The presentation slides delivered by Evan Francen (FRSecure president) to Secure360 attendees on May 9th, 2012. The ten principles are:
1. A business is in business to make money.
2. Information security is a business issue.
3. Make information security fun.
4. People are the most significant risk.
5. "Compliant" and "Secure" are different.
7. There's no common sense in information security.
8. Secure is relative.
9. Information security should enable business.
10. Information security is not one-size-fits-all.
11. There is no "easy button".
The presentation was very well-received, and we sincerely thank all who attended!
1. Ten Information Security Principles to Live (or Die) By
2. WELCOME TO SECURE360 2012
Did you remember to scan your badge for CPE credits? Ask your Room Volunteer for assistance.
Please complete the Session Survey front and back (this is Room 12), and leave it on your seat.
Note: “Session” is Tuesday or Wednesday.
Are you tweeting? #Sec360
3. BEFORE WE GET STARTED
• This is not your typical presentation.
• What you have to say is as important as what I am going to tell you.
• You are encouraged to participate!
10 Information Security Principles to Live (or die) By
Speaker: Evan Francen, FRSecure
www.frsecure.com
4. SPEAKER – EVAN FRANCEN, CISSP, CISM
• President & Co-founder of FRSecure
• 20 years of information security experience
• Security evangelist with more than 700 published articles
• Experience with 150+ public & private organizations
5. SPEAKER – EVAN FRANCEN, CISSP, CISM
NOT ME, BUT KIND OF
6. ABOUT FRSECURE
• Information security consulting company – it’s all we know how to do.
• Established in 2008 by people who have earned their stripes in the field.
• We help small to medium sized organizations solve information security challenges.
7. HOW DO “NORMAL” PEOPLE FEEL?
About information security…
8. TEN INFORMATION SECURITY TRUTHS
Nothing earth-shattering, but too often forgotten by those of us in the industry.
“Rules of the game”
9. #1 – A BUSINESS IS IN BUSINESS TO MAKE MONEY
• Some risks are worth taking
• Not all risks require remediation
• All information security expenses need justification
• There is no ROI in information security, right?
10. #2 – INFORMATION SECURITY IS A BUSINESS ISSUE
• It is NOT an IT issue!
• Executive management probably doesn’t need the detailed specs of your new NGFW
• Executive management does need to be aware of strategic direction and the most significant risks.
• Ultimately, it’s executive management that’s responsible
11. #3 – INFORMATION SECURITY IS FUN
• That’s right, we said FUN!
• Information security is more effective if people enjoy it.
• Look for opportunities to make information security fun
• Laugh at yourself sometimes (not always at others)
• We can be serious AND fun. They don’t have to be exclusive.
12. #3 – INFORMATION SECURITY IS FUN
Fun like this?
13. #3 – INFORMATION SECURITY IS FUN
Or this…
14. #3 – INFORMATION SECURITY IS FUN
Not this…
15. #3 – INFORMATION SECURITY IS FUN
Or this…
16. #4 – PEOPLE ARE THE BIGGEST RISK
• It’s not the technology
• Change the culture of the business
• Training & awareness is critical
• Personalize information security
17. #4 – PEOPLE ARE THE BIGGEST RISK
Risky?
18. #4 – PEOPLE ARE THE BIGGEST RISK
“An employee at a car dealership who was authorized to view Minnesotans' vehicle data allegedly shared his login information with a friend working at a vehicle repossession company, leading to unlawful data access that could affect about 3,700 people, the state said Friday, April 27.”
19. #4 – PEOPLE ARE THE BIGGEST RISK
1. Why was this guy running in the first place?
2. Has this guy been here before?
3. Uh sir, you dropped your gun!
20. #5 – “COMPLIANT” AND “SECURE” ARE DIFFERENT
21. #6 – THERE IS NO COMMON SENSE IN INFORMATION SECURITY
• What makes perfect sense to you probably doesn’t make perfect sense to everyone else.
• Users feel justified in their actions.
• Try to see the world the way they see it.
22. #7 – “SECURE” IS RELATIVE
• Have you ever been asked “Are we secure?” or “Are you secure?”
• We can only answer “how” secure we are
• Find metrics that you can measure
- CVSS scoring for technical vulnerabilities
- Gap analysis
• Without measurement you don’t know
23. #8 – INFORMATION SECURITY SHOULD DRIVE BUSINESS
• We have a bad rap for getting in the way of business, and for being a cost center.
• What opportunities does information security have for enabling business and adding to the bottom line?
• Information security objectives must align with business objectives.
• You won’t succeed unless you engage with key business process owners.
24. #9 – INFORMATION SECURITY IS NOT ONE SIZE FITS ALL
• What works for one may not work for another:
- Policies
- Technologies
- Compliance
• Information security is a custom solution
25. #10 – THERE IS NO “EASY BUTTON”
WHAT, you mean that I can’t buy a solution to solve all my information security problems?!
• Don’t sacrifice fundamentals for ease
• Information security is work, sorry.
26. THE TEN PRINCIPLES
1. A business is in business to make money.
2. Information security is a business issue.
3. Make information security fun.
4. People are the most significant risk.
5. “Compliant” and “Secure” are different.
27. THE TEN PRINCIPLES
6. There’s no common sense in information security.
7. Secure is relative.
8. Information security should drive business.
9. Information security is not one size fits all.
10. There is no “easy button”.
28. THANK YOU!
Questions?
Comments?
Evan Francen
FRSecure LLC
evan@frsecure.com
952-467-6384