1. The Business Doesn’t Care
…and it’s your fault.
Rafal Los – “Wh1t3Rabbit” – Enterprise & Cloud Security Strategist – HP Software
Security BSides Atlanta
© Copyright 2011 Hewlett-Packard Development Company, L.P. The information
contained herein is subject to change without notice. Confidentiality label goes here
2. Follow me down the rabbit hole.
3. “Security” is estranged from business
Why?
A vast number of IT security professionals are distant from their business.
• Why is this?
–what are some of the reasons you think this is true?
• What are the results?
–what are some of the observed results?
4. This is an …
5. And this is an …
6. That was too easy …
7. Define Risk
1. First definition
2. Second definition
3. Third definition
8. Define Vulnerability
1. First definition
2. Second definition
3. Third definition
10. Security IS part of the business.
…but what does that mean, really?
• Is your CISO/CSO on the executive board of the company?
• Does your CISO/CSO have executive power?
• …what does this mean?
11. Relating Security <> Business
What are 3 of your company’s board-level goals for the next fiscal year?
1. Goal 1
2. Goal 2
3. Goal 3
12. The bridge between Security | Business is out.
13. We speak “security talk”
vulnerabilities
SQL Injection, XSS, …
0-day attacks
hacking
critical, high, medium…
14. “The business” speaks a different language
Leveraged risks
Business exposures
Cost of capital
Velocity of change
Shareholder value
15. Driving off the risk/reward cliff …blind
16. Oh …
17. Now what? How do you succeed?
• “Speak business language”
• cliché …but how?
• How do you relate IT risks to business risks?
18. Get to know your business
• what does your company really do?
• what does your board care about?
• what gets your CEO his or her bonus?
• what do analysts say about your company?
• what do your customers care (or not) about?
What are your company’s business exposures, risks?
• what are your market risks from doing business?
• what are your critical business exposures?
• how can the CISO/CSO help mitigate those issues?
19. How can we relate IT to business ‘security’?
How would you convince your CEO that a SQL Injection vulnerability can sink their shareholder value?
20. Ultimately “IT Security” will evolve
21. Security Ops vs. Security Strategy
Security Operations (SecOps):
• Operational security group
• Traditional firewall controls
• Day-to-day security technology
• Not a separate IT unit (“security”)
• Infused into operational IT groups
–server management
–network management
–desktop management
VS
Security Strategy:
• IT “risk” advisory consulting
• Align to risk management, legal
• Review, relate, advise the business
• Independent, small, agile group
• Report into CRO, CFO
–eliminate conflict of interest
–get “closer to the business”
22. It is possible to do both
“Serve the business”
Reduce IT vulnerabilities
23. Thanks for learning something.
Follow me on Twitter:
@Wh1t3Rabbit
Read my blog:
hp.com/go/white-rabbit
Listen to the podcast:
podcast.wh1t3rabbit.net (or iTunes)
Discuss on LinkedIn:
Join the ‘SecBiz’ group