SlideShare une entreprise Scribd logo

Building Bridges: Security Metrics to Narrow the Chasm Between Perception and Reality

InnoTech
InnoTech

The document discusses the gap between perception and reality in security. It notes that many factors contribute to widening this gap, including inconsistent standards implementation, ambiguous regulations, and subjective risk assessments. The author proposes using standardized security metrics to narrow this gap and build bridges between perception and reality. Specifically, metrics should measure what security controls are implemented, how effective they are, and the residual risks remaining. This can help organizations determine if they are truly secure and provide a framework for a sustainable security program.

TechnologieActualités & Politique
1  sur  27
Télécharger pour lire hors ligne
BUILDING BRIDGES Security Metrics to Narrow the Chasm Between Perception and Reality Brian A. Engle CISO, Texas Health and Human Services Commission
Agenda In the beginning…  What created the perception chasm?  Contributing factors that widen the chasm Truth, Fact and Reality  Primary support materials to bridge the gap  Construction elements and design Where can the bridge take us…  Practical uses and worthy destinations 5/15/2012 DIR Information Security Forum 2
Speaking in tongues Ponemon Second Annual Cost of Cyber Crime Study Viruses, worms, Trojans ==> 100% Malware ==> 96% Malicious Code ==> 42%  Virtually all organizations experienced attacks relating to viruses, worms and/or trojans over the four-week benchmarking period. Ninety-six percent experienced malware attacks, 82 percent experienced botnets, 64 percent experienced Web-based attacks, 44 percent experienced stolen or hijacked computing devices, 42 percent experienced malicious code, and 30 percent experienced malicious insiders.  Footnote - Malware attacks and malicious code attacks are inextricably linked. We classified malware attacks that successfully infiltrated the organizations’ networks or enterprise systems as a malicious code attack. 5/15/2012 DIR Information Security Forum 3
The Bigger Picture  Standards interpreted and implemented with tribal inconsistency  Ambiguous regulations, laws, audit and compliance requirements  Qualitative risk math in vivid Technicolor  Voodoo and Magic Fairy Dust  Personality based bias and trust  The “End of the World” as we know it vulnerabilities  Misguided faith in legacy protection and various technologies 5/15/2012 DIR Information Security Forum 4
Mobility Virtualization Cyber <InsertTermHere> threat war terrorists activists hacktivists bully Consumerization cybercybercybercyber 5/15/2012 DIR Information Security Forum 5
You want me on that wall… You need me on that wall… What happened to the wall? 5/15/2012 DIR Information Security Forum 6
Executive Dashboard Financial Metrics Investment metrics do not validate security  ROI for Security?  Cost Avoidance?  Insurance Comparisons % of Security Spend Compared to Overall IT Spend  Comparative, but irrelevant Consider % of Security Spend Compared to Overall Company Expenditures 5/15/2012 DIR Information Security Forum 7
Gartner Security Maturity Model 5/15/2012 DIR Information Security Forum 8
So close, yet so far away… 5/15/2012 DIR Information Security Forum 9
5/15/2012 DIR Information Security Forum 10
Jaquith’s Laws of Metrics  Consistently measured without subjective criteria  Expressed as a cardinal number or percentage, not qualitative  Expressed using at least one unit of measure  Contextually specific / relevant such that they are actionable  Cheap to gather 5/15/2012 DIR Information Security Forum 11
3 “Simple” Metrics 1. What you do - and conversely what you don’t do 2. The effectiveness, maturity and breadth of coverage of what you do 3. The risk that is in the remainder of the factorable computation of 1 and 2 5/15/2012 DIR Information Security Forum 12
Truth, Fact and Reality What you do  How well is it working? (effectiveness)  Are you doing it everywhere you need to be? (scope/depth/breadth)  Can you continue doing it consistently? (maturity)  How much does it cost? What you don’t do  Dig for the denominator 5/15/2012 DIR Information Security Forum 13
