WILL IT BLEND? · 2017-10-15 · Chris van den Hooven Security Consultant...
WILL IT BLEND?
CISOs and Hackers
14.4.2017 © Nixu 1
WHAT DOES A CISO DO?
Theory:
– Risk management
– Compliance and Audits
– Security Operations
– Architecture
– Identity Management
– ...
WHAT DOES A CISO DO?
A CISO protects the organisation from information-related problems.
(Diagram: CxO, CIO, CISO)
CIO HAS TO DEAL WITH
Demands and expectations
– Operations
– Projects
– Digital Strategy
Things beyond his control
– Legacy
– Consumerisation
– Limited budget, resources
Risks
– Hackers
– Security breaches
– Availability problems
– Disasters
CIO HAS TO DEAL WITH
(Same list as the previous slide.)
CIO's challenge: Where to put the money?
CXO WILL ACT ON REAL THINGS
We will be audited
We have a customer demand
We're hacked
But risk analysis .... fake news
WHERE IS THE CIO'S RISK?
(Same list as "CIO has to deal with".)
CATEGORIZING CIO'S RISK
Other people's risk
Minor risks
Risks costing me my bonus
Risks costing me my job
COMPLIANCE: INITIAL FINDING
(Chart slide.)
COMPLIANCE: 60% IMPROVEMENT
(Chart slide.)
HOW DO WE SOLVE THE CHALLENGE?
How do we get the CxO to act on information security risks?
How do we make these risks real?
UNREAL = REAL CHALLENGE
(Same list as "CIO has to deal with".)
HOW NOT TO MAKE IT REAL
Hack everything
Declaring it's all bad
Unlikely scenarios
Exaggerating impact
Unsolvable problems
Being a vendor
Presenting a problem is not the solution
HOW TO MAKE IT REAL? CISO-WAY
Game (ask for scenarios)
What-if scenarios (storytelling)
Risk analysis
HOW HACKERS CAN HELP
(Same list as "CIO has to deal with".)
HOW TO MAKE IT REAL? HACKER-WAY
Hack it + Responsible Disclosure
– Demonstrates likelihood
– Disclose to the Board
Focus on CxO's risk
– CVSS (Nixu way)
– Create Hacker's Business Case
THANK YOU