Ten Information Security Principles to Live (or Die) By
WELCOME TO SECURE360 2012
• Did you remember to scan your badge for CPE credits? Ask your Room Volunteer for assistance.
• Please complete the Session Survey, front and back (this is Room 12), and leave it on your seat. Note: “Session” is Tuesday or Wednesday.
• Are you tweeting? #Sec360
BEFORE WE GET STARTED

• This is not your typical presentation.
• What you have to say is as important as what
  I am going to tell you.
• You are encouraged to participate!




                10 Information Security Principles to Live (or die) By
                                   Speaker: Evan Francen, FRSecure
                                                  www.frsecure.com
SPEAKER – EVAN FRANCEN, CISSP, CISM
• President & Co-founder of FRSecure
• 20 years of information security experience
• Security evangelist with more than 700
  published articles
• Experience with 150+ public & private
  organizations.


SPEAKER – EVAN FRANCEN, CISSP, CISM




       NOT ME, BUT KIND OF
ABOUT FRSECURE

• Information security consulting company –
  it’s all we know how to do.
• Established in 2008 by people who have
  earned their stripes in the field.
• We help small to medium sized organizations
  solve information security challenges.


HOW DO “NORMAL” PEOPLE FEEL?

About information security…




TEN INFORMATION SECURITY TRUTHS

Nothing earth-shattering, but too often forgotten by those of us in
the industry.


                 “rules of the game”




#1 – A BUSINESS IS IN BUSINESS TO
    MAKE MONEY
•   Some risks are worth taking
•   Not all risks require remediation
•   All information security expenses
    need justification
•   There is no ROI in information
    security, right?



#2 – INFORMATION SECURITY IS A
    BUSINESS ISSUE
•   It is NOT an IT issue!
•   Executive management probably doesn’t need the
    detailed specs of your new NGFW
•   Executive management does need to be aware of
    strategic direction and most significant risks.
•   Ultimately, it’s executive management that’s
    responsible


#3 – INFORMATION SECURITY IS FUN

•   That’s right, we said FUN!
•   Information security is more effective if people enjoy
    it.
•   Look for opportunities to make information security
    fun
•   Laugh at yourself sometimes (not always others)
•   We can be serious AND fun. They don’t have to be
    exclusive.

#3 – INFORMATION SECURITY IS FUN

Fun like this?




#3 – INFORMATION SECURITY IS FUN

Or this…




#3 – INFORMATION SECURITY IS FUN

Not this…




#3 – INFORMATION SECURITY IS FUN

Or this…




#4 – PEOPLE ARE THE BIGGEST RISK

•   It’s not the technology
•   Change the culture of the business
•   Training & awareness is critical
•   Personalize information security

#4 – PEOPLE ARE THE BIGGEST RISK
Risky?




#4 – PEOPLE ARE THE BIGGEST RISK




“An employee at a car dealership who was authorized to view
Minnesotans' vehicle data allegedly shared his login information with a
friend working at a vehicle repossession company, leading to unlawful
data access that could affect about 3,700 people, the state said Friday,
April 27.”



#4 – PEOPLE ARE THE BIGGEST RISK

1. Why was this guy running in the first place?
2. Has this guy been here before?
3. Uh sir, you dropped your gun!




#5 – “COMPLIANT” AND “SECURE”
ARE DIFFERENT




#6 – THERE IS NO COMMON SENSE IN
    INFORMATION SECURITY
•   What makes perfect sense to you probably doesn’t make perfect sense to everyone else.
•   Users feel justified in their actions.
•   Try to see the world the way they see it.


#7 – “SECURE” IS RELATIVE

•   Have you ever been asked “Are we secure?” or “Are you secure?”
•   We can only answer “how” secure we are.
•   Find metrics that you can measure:
       - CVSS scoring for technical vulnerabilities
       - Gap analysis
•   Without measurement, you don’t know.

#8 – INFORMATION SECURITY
  SHOULD DRIVE BUSINESS
• We have a bad rap for getting in the way of business,
  and for being a cost-center.
• What opportunities does information security have for
  enabling business and adding to the bottom line?
• Information security objectives must align with
  business objectives.
• You won’t succeed unless you engage with key
  business process owners.


#9 – INFORMATION SECURITY IS NOT
  ONE SIZE FITS ALL
• What works for one may not work for another:
  - Policies
  - Technologies
  - Compliance
• Information security is a custom solution

#10 – THERE IS NO “EASY BUTTON”

What, you mean I can’t buy a solution to solve all my information security problems?!
•   Don’t sacrifice the fundamentals for ease.
•   Information security is work, sorry.




THE TEN PRINCIPLES
1. A business is in business to make money.
2. Information security is a business issue.
3. Make information security fun.
4. People are the most significant risk.
5. “Compliant” and “Secure” are different.



THE TEN PRINCIPLES
6. There’s no common sense in information security.
7. Secure is relative.
8. Information security should drive business.
9. Information security is not one size fits all.
10. There is no “easy button”.


THANK YOU!

Questions?
Comments?

     Evan Francen
     FRSecure LLC
     evan@frsecure.com
     952-467-6384