What you do  People, Process and Technology  Activities, Functions and Interactions  Objectives, Outputs and Oversight  Technological countermeasures and defenses = Controls 5/15/2012 DIR Information Security Forum 14
Not another standard 5/15/2012 DIR Information Security Forum 15
Control Frameworks Framework, Standard or Segmentation Defined Controls Regulation NIST 800-53 26 Families 228 (v3 Moderate) ISO 17799 / 27002 12 Sections 140 1 TAC 202 9 Subsections 110 Title 1 Part 10 Chapter 202 COBIT 5 Process Guidance Areas Metric Boatload 37 High Level Outputs PCI 12 Requirements 211 5/15/2012 DIR Information Security Forum 16
Control Effectiveness, Scope, and Maturity Objective Defined Scope / Effectiveness Maturity Cost Crosswalk Owner / Control Depth CMM Connections Division / Region AC Provision Specific or 90% Optimizing $$$$ 1TAC202Ref Account Groups of HIPAA Req Apps IRS 1075 AC De- Specific or 25% Ad-Hoc $$$$ Standards, provision Groups of Compliance Account System Requirements AC Grant Function 75% Repeatable $$$$ Standards, Access role or org Compliance Priv. Requirements AC Revoke {SOX |PCI 25% Defined $$$$ Standards, Access | HIPAA} Compliance Priv. Systems Requirements 5/15/2012 DIR Information Security Forum 17
Metrics X out of Y Mandatory Compliance Control Activities Implemented  Performed, costing $$  Leaving a remainder of $$ for additional protection control activities  Requiring T time to implement new activities 5/15/2012 DIR Information Security Forum 18
Metrics X out of Y Required Control Activities Implemented  Applied across Z scope  # Performed at E rate of effectiveness  # Performed below E rate of acceptable effectiveness  Time to remediate ineffective processes 5/15/2012 DIR Information Security Forum 19
Operational Control Metric Dashboard 8 1012 8 1012 8 1012 6 14 6 14 6 14 4 16 4 16 4 16 2 18 2 18 2 18 0 20 0 20 0 20 Physical and Environmental Access Control (AC) Configuration Management Protection (PE) (CF) 8 1012 8 1012 8 1012 6 14 6 14 6 14 4 16 4 16 4 16 2 18 2 18 2 18 0 20 0 20 0 20 Incident Response (IR) Digital Media Protection Personnel Security (PS) (MP) 5/15/2012 DIR Information Security Forum 20
Evaluating Residual Risk 5/15/2012 DIR Information Security Forum 21
Where Does the Bridge Lead? Internally  Actually answer the “Are we secure” question  Provide a sustainable program framework  Provide consistency (staff and management) Externally  Establish accountability and assurance 5/15/2012 DIR Information Security Forum 22
Where Can thethe Bridge Where Can Bridge Take Us? Take Us? Outsource Providers  Trust but VERIFIED  To the cloud on more than a wing and prayer Security Product Vendors  Ingredients and functions of security program (Silver Bullets and Assorted Fairy Tales) 5/15/2012 DIR Information Security Forum 23
Summary There is a gap in the perception of security and the reality of what is provided It takes a lot of effective activities that come at a cost to narrow the gap Articulating the size of the gap is difficult Closing the gap with truth and fact is costly, but absolutely necessary 5/15/2012 DIR Information Security Forum 24
About… Capitol of Texas ISSA The preeminent trusted global information security community http://www.austinissa.org @austinissa COMMUNITY -- KNOWLEDGE -- LEARNING -- CAREER HHSC HHSC oversees the operations of the health and human services system, provides administrative oversight of Texas health and human services programs, and provides direct administration of programs. $30B/Year - 200 programs - 56,000 Employees – 1,000 locations - 5 agencies Serving the citizens of Texas Teach Security, Teach Christ; Teach Security In Christ http://www.hackformers.org @hackformers 5/15/2012 DIR Information Security Forum 25
Thank You! Questions? Contact Info: Brian.Engle@hhsc.state.tx.us @brianaengle 5/15/2012 DIR Information Security Forum 26
Let’s start building some bridges. 5/15/2012 DIR Information Security Forum 27

