network assessments
   –  Web, mobile, and cloud
•  Software development lifecycle (SDLC) consulting
•  Secure development services:
   –  Secure .NET and Java application development & remediation
   –  Classroom and e-Learning for PCI compliance
•  Developed ThreadFix

Page 4

Overview

•  Background on the Issue
•  Key Concept
•  Examples of Guerrilla Tactics
•  Questions and Answers

Page 5

Key Thought

•  Executives are becoming more resistant to FUD carpet bombing

Page 6

Getting Your Security Budget Approved without FUD

•  RSA 2014 track session
•  Assumption: internal sale of security budget to executives is fundamentally different
•  Security leaders competing for scarce corporate resources
•  Common denominators exist
   –  See more on RSA’s site here

Page 7

Getting Your Security Budget Approved without FUD

   –  Exploiting Pet Projects
   –  Accounting for Culture
   –  Tailoring to their Vertical
   –  Consciously Cultivating Credibility & Relationships
   –  Using Timing to Capitalize on Certain Events
   –  Selling By-Products of Security Activities

Page 8

Security Budgets: The Starting Point

•  Some have lost the game before getting on the field
•  Competing against:
   –  Line of business pet projects – expansion of production
   –  Executive level visibility or utility – e.g., new corporate jet
   –  Things that produce more tangible ROI
•  Information security as the “silent service” – Rich Baich, Wells Fargo CISO
   –  Source: “Winning as a CISO,” Rich Baich

Page 9

Security Budgets: The Starting Point

•  Annual operations budgets are highly scrutinized
   –  Are normalized to past budget years and easy to compare
•  Some budget items are easier to get approved
   –  Items mandated by compliance
   –  Items mandated by buyers
   –  Historical operations; example: licensing fees

Page 10

Security Budgets: The Starting Point

[Slide image] Photo by Matt Mechtley

Page 11

Security Budgets: The Starting Point

•  So… what does a savvy security leader do?

Page 12

Key Concept

•  Adopts guerrilla selling tactics to increase budget
   –  Uses the resources of others to expand your security coverage

Page 13

Mergers and Acquisitions

•  Corporate Mergers and Acquisitions (M&A) activities include substantial attorneys’ fees for:
   –  Due diligence and contracts
•  M&A activity is the domain of the CEO
   –  The CEO will be less price sensitive to security costs
•  Insert security testing into the M&A process to ID:
   –  Risk of the acquired entity & provide a remediation path
   –  Lower downstream security exposure

Page 14

Leverage Things Already Bought

•  Identify technologies bought by business units, leverage any security by-product
•  Example #1: Web Application Firewalls (WAFs)
   –  Mandated by PCI, bought by IT or Internal Audit
   –  Creates incredible Layer 7 logging and protection
•  Example #2: Big Data Technologies
   –  Big Data

Page 15

Development Tools

•  Development tools stack
   –  Expensive
   –  Dwarf security vulnerability scanners
•  Get development team to purchase scanner for SDLC because they own the SDLC
   –  A line item in a larger quote for a development stack
   –  Bake testing into SDLC earliest in the process
•  Might be able to use leverage of large purchase to get tools thrown in

Page 16

Development Training

•  For internally developed software
•  Cost of vulnerability most expensive when put into production
   –  Change the reality, make security a quality issue!
•  Have development teams pay for training
   –  Make this part of general developer training and onboarding

Page 17

Leverage Open Source

•  Use what others have already contributed to the Open Source community to further your security coverage
•  First steps
   –  Hire a security pro w/ Open Source experience
   –  Add an Open Source project that solves a problem – start small
   –  ThreadFix
•  Capture licensing cost savings and communicate

Page 18

Q&A @johnbdickson