WILL IT BLEND?

CISO’s and Hackers

14.4.2017 © Nixu 1

WILL IT BLEND?

CISO’s and Hackers

14.4.2017 © Nixu 2

Theory

– Risk management

– Compliance and Audits

– Security Operations

– Architecture

– Identity Management

– ...

WHAT DOES A CISO DO?

14.4.2017 © Nixu 3

A CISO protects the

organisation from

information related problems

CxO

CIO

CISO

WHAT DOES A CISO DO?

14.4.2017 © Nixu 4

Demands and expectations

– Operations

– Projects

– Digital Strategy

Things beyond his control

– Legacy

– Consumerisation

– Limited budget, resources

Risks

– Hackers

– Security breaches

– Availability problems

– Disasters

CIO HAS DO DEAL WITH

14.4.2017 © Nixu 5

CIO’s challenge:

Where to put the

money?

Demands and expectations

– Operations

– Projects

– Digital Strategy

Things beyond his control

– Legacy

– Consumerisation

– Limited budget, resources

Risks

– Hackers

– Security breaches

– Availability problems

– Disasters

CIO HAS DO DEAL WITH

14.4.2017 © Nixu 6

We will be audited

We have a customer demand

We’re hacked

But risk analysis …. fake news

CXO WILL ACT ON REAL THINGS

14.4.2017 © Nixu 7

Demands and expectations

– Operations

– Projects

– Digital Strategy

Things beyond his control

– Legacy

– Consumerisation

– Limited budget, resources

Risks

– Hackers

– Security breaches

– Availability problems

– Disasters

WHERE IS THE CIO’S RISK?

14.4.2017 © Nixu 8

Other peoples risk

Minor risks

Risks costing me my bonus

Risks costing me my job

CATEGORIZING CIO’S RISK

14.4.2017 © Nixu 9

COMPLIANCE: INITIAL FINDING

14.4.2017 © Nixu 10

COMPLIANCE: 60% IMPROVEMENT

14.4.2017 © Nixu 11

How do we get the CxO to act on information security risks?

How do we make these risks real?

HOW DO WE SOLVE THE CHALLENGE?

14.4.2017 © Nixu 12

Demands and expectations

– Operations

– Projects

– Digital Strategy

Things beyond his control

– Legacy

– Consumerisation

– Limited budget, resources

Risks

– Hackers

– Security breaches

– Availability problems

– Disasters

UNREAL = REAL CHALLENGE

14.4.2017 © Nixu 13

Hack everything

Declaring it’s all bad

Unlikely scenario’s

Exaggerating impact

Unsolvable problems

Being a vendor

Presenting a problem is not the solution

HOW NOT TO MAKE IT REAL

14.4.2017 © Nixu 14

Game (ask for scenarios)

What-if scenario’s (story telling)

Risk analysis

HOW TO MAKE IT REAL?

CISO-WAY

14.4.2017 © Nixu 15

Demands and expectations

– Operations

– Projects

– Digital Strategy

Things beyond his control

– Legacy

– Consumerisation

– Limited budget, resources

Risks

– Hackers

– Security breaches

– Availability problems

– Disasters

HOW HACKERS CAN HELP

14.4.2017 © Nixu 16

Hack it + Responsible Disclosure

– Demonstrates likelihood

– Disclose to the Board

Focus on CxO’s risk

– CVSS (Nixu way)

– Create Hackers Business Case

HOW TO MAKE IT REAL?

HACKER-WAY

14.4.2017 © Nixu 17

THANK YOU

14.4.2017 © Nixu 18

www.nixu.com

Chris van den Hooven

Security Consultant

chris.vandenhooven@nixu.com +31 6 41244346