Recommandé

G05.2013 gartner top security trends
G05.2013 gartner top security trendsG05.2013 gartner top security trends
G05.2013 gartner top security trendsSatya Harish
 
From reactive to automated reducing costs through mature security processes i...
From reactive to automated reducing costs through mature security processes i...From reactive to automated reducing costs through mature security processes i...
From reactive to automated reducing costs through mature security processes i...NetIQ
 
Product engineering services at a glance
Product engineering services at a glanceProduct engineering services at a glance
Product engineering services at a glanceHappiest Minds Technologies
 
FFIEC and NIST: What You Need to Know About Two Prevalent New IT Security Com...
FFIEC and NIST: What You Need to Know About Two Prevalent New IT Security Com...FFIEC and NIST: What You Need to Know About Two Prevalent New IT Security Com...
FFIEC and NIST: What You Need to Know About Two Prevalent New IT Security Com...West Monroe Partners
 
2017 Predictions: Identity and Security
2017 Predictions: Identity and Security 2017 Predictions: Identity and Security
2017 Predictions: Identity and Security SecureAuth
 
The value of our data
The value of our dataThe value of our data
The value of our dataEnterpriseGRC Solutions, Inc.
 
Csa summit who can protect us education for cloud security professionals
Csa summit who can protect us education for cloud security professionalsCsa summit who can protect us education for cloud security professionals
Csa summit who can protect us education for cloud security professionalsCSA Argentina
 
Csa summit la transformación digital y el nuevo rol del ciso
Csa summit la transformación digital y el nuevo rol del cisoCsa summit la transformación digital y el nuevo rol del ciso
Csa summit la transformación digital y el nuevo rol del cisoCSA Argentina
 

Recommandé

G05.2013 gartner top security trends
G05.2013 gartner top security trendsG05.2013 gartner top security trends
G05.2013 gartner top security trendsSatya Harish
 
From reactive to automated reducing costs through mature security processes i...
From reactive to automated reducing costs through mature security processes i...From reactive to automated reducing costs through mature security processes i...
From reactive to automated reducing costs through mature security processes i...NetIQ
 
Product engineering services at a glance
Product engineering services at a glanceProduct engineering services at a glance
Product engineering services at a glanceHappiest Minds Technologies
 
FFIEC and NIST: What You Need to Know About Two Prevalent New IT Security Com...
FFIEC and NIST: What You Need to Know About Two Prevalent New IT Security Com...FFIEC and NIST: What You Need to Know About Two Prevalent New IT Security Com...
FFIEC and NIST: What You Need to Know About Two Prevalent New IT Security Com...West Monroe Partners
 
2017 Predictions: Identity and Security
2017 Predictions: Identity and Security 2017 Predictions: Identity and Security
2017 Predictions: Identity and Security SecureAuth
 
The value of our data
The value of our dataThe value of our data
The value of our dataEnterpriseGRC Solutions, Inc.
 
Csa summit who can protect us education for cloud security professionals
Csa summit who can protect us education for cloud security professionalsCsa summit who can protect us education for cloud security professionals
Csa summit who can protect us education for cloud security professionalsCSA Argentina
 
Csa summit la transformación digital y el nuevo rol del ciso
Csa summit la transformación digital y el nuevo rol del cisoCsa summit la transformación digital y el nuevo rol del ciso
Csa summit la transformación digital y el nuevo rol del cisoCSA Argentina
 
Comodo SOC service provider
Comodo SOC service providerComodo SOC service provider
Comodo SOC service providerpaulharry03
 
Feb 18-2015 vasco investor presentation
Feb 18-2015 vasco investor presentationFeb 18-2015 vasco investor presentation
Feb 18-2015 vasco investor presentationVASCO Data Security
 
Vasco Investor Presentation
Vasco Investor PresentationVasco Investor Presentation
Vasco Investor PresentationVASCO Data Security
 
Integrating Cybersecurity into Supply Chain Risk Management
Integrating Cybersecurity into Supply Chain Risk ManagementIntegrating Cybersecurity into Supply Chain Risk Management
Integrating Cybersecurity into Supply Chain Risk ManagementPriyanka Aash
 
Securing fintech - threats, challenges, best practices, ffiec, nist, and beyo...
Securing fintech - threats, challenges, best practices, ffiec, nist, and beyo...Securing fintech - threats, challenges, best practices, ffiec, nist, and beyo...
Securing fintech - threats, challenges, best practices, ffiec, nist, and beyo...Ulf Mattsson
 
AUTOMATING CYBER RISK DETECTION AND PROTECTION WITH SOC 2.0
AUTOMATING CYBER RISK DETECTION AND PROTECTION WITH SOC 2.0AUTOMATING CYBER RISK DETECTION AND PROTECTION WITH SOC 2.0
AUTOMATING CYBER RISK DETECTION AND PROTECTION WITH SOC 2.0Happiest Minds Technologies
 
G06.2014 magic quadrant for secure web gateways
G06.2014 magic quadrant for secure web gatewaysG06.2014 magic quadrant for secure web gateways
G06.2014 magic quadrant for secure web gatewaysSatya Harish
 
Smart security solutions for SMBs
Smart security solutions for SMBsSmart security solutions for SMBs
Smart security solutions for SMBsJyothi Satyanathan
 
Midway Swiss Case Study: Journey towards CMMC Compliance with Ignyte
Midway Swiss Case Study: Journey towards CMMC Compliance with IgnyteMidway Swiss Case Study: Journey towards CMMC Compliance with Ignyte
Midway Swiss Case Study: Journey towards CMMC Compliance with IgnyteIgnyte Assurance Platform
 
The Security Challenge: What's Next?
The Security Challenge: What's Next?The Security Challenge: What's Next?
The Security Challenge: What's Next?Cognizant
 
Understanding The Security Vendor Landscape Using the Cyber Defense Matrix (R...
Understanding The Security Vendor Landscape Using the Cyber Defense Matrix (R...Understanding The Security Vendor Landscape Using the Cyber Defense Matrix (R...
Understanding The Security Vendor Landscape Using the Cyber Defense Matrix (R...Sounil Yu
 
Csa summit cualquier aplicación, desde cualquier dispositivo, en cualquier ...
Csa summit cualquier aplicación, desde cualquier dispositivo, en cualquier ...Csa summit cualquier aplicación, desde cualquier dispositivo, en cualquier ...
Csa summit cualquier aplicación, desde cualquier dispositivo, en cualquier ...CSA Argentina
 
PAC Webinar - "Show me the money!" - evaluating market opportunities in cyber...
PAC Webinar - "Show me the money!" - evaluating market opportunities in cyber...PAC Webinar - "Show me the money!" - evaluating market opportunities in cyber...
PAC Webinar - "Show me the money!" - evaluating market opportunities in cyber...Nicolas Beyer
 
Apr 28-2015 vasco investor presentation
Apr 28-2015 vasco investor presentationApr 28-2015 vasco investor presentation
Apr 28-2015 vasco investor presentationVASCO Data Security
 
IDBI Intech - Information security consulting
IDBI Intech - Information security consultingIDBI Intech - Information security consulting
IDBI Intech - Information security consultingIDBI Intech
 
Csa summit argentina-reavis
Csa summit argentina-reavisCsa summit argentina-reavis
Csa summit argentina-reavisCSA Argentina
 
Understanding the Cyber Security Vendor Landscape
Understanding the Cyber Security Vendor LandscapeUnderstanding the Cyber Security Vendor Landscape
Understanding the Cyber Security Vendor LandscapeSounil Yu
 
Security assessment with a hint of CISSP Prep
Security assessment with a hint of CISSP PrepSecurity assessment with a hint of CISSP Prep
Security assessment with a hint of CISSP PrepEnterpriseGRC Solutions, Inc.
 
Security_360_Marketing_Package
Security_360_Marketing_PackageSecurity_360_Marketing_Package
Security_360_Marketing_PackageRandy B.
 
New Paradigms for the Next Era of Security
New Paradigms for the Next Era of SecurityNew Paradigms for the Next Era of Security
New Paradigms for the Next Era of SecuritySounil Yu
 
From Business Architecture to Security Architecture
From Business Architecture to Security ArchitectureFrom Business Architecture to Security Architecture
From Business Architecture to Security ArchitecturePriyanka Aash
 
Security Maturity Models.
Security Maturity Models.Security Maturity Models.
Security Maturity Models.Priyanka Aash
 

Contenu connexe

Tendances

Comodo SOC service provider
Comodo SOC service providerComodo SOC service provider
Comodo SOC service providerpaulharry03
 
Feb 18-2015 vasco investor presentation
Feb 18-2015 vasco investor presentationFeb 18-2015 vasco investor presentation
Feb 18-2015 vasco investor presentationVASCO Data Security
 
Integrating Cybersecurity into Supply Chain Risk Management
Integrating Cybersecurity into Supply Chain Risk ManagementIntegrating Cybersecurity into Supply Chain Risk Management
Integrating Cybersecurity into Supply Chain Risk ManagementPriyanka Aash
 
