1. Governance Fail, Security Fail:
Why Are We Surprised About Data Theft?
James Tarala, Enclave Security

2. Companies Are Losing Data to Theft
Governance Fail, Security Fail © Enclave Security 2012

3. Nortel
Governance Fail, Security Fail © Enclave Security 2012

4. Zappos
Governance Fail, Security Fail © Enclave Security 2012

5. Stratfor
Governance Fail, Security Fail © Enclave Security 2012

6. Subway
Governance Fail, Security Fail © Enclave Security 2012

7. Virginia Commonwealth University
Governance Fail, Security Fail © Enclave Security 2012

8. Purdue University
Governance Fail, Security Fail © Enclave Security 2012

9. Bay Area Rapid Transit (BART)
Governance Fail, Security Fail © Enclave Security 2012

10. Universal Music
Governance Fail, Security Fail © Enclave Security 2012

11. Sega
Governance Fail, Security Fail © Enclave Security 2012

12. Bethesda Softworks
Governance Fail, Security Fail © Enclave Security 2012

13. Sony Pictures
Governance Fail, Security Fail © Enclave Security 2012

14. Lockheed Martin
Governance Fail, Security Fail © Enclave Security 2012

15. WordPress
Governance Fail, Security Fail © Enclave Security 2012

16. Whatever Shall We Do?!?
Governance Fail, Security Fail © Enclave Security 2012

17. Cause & Effect
If you don’t brush or
floss your teeth,
you’re going to
loose them.
Governance Fail, Security Fail © Enclave Security 2012

18. Cause & Effect
If you don’t care of
your car, you won’t
be driving it for long.
Governance Fail, Security Fail © Enclave Security 2012

19. Cause & Effect
If you only eat crap
& never exercise,
you will get fat.
Governance Fail, Security Fail © Enclave Security 2012

20. Cause & Effect
If you tell your wife,
she does look fat in
those jeans…
Governance Fail, Security Fail © Enclave Security 2012

21. Cause & Effect
If you don’t defend
your computers, you
will get hacked.
Governance Fail, Security Fail © Enclave Security 2012

22. Most Hackers Aren’t 31337
Governance Fail, Security Fail © Enclave Security 2012

23. No Executive Support = Fail
Executives allocate:
• Decisions
• Time
• Money
Governance Fail, Security Fail © Enclave Security 2012

24. No Documented Plan = Fail
They’re called policies.
Have a consistent plan.
Governance Fail, Security Fail © Enclave Security 2012

25. No Budget = Fail
Controls cost money + time.
Doing business costs money + time.
Protecting data costs money + time.
Governance Fail, Security Fail © Enclave Security 2012

26. Wrong Controls = Fail
Governance Controls (COBIT)
Technical Controls (20 Critical Controls)
Governance Fail, Security Fail © Enclave Security 2012

27. No Metrics = Fail
Measure Yourself
Report Success & Failure
Fix Your Failures
(US DoS iPost)
Governance Fail, Security Fail © Enclave Security 2012

28. General Michael Hayden
“Quit whining, act
like a man, and
defend yourself.”
-BlackHat 2010
Governance Fail, Security Fail © Enclave Security 2012

29. Further Questions
• James Tarala
– E-mail: james.tarala@enclavesecurity.com
– Twitter: @isaudit, @jamestarala
– Blog: http://www.enclavesecurity.com/blogs/
• Resources for further study:
– SANS Audit Program – Audit 407, Governance Focused
– 20 Critical Controls Project
– The Balanced Scorecard (by Kaplan & Norton)
– Security Metrics (by Andrew Jaquith)
Governance Fail, Security Fail © Enclave Security 2012