BSIDES DETROIT 2015: Data breaches cost of doing business
Joel Cardella
Who am I?
• Joel Cardella
• Over 20 years in IT in various capacities – infrastructure operations & data centers, sales support, network ops, security
• Email: jscardella@gmail.com
• Twitter: @JoelConverses
Fear, Uncertainty and Doubt (FUD) can no longer be the security world's fait accompli for driving good security decisions.

fait accompli (noun): a thing that has already happened or been decided before those affected hear about it, leaving them with no option but to accept. "the results were presented to shareholders as a fait accompli"
Source: http://securityintelligence.com/cost-of-a-data-breach-2015/#.ValJ7vlVhBc
• The average cost paid for each lost or stolen record containing sensitive and confidential information increased 6 percent, jumping from $145 in 2014 to $154 in 2015.
• The lowest cost per lost or stolen record is in the transportation industry, at $121, and the public sector, at $68.
• On the other hand, the retail industry's average cost increased dramatically, from $105 last year to $165.
Source: http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
• Chart: world's biggest data breaches, by number of records
• Chart: world's biggest data breaches, by data sensitivity
http://daveshackleford.com/
Michael Lynton, CEO of Sony Entertainment Inc.:
In a December [2014] interview with National Public Radio, Lynton insisted his company was “extremely well prepared for conventional cybersecurity,” but faced “the worst cyberattack in U.S. history.” He has repeatedly described it as a “highly sophisticated attack.” Sony Pictures provided written responses to questions through Robert Lawson, its chief spokesman. He says Lynton has no plans to fire or discipline anyone. The CEO’s reasoning rests on the belief that because Sony’s assailant was a foreign government, with far more resources than a renegade band of hackers, what happened was unstoppable. The studio simply faced an unfair fight.
Source: http://fortune.com/sony-hack-part-1/
If the data represents you, you are the owner. The company hosting it, collecting it, or buying it from a clearinghouse is merely the custodian. As custodian it has fiduciary responsibilities for that data, but it also has financial obligations to its investors and shareholders. In that equation, Mr. and Mrs. Data Owner bear the downside of the risk.
These are all things I tried and did not succeed with
• Don't refer to security as an insurance model
• Don't use standards that don't map to your industry, or use apples & oranges comparisons
• Don't confuse compliance with security, and don't discuss them in the same context – separate the words and define them differently
What do we do?
• Pivot
  ○ This can be (sometimes should be) very obvious
• Understand what your ROI is
  ○ E.g. if the penalty for non-compliance is $X and we spend $Y to offset it, the return on that spend is (X - Y) / Y
  ○ X > Y = positive ROI (the control costs less than the penalty it avoids)
  ○ X < Y = negative ROI (the control costs more than the penalty it avoids)
  ○ X = Y = ROI needs to be evaluated on other factors
  ○ Other ROI can be more complex, and needs its own models
What to do?
• Treat cybersecurity as a business risk
  ○ And start referring to it as business risk (example: SGRC)
  ○ Ask how your business assesses risk and pattern a model that follows it: show execs what they are used to seeing
  ○ Engage your peers and superiors on risk topics; use what is in the media as a conversation starter
  ○ This is where ROI begins
What to do?
• Build the path to awareness for your leadership
  ○ Prepare reports on what's going on in the industry around you; execs love to know how they are doing compared to those around them
  ○ Start with the next level manager, or managers in other departments; sometimes it's a journey, not a ladder
  ○ This is where ROI is discussed
What to do?
• Learn from the past mistakes of others
  ○ This is where ROI is proven
  ○ Example of Sony:
    ○ Sony's email-retention policy left up to seven years of old messages on servers, unencrypted
    ○ The company was essentially using email for long-term storage of business records, contracts, and documents saved in case of litigation
    ○ An array of sensitive information—including user names and passwords for IT administrators—was kept in unprotected spreadsheets and Word files with names like “Computer Passwords.”
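The two Sony findings above are things a practitioner can actually test for on their own file shares: credential stores kept as ordinary documents, and records kept long past any retention limit. The script below is an added example written for this page; it is not code from the original slides or from Sony. The filename and content patterns, the two-year retention window, and the sample files it builds in a temporary directory are all assumptions chosen for illustration. It flags files by name, by content (key=value secrets, or a delimited header row with a password column), and by age, and runs offline against the constructed sample tree.

```python
"""Added example for this page (not from the original slides): audit a file share for
two of the Sony findings described above. All patterns, thresholds and sample files
below are assumptions chosen for illustration."""
import os
import re
import tempfile
import time
from dataclasses import dataclass
from typing import List, Optional

# Filenames that suggest a credential store (assumed patterns; tune per environment).
NAME_RE = re.compile(r"password|passwd|pwd|credential|secret|login", re.I)
# key: value / key=value secrets inside a text file (assumed pattern).
KV_RE = re.compile(r"\b(password|passwd|pwd|pass)\s*[:=]\s*\S+", re.I)
# A column heading that names a password column in a delimited file (assumed pattern).
COLUMN_RE = re.compile(r"^\s*(password|passwd|pwd|pass)\s*$", re.I)
# Formats read as text; .xlsx/.docx are zip containers and are only checked by name here.
TEXT_EXTENSIONS = {".txt", ".csv", ".tsv", ".ini", ".cfg", ".conf", ".xml", ".eml", ".log"}


@dataclass(frozen=True)
class Finding:
    path: str    # relative to the scanned root, always "/"-separated
    reason: str  # "name", "content" or "retention"


def looks_like_credential_text(text: str) -> bool:
    """True if the text has key=value secrets or a header row with a password column
    (a 'Computer Passwords' spreadsheet exported as CSV trips the second rule)."""
    lines = text.splitlines()
    if not lines:
        return False
    header = re.split(r"[,\t;|]", lines[0])
    if len(header) > 1 and any(COLUMN_RE.match(col) for col in header):
        return True
    return any(KV_RE.search(line) for line in lines[:2000])


def scan_share(root: str, max_age_days: int, now: Optional[float] = None) -> List[Finding]:
    """Walk `root`; report credential-looking files and files older than the retention limit."""
    now = time.time() if now is None else now
    cutoff = now - max_age_days * 86400
    findings: List[Finding] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if NAME_RE.search(name):
                findings.append(Finding(rel, "name"))
            elif os.path.splitext(name)[1].lower() in TEXT_EXTENSIONS:
                with open(full, encoding="utf-8", errors="ignore") as fh:
                    if looks_like_credential_text(fh.read()):
                        findings.append(Finding(rel, "content"))
            if os.stat(full).st_mtime < cutoff:
                findings.append(Finding(rel, "retention"))
    return sorted(findings, key=lambda f: (f.path, f.reason))


def build_sample_share() -> str:
    """Constructed sample tree in a temp dir (not real files from any incident)."""
    root = tempfile.mkdtemp(prefix="share_")

    def put(rel: str, body: str, mtime: Optional[float] = None) -> None:
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)
        if mtime is not None:
            os.utime(full, (mtime, mtime))

    put("IT/Computer Passwords.xlsx", "placeholder, not a real workbook")             # hit: name
    put("IT/servers.csv", "hostname,username,password\nsap01,admin,Winter2014!\n")   # hit: content
    put("IT/build-notes.txt", "deploy user = svc_build\npassword: s3cret!\n")        # hit: content
    seven_years_ago = time.time() - 7 * 365 * 86400
    put("mail/archive/2008/contract.eml", "Subject: Contract\n\nSee attached.\n",
        mtime=seven_years_ago)                                                      # hit: retention
    put("docs/README.txt", "Project overview, nothing sensitive.\n")                # clean
    return root


if __name__ == "__main__":
    share = build_sample_share()
    for finding in scan_share(share, max_age_days=730):  # two-year retention window (assumed)
        print(f"{finding.reason:9} {finding.path}")
```

Real .xlsx and .docx files are zip containers, so the content check here only covers plain-text formats; the workbook in the sample is caught by its name alone. Treat every hit as a lead for the data owner to classify rather than as proof of a problem: the point of this slide is that once the security team has made the exposure visible, the risk decision belongs to the business.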
What to do?
• Be prepared! Know your data and know what it takes to protect it, but let someone else make the risk decision on it
  ○ This requires emotional detachment!
  ○ This is where ROI is defended
What to do?
• Network! Network! Network!
  ○ Come to community meetups and cons
  ○ Come to local group meetings (#misec)
  ○ Engage on Twitter, or other social media
  ○ Forum discussions
  ○ Ask questions, share info
  ○ SWIPE
  ○ This is where ROI can be enhanced
Functional area: Security
Key functions:
• Ensure proper controls for systems and data access
• Ensure confidentiality of business data
• Ensure business data is resistant to unauthorized change
How we achieve it:
• Investment in security technologies
• Multi-layer defensive strategy
• Segregation of duties controls in SAP and other business critical systems and applications
• Ensure logical separation of critical data
Business value:
• Business can operate within acceptable tolerance of risk
• Enterprise “crown jewels” are protected from malicious threats
• Confidence in data is increased, business decisions have greater value

Functional area: Governance
Key functions:
• Ensure global and regional directives and standards are in place for all NASC and relevant business processes
How we achieve it:
• Global ISMS participation
• Policy creation and documentation
• Reviewing and approving standards and practices
Business value:
• Ensures the effective and efficient use of IT security in enabling the business to achieve its goals
• Ensures alignment with global governance

Functional area: Risk
Key functions:
• Reduce enterprise risk
• Stay abreast of new risks and threats
• Business continuity planning and system availability planning
How we achieve it:
• Ongoing risk assessments for both IT and business
• Continually manage threats in a constantly changing threat landscape
• Proactively test systems for vulnerabilities
• Investment in risk technologies
• Business continuity planning for recovery of data and continuation of business in disaster situations
Business value:
• Business can run with reduced risk, allowing more innovation and growth
• Newly emerging threats can be dealt with more quickly
• Recovery capabilities for outage situations can be brought to bear quickly, allowing for minimal business interruption

Functional area: Compliance
Key functions:
• Ensure compliance activities for regional and global directives are met
• Ensure legal mandates are met
How we achieve it:
• ICS (Internal Controls Systems) activities
• Interfacing with IT, global and business auditors on all audits
• Interfacing with Legal
• Ensure follow up on audit findings
Business value:
• Internal Controls Systems mandates are met
• Legal mandates are met
• Understanding of audit risks and findings, help with mitigation
Critical success factors
• Confidentiality, integrity and availability of data is managed to business expectation
• Providing cost effective security controls and risk mitigation
• Proactively addressing security improvements and mitigations where required
• Improve recovery capability

Key activities
• Managing audit findings as a tool for improving security posture and maturity
• Execute control activities for governance and compliance
• Continually assess risk and validate mitigations and controls
• Disaster/continuity planning and recovery planning
• Assess vulnerabilities, mitigate and manage emerging threats

Key interfaces
• Global IT security
• Project management
• Regional and global auditors
• External auditors (E&Y, PwC)
• Legal, both regional and global
• Corporate Communications
• Business units, all LOBs and process areas
• Executive management
• IT security community

Guiding principles
1. Focus on the business
2. Comply with relevant legal and regulatory requirements
3. Evaluate current and future information threats
4. Adopt a risk-based approach
5. Protect classified information & ensure proper use
Layered security model
• Perimeter defense (hardware firewall, intrusion detection): hardware that restricts network access from the internet
• Managed security services, security threat detection: a services partner watches all network activity and looks for suspicious activity
• Windows Firewall, patching (software): software to restrict access; patching to deal with known vulnerabilities
• Anti-virus measures: anti-virus blocks known threats
• End user: end user awareness training, strong passwords, dual factor authentication
• Access controls: restrict access to the critical systems, manage SOD conflicts
• Critical business data: the core that the layers above protect
Final thoughts
• Remember, your job is to LOWER the risks of doing business. Do so using positive ROI.
• Emotionally detach yourself from the things that drive you nuts as an infosec admin or manager.
• Understand you are there as an advisor, a counselor. When you make decisions in this capacity, you become trusted. You are no longer a gatekeeper. Gatekeeper = compliance.
• But keep in mind: your business can do business without security. It's high risk, but if the benefits outweigh the risks…
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 

BSIDES DETROIT 2015: Data breaches cost of doing business

  • 2. Who am I?
    – Joel Cardella
    – Over 20 years in IT in various capacities: infrastructure operations & data centers, sales support, network ops, security
    – Email: jscardella@gmail.com
    – Twitter: @JoelConverses
  • 3. Fear, Uncertainty and Doubt (FUD) can no longer be the fait accompli of the security world to try and drive good security decisions.
    fait ac·com·pli (ˈfet əkämˈplē, ˈfāt), noun: a thing that has already happened or been decided before those affected hear about it, leaving them with no option but to accept. "The results were presented to shareholders as a fait accompli."
  • 4. http://securityintelligence.com/cost-of-a-data-breach-2015/#.ValJ7vlVhBc
    – The average cost paid for each lost or stolen record containing sensitive and confidential information increased 6 percent, jumping from $145 in 2014 to $154 in 2015.
    – The lowest cost per lost or stolen record is in the transportation industry, at $121, and the public sector, at $68.
    – On the other hand, the retail industry’s average cost increased dramatically, from $105 last year to $165.
  • 13. Michael Lynton, CEO of Sony Entertainment Inc
    In a December [2014] interview with National Public Radio, Lynton insisted his company was “extremely well prepared for conventional cybersecurity,” but faced “the worst cyberattack in U.S. history.” He has repeatedly described it as a “highly sophisticated attack.” Sony Pictures provided written responses to questions through Robert Lawson, its chief spokesman. He says Lynton has no plans to fire or discipline anyone. The CEO’s reasoning rests on the belief that because Sony’s assailant was a foreign government, with far more resources than a renegade band of hackers, what happened was unstoppable. The studio simply faced an unfair fight.
    http://fortune.com/sony-hack-part-1/
  • 14. If the data represents you, you are the owner. The company hosting it, collecting it, or buying it from a clearinghouse is merely the custodian. As a custodian it has fiduciary responsibilities to that data, but it also has financial obligations to its investors and shareholders. So, in that equation, Mr and Mrs Data Owner suffer the downside of risk.
  • 16. These are all things I tried and did not succeed with
    – Don’t refer to security as an insurance model
    – Don’t use standards that don’t map to your industry, or use apples & oranges comparisons
    – Don’t confuse compliance with security, and don’t discuss them in the same context – separate the words and define them differently
  • 18. What do we do?
    – Pivot
    – This can be (sometimes should be) very obvious
    – Understand what your ROI is
    – E.g. if the penalty for non-compliance is $X, then we spend $Y to offset it:
      X < Y = Positive ROI
      X > Y = Negative ROI
      X = Y = ROI needs to be evaluated
    – Other ROI can be more complex, and need their own models
  • 19. What to do?
    – Treat Cybersecurity as a Business Risk
    – And start referring to it as business risk (example: SGRC)
    – Ask how your business assesses risk and pattern a model that follows it – show execs what they are used to seeing
    – Engage your peers and superiors on risk topics – use what is in the media as a conversation starter
    – This is where ROI begins
  • 20. What to do?
    – Build the path to awareness by your leadership
    – Prepare reports on what’s going on in the industry around you – execs love to know how they are doing compared to those around them
    – Start with the next level manager, or managers in other departments – sometimes it’s a journey, not a ladder
    – This is where ROI is discussed
  • 21. What to do?
    – Learn from the past mistakes of others
    – This is where ROI is proven
    – Example of Sony:
      · Sony’s email-retention policy left up to seven years of old messages on servers, unencrypted
      · The company was essentially using email for long-term storage of business records, contracts, and documents saved in case of litigation.
      · An array of sensitive information – including user names and passwords for IT administrators – was kept in unprotected spreadsheets and Word files with names like “Computer Passwords.”
  • 22. What to do?
    – Be prepared! Know your data and know what it takes to protect it – but let someone else make the risk decision on it
    – This requires emotional detachment!
    – This is where ROI is defended
  • 23. What to do?
    – Network! Network! Network!
    – Come to community meetups and cons
    – Come to local group meetings (#misec)
    – Engage on Twitter or other social media
    – Forum discussions
    – Ask questions, share info
    – SWIPE
    – This is where ROI can be enhanced
  • 24. Functional Area | Key functions | How we achieve it | Business value
    Security
      Key functions:
      • Ensure proper controls for systems and data access
      • Ensure Confidentiality of business data
      • Ensure business data is resistant to unauthorized change
      How we achieve it:
      • Investment in security technologies
      • Multi-layer defensive strategy
      • Segregation of duties controls in SAP and other business critical systems and applications
      • Ensure logical separation of critical data
      Business value:
      • Business can operate within acceptable tolerance of risk
      • Enterprise “crown jewels” are protected from malicious threats
      • Confidence in data is increased, business decisions have greater value
    Governance
      Key functions:
      • Ensure global and regional directives and standards are in place for all NASC and relevant business processes
      How we achieve it:
      • Global ISMS participation
      • Policy creation and documentation
      • Reviewing and approving standards and practices
      Business value:
      • Ensures the effective and efficient use of IT Security in enabling the business to achieve its goals
      • Ensures alignment with global governance
    Risk
      Key functions:
      • Reduce enterprise risk
      • Stay abreast of new risks and threats
      • Business continuity planning and system availability planning
      How we achieve it:
      • Ongoing risk assessments for both IT and business
      • Continually manage threats in a constantly changing threat landscape
      • Proactively test systems for vulnerabilities
      • Investment in risk technologies
      • Business continuity planning for recovery of data and continuation of business in disaster situations
      Business value:
      • Business can run with reduced risk, allowing more innovation and growth
      • Newly emerging threats can be dealt with more quickly
      • Recovery capabilities for outage situations can be dealt with quickly, allowing for minimal business interruption
    Compliance
      Key functions:
      • Ensure compliance activities for regional and global directives are met
      • Ensure Legal mandates are met
      How we achieve it:
      • ICS activities
      • Interfacing with IT, global and business auditors on all audits
      • Interfacing with Legal
      • Ensure follow up on audit findings
      Business value:
      • Internal Controls Systems mandates are met
      • Legal mandates are met
      • Understanding of audit risks and findings, help with mitigation
  • 25.
    Critical Success Factors
    • Confidentiality, Integrity and Availability of data is managed to business expectation
    • Providing cost effective security controls and risk mitigation
    • Proactively addressing security improvements and mitigations where required
    • Improve recovery capability
    Key Activities
    • Managing audit findings as a tool for improving security posture and maturity
    • Execute control activities for governance and compliance
    • Continually assess risk and validate mitigations and controls
    • Disaster/continuity planning and recovery planning
    • Assess vulnerabilities, mitigate and manage emerging threats
    Key interfaces
    • Global IT security
    • Project management
    • Regional and global auditors
    • External auditors (E&Y, PwC)
    • Legal, both regional and global
    • Corporate Communications
    • Business units, all LOBs and process areas
    • Executive management
    • IT Security community
    Guiding Principles
    1. Focus on the Business
    2. Comply with Relevant Legal and Regulatory Requirements
    3. Evaluate Current and Future Information Threats
    4. Adopt a Risk-based Approach
    5. Protect Classified Information & Ensure Proper Use
  • 26. Layered security model (layers from the outside in, each with what it provides)
    • Perimeter defense (hardware firewall, intrusion detection) – hardware, restricts network access from the internet
    • Managed security services, security threat detection – services partner watches all network activity, looks for suspicious activity
    • Windows Firewall, patching (software) – software to restrict access, patching to deal with known vulnerabilities
    • Anti-Virus Measures – anti-virus blocks known threats
    • End User – end user awareness training, strong passwords, dual factor authentication
    • Access Controls – access controls restrict access to the critical systems, manage SOD conflicts
    • Critical business data – the asset at the centre of the model
  • 27. Final thoughts
    – Remember, your job is to LOWER the risks of doing business. Do so using positive ROI.
    – Emotionally detach yourself from the things that drive you nuts as an infosec admin or manager.
    – Understand you are there as an advisor, a counselor. When you make decisions in this capacity, you become trusted. You are no longer a gatekeeper. Gatekeeper = compliance.
    – But keep in mind: your business can do business without security. It’s high risk, but if the benefits outweigh the risks…
  • 28. Who am I?
    – Joel Cardella
    – Over 20 years in IT in various capacities: infrastructure operations & data centers, sales support, network ops, security
    – Email: jscardella@gmail.com
    – Twitter: @JoelConverses