Securing fintech - threats, challenges, best practices, ffiec, nist, and beyo...
Securing fintech - threats, challenges, best practices, ffiec, nist, and beyo...Securing fintech - threats, challenges, best practices, ffiec, nist, and beyo...
Securing fintech - threats, challenges, best practices, ffiec, nist, and beyo...Ulf Mattsson
 
AUTOMATING CYBER RISK DETECTION AND PROTECTION WITH SOC 2.0
AUTOMATING CYBER RISK DETECTION AND PROTECTION WITH SOC 2.0AUTOMATING CYBER RISK DETECTION AND PROTECTION WITH SOC 2.0
AUTOMATING CYBER RISK DETECTION AND PROTECTION WITH SOC 2.0Happiest Minds Technologies
 
G06.2014 magic quadrant for secure web gateways
G06.2014 magic quadrant for secure web gatewaysG06.2014 magic quadrant for secure web gateways
G06.2014 magic quadrant for secure web gatewaysSatya Harish
 
Smart security solutions for SMBs
Smart security solutions for SMBsSmart security solutions for SMBs
Smart security solutions for SMBsJyothi Satyanathan
 
Midway Swiss Case Study: Journey towards CMMC Compliance with Ignyte
Midway Swiss Case Study: Journey towards CMMC Compliance with IgnyteMidway Swiss Case Study: Journey towards CMMC Compliance with Ignyte
Midway Swiss Case Study: Journey towards CMMC Compliance with IgnyteIgnyte Assurance Platform
 
The Security Challenge: What's Next?
The Security Challenge: What's Next?The Security Challenge: What's Next?
The Security Challenge: What's Next?Cognizant
 
Understanding The Security Vendor Landscape Using the Cyber Defense Matrix (R...
Understanding The Security Vendor Landscape Using the Cyber Defense Matrix (R...Understanding The Security Vendor Landscape Using the Cyber Defense Matrix (R...
Understanding The Security Vendor Landscape Using the Cyber Defense Matrix (R...Sounil Yu
 
Csa summit cualquier aplicación, desde cualquier dispositivo, en cualquier ...
Csa summit cualquier aplicación, desde cualquier dispositivo, en cualquier ...Csa summit cualquier aplicación, desde cualquier dispositivo, en cualquier ...
Csa summit cualquier aplicación, desde cualquier dispositivo, en cualquier ...CSA Argentina
 
PAC Webinar - "Show me the money!" - evaluating market opportunities in cyber...
PAC Webinar - "Show me the money!" - evaluating market opportunities in cyber...PAC Webinar - "Show me the money!" - evaluating market opportunities in cyber...
PAC Webinar - "Show me the money!" - evaluating market opportunities in cyber...Nicolas Beyer
 
Apr 28-2015 vasco investor presentation
Apr 28-2015 vasco investor presentationApr 28-2015 vasco investor presentation
Apr 28-2015 vasco investor presentationVASCO Data Security
 
IDBI Intech - Information security consulting
IDBI Intech - Information security consultingIDBI Intech - Information security consulting
IDBI Intech - Information security consultingIDBI Intech
 
Csa summit argentina-reavis
Csa summit argentina-reavisCsa summit argentina-reavis
Csa summit argentina-reavisCSA Argentina
 
Understanding the Cyber Security Vendor Landscape
Understanding the Cyber Security Vendor LandscapeUnderstanding the Cyber Security Vendor Landscape
Understanding the Cyber Security Vendor LandscapeSounil Yu
 
Security_360_Marketing_Package
Security_360_Marketing_PackageSecurity_360_Marketing_Package
Security_360_Marketing_PackageRandy B.
 
New Paradigms for the Next Era of Security
New Paradigms for the Next Era of SecurityNew Paradigms for the Next Era of Security
New Paradigms for the Next Era of SecuritySounil Yu
 

Tendances (20)

Comodo SOC service provider
Comodo SOC service providerComodo SOC service provider
Comodo SOC service provider
 
Feb 18-2015 vasco investor presentation
Feb 18-2015 vasco investor presentationFeb 18-2015 vasco investor presentation
Feb 18-2015 vasco investor presentation
 
Vasco Investor Presentation
Vasco Investor PresentationVasco Investor Presentation
Vasco Investor Presentation
 
Integrating Cybersecurity into Supply Chain Risk Management
Integrating Cybersecurity into Supply Chain Risk ManagementIntegrating Cybersecurity into Supply Chain Risk Management
Integrating Cybersecurity into Supply Chain Risk Management
 
Securing fintech - threats, challenges, best practices, ffiec, nist, and beyo...
Securing fintech - threats, challenges, best practices, ffiec, nist, and beyo...Securing fintech - threats, challenges, best practices, ffiec, nist, and beyo...
Securing fintech - threats, challenges, best practices, ffiec, nist, and beyo...
 
AUTOMATING CYBER RISK DETECTION AND PROTECTION WITH SOC 2.0
AUTOMATING CYBER RISK DETECTION AND PROTECTION WITH SOC 2.0AUTOMATING CYBER RISK DETECTION AND PROTECTION WITH SOC 2.0
AUTOMATING CYBER RISK DETECTION AND PROTECTION WITH SOC 2.0
 
G06.2014 magic quadrant for secure web gateways
G06.2014 magic quadrant for secure web gatewaysG06.2014 magic quadrant for secure web gateways
G06.2014 magic quadrant for secure web gateways
 
Smart security solutions for SMBs
Smart security solutions for SMBsSmart security solutions for SMBs
Smart security solutions for SMBs
 
Midway Swiss Case Study: Journey towards CMMC Compliance with Ignyte
Midway Swiss Case Study: Journey towards CMMC Compliance with IgnyteMidway Swiss Case Study: Journey towards CMMC Compliance with Ignyte
Midway Swiss Case Study: Journey towards CMMC Compliance with Ignyte
 
The Security Challenge: What's Next?
The Security Challenge: What's Next?The Security Challenge: What's Next?
The Security Challenge: What's Next?
 
Understanding The Security Vendor Landscape Using the Cyber Defense Matrix (R...
Understanding The Security Vendor Landscape Using the Cyber Defense Matrix (R...Understanding The Security Vendor Landscape Using the Cyber Defense Matrix (R...
Understanding The Security Vendor Landscape Using the Cyber Defense Matrix (R...
 
Csa summit cualquier aplicación, desde cualquier dispositivo, en cualquier ...
Csa summit cualquier aplicación, desde cualquier dispositivo, en cualquier ...Csa summit cualquier aplicación, desde cualquier dispositivo, en cualquier ...
Csa summit cualquier aplicación, desde cualquier dispositivo, en cualquier ...
 
PAC Webinar - "Show me the money!" - evaluating market opportunities in cyber...
PAC Webinar - "Show me the money!" - evaluating market opportunities in cyber...PAC Webinar - "Show me the money!" - evaluating market opportunities in cyber...
PAC Webinar - "Show me the money!" - evaluating market opportunities in cyber...
 
Apr 28-2015 vasco investor presentation
Apr 28-2015 vasco investor presentationApr 28-2015 vasco investor presentation
Apr 28-2015 vasco investor presentation
 
IDBI Intech - Information security consulting
IDBI Intech - Information security consultingIDBI Intech - Information security consulting
IDBI Intech - Information security consulting
 
Csa summit argentina-reavis
Csa summit argentina-reavisCsa summit argentina-reavis
Csa summit argentina-reavis
 
Understanding the Cyber Security Vendor Landscape
Understanding the Cyber Security Vendor LandscapeUnderstanding the Cyber Security Vendor Landscape
Understanding the Cyber Security Vendor Landscape
 
Security assessment with a hint of CISSP Prep
Security assessment with a hint of CISSP PrepSecurity assessment with a hint of CISSP Prep
Security assessment with a hint of CISSP Prep
 
Security_360_Marketing_Package
Security_360_Marketing_PackageSecurity_360_Marketing_Package
Security_360_Marketing_Package
 
New Paradigms for the Next Era of Security
New Paradigms for the Next Era of SecurityNew Paradigms for the Next Era of Security
New Paradigms for the Next Era of Security
 

En vedette

From Business Architecture to Security Architecture
From Business Architecture to Security ArchitectureFrom Business Architecture to Security Architecture
From Business Architecture to Security ArchitecturePriyanka Aash
 
Security Maturity Models.
Security Maturity Models.Security Maturity Models.
Security Maturity Models.Priyanka Aash
 
Security metrics 2
Security metrics 2Security metrics 2
Security metrics 2Manish Kumar
 
Jack Nichelson - Information Security Metrics - Practical Security Metrics
Jack Nichelson - Information Security Metrics - Practical Security MetricsJack Nichelson - Information Security Metrics - Practical Security Metrics
Jack Nichelson - Information Security Metrics - Practical Security Metricscentralohioissa
 
Pengenalan Keamanan Sistem IT
Pengenalan Keamanan Sistem ITPengenalan Keamanan Sistem IT
Pengenalan Keamanan Sistem ITMark Thalib
 
Application Security Maturity Model
Application Security Maturity ModelApplication Security Maturity Model
Application Security Maturity ModelSecurity Innovation
 
SABSA - Business Attributes Profiling
SABSA - Business Attributes ProfilingSABSA - Business Attributes Profiling
SABSA - Business Attributes ProfilingSABSAcourses
 
Meaningfull security metrics
Meaningfull security metricsMeaningfull security metrics
Meaningfull security metricsVladimir Jirasek
 
Enterprise Security Architecture
Enterprise Security ArchitectureEnterprise Security Architecture
Enterprise Security ArchitecturePriyanka Aash
 
Practical Enterprise Security Architecture
Practical Enterprise Security Architecture Practical Enterprise Security Architecture
Practical Enterprise Security Architecture Priyanka Aash
 
Global Cyber Security Outlook - Deloitte (Hotel_Digital_Security_Seminar_Sept...
Global Cyber Security Outlook - Deloitte (Hotel_Digital_Security_Seminar_Sept...Global Cyber Security Outlook - Deloitte (Hotel_Digital_Security_Seminar_Sept...
Global Cyber Security Outlook - Deloitte (Hotel_Digital_Security_Seminar_Sept...XEventsHospitality
 
Enterprise Architecture and Information Security
Enterprise Architecture and Information SecurityEnterprise Architecture and Information Security
Enterprise Architecture and Information SecurityJohn Macasio
 
A Practical Example to Using SABSA Extended Security-in-Depth Strategy
A Practical Example to Using SABSA Extended Security-in-Depth Strategy A Practical Example to Using SABSA Extended Security-in-Depth Strategy
A Practical Example to Using SABSA Extended Security-in-Depth Strategy Allen Baranov
 
Enterprise Security Architecture
Enterprise Security ArchitectureEnterprise Security Architecture
Enterprise Security ArchitecturePriyanka Aash
 

En vedette (20)

From Business Architecture to Security Architecture
From Business Architecture to Security ArchitectureFrom Business Architecture to Security Architecture
From Business Architecture to Security Architecture
 
Security Maturity Models.
Security Maturity Models.Security Maturity Models.
Security Maturity Models.
 
Security metrics 2
Security metrics 2Security metrics 2
Security metrics 2
 
Jack Nichelson - Information Security Metrics - Practical Security Metrics
Jack Nichelson - Information Security Metrics - Practical Security MetricsJack Nichelson - Information Security Metrics - Practical Security Metrics
Jack Nichelson - Information Security Metrics - Practical Security Metrics
 
Pengenalan Keamanan Sistem IT
Pengenalan Keamanan Sistem ITPengenalan Keamanan Sistem IT
Pengenalan Keamanan Sistem IT
 
Application Security Maturity Model
Application Security Maturity ModelApplication Security Maturity Model
Application Security Maturity Model
 
SABSA Implementation(Part IV)_ver1-0
SABSA Implementation(Part IV)_ver1-0SABSA Implementation(Part IV)_ver1-0
SABSA Implementation(Part IV)_ver1-0
 
SABSA Implementation(Part V)_ver1-0
SABSA Implementation(Part V)_ver1-0SABSA Implementation(Part V)_ver1-0
SABSA Implementation(Part V)_ver1-0
 
SABSA Implementation(Part II)_ver1-0
SABSA Implementation(Part II)_ver1-0SABSA Implementation(Part II)_ver1-0
SABSA Implementation(Part II)_ver1-0
 
SABSA Implementation(Part III)_ver1-0
SABSA Implementation(Part III)_ver1-0SABSA Implementation(Part III)_ver1-0
SABSA Implementation(Part III)_ver1-0
 
SABSA - Business Attributes Profiling
SABSA - Business Attributes ProfilingSABSA - Business Attributes Profiling
SABSA - Business Attributes Profiling
 
SABSA Implementation(Part VI)_ver1-0
SABSA Implementation(Part VI)_ver1-0SABSA Implementation(Part VI)_ver1-0
SABSA Implementation(Part VI)_ver1-0
 
Meaningfull security metrics
Meaningfull security metricsMeaningfull security metrics
Meaningfull security metrics
 
Enterprise Security Architecture
Enterprise Security ArchitectureEnterprise Security Architecture
Enterprise Security Architecture
 
Practical Enterprise Security Architecture
Practical Enterprise Security Architecture Practical Enterprise Security Architecture
Practical Enterprise Security Architecture
 
Global Cyber Security Outlook - Deloitte (Hotel_Digital_Security_Seminar_Sept...
Global Cyber Security Outlook - Deloitte (Hotel_Digital_Security_Seminar_Sept...Global Cyber Security Outlook - Deloitte (Hotel_Digital_Security_Seminar_Sept...
Global Cyber Security Outlook - Deloitte (Hotel_Digital_Security_Seminar_Sept...
 
SABSA Implementation(Part I)_ver1-0
SABSA Implementation(Part I)_ver1-0SABSA Implementation(Part I)_ver1-0
SABSA Implementation(Part I)_ver1-0
 
Enterprise Architecture and Information Security
Enterprise Architecture and Information SecurityEnterprise Architecture and Information Security
Enterprise Architecture and Information Security
 
A Practical Example to Using SABSA Extended Security-in-Depth Strategy
A Practical Example to Using SABSA Extended Security-in-Depth Strategy A Practical Example to Using SABSA Extended Security-in-Depth Strategy
A Practical Example to Using SABSA Extended Security-in-Depth Strategy
 
Enterprise Security Architecture
Enterprise Security ArchitectureEnterprise Security Architecture
Enterprise Security Architecture
 

Similaire à Building Bridges: Security Metrics to Narrow the Chasm Between Perception and Reality

OneAudit™ - Assess Once, Certify to Many
OneAudit™ - Assess Once, Certify to ManyOneAudit™ - Assess Once, Certify to Many
OneAudit™ - Assess Once, Certify to ManyControlCase
 
How to implement security compliance with SanerNow
How to implement security compliance with SanerNowHow to implement security compliance with SanerNow
How to implement security compliance with SanerNowSecPod
 
7 Mistakes of IT Security Compliance - and Steps to Avoid Them
7 Mistakes of IT Security Compliance - and Steps to Avoid Them7 Mistakes of IT Security Compliance - and Steps to Avoid Them
7 Mistakes of IT Security Compliance - and Steps to Avoid ThemSasha Nunke
 
How BlueHat Cyber Uses SanerNow to Automate Patch Management and Beyond
How BlueHat Cyber Uses SanerNow to Automate Patch Management and BeyondHow BlueHat Cyber Uses SanerNow to Automate Patch Management and Beyond
How BlueHat Cyber Uses SanerNow to Automate Patch Management and BeyondSecPod Technologies
 
Dubai Cyber Security 02 Ics Scada Cyber Security Standards, Solution Tips...
Dubai Cyber Security 02 Ics Scada Cyber Security Standards, Solution Tips...Dubai Cyber Security 02 Ics Scada Cyber Security Standards, Solution Tips...
Dubai Cyber Security 02 Ics Scada Cyber Security Standards, Solution Tips...Ahmed Al Enizi
 
RSAC 365 2021 Virtual Summit Spotlite Presentation on Security Chaos Engineering
RSAC 365 2021 Virtual Summit Spotlite Presentation on Security Chaos EngineeringRSAC 365 2021 Virtual Summit Spotlite Presentation on Security Chaos Engineering
RSAC 365 2021 Virtual Summit Spotlite Presentation on Security Chaos EngineeringAaron Rinehart
 
Adaptive & Unified Approach to Risk Management & Compliance-via-ccf
Adaptive & Unified Approach to Risk Management & Compliance-via-ccfAdaptive & Unified Approach to Risk Management & Compliance-via-ccf
Adaptive & Unified Approach to Risk Management & Compliance-via-ccfawish11
 
Securing the Future of Safety and Security of Embedded Software
Securing the Future of Safety and Security of Embedded SoftwareSecuring the Future of Safety and Security of Embedded Software
Securing the Future of Safety and Security of Embedded SoftwareAdaCore
 
Cisco on Cisco. Defining the NG Cloud & Data Center Services
Cisco on Cisco. Defining the NG Cloud & Data Center ServicesCisco on Cisco. Defining the NG Cloud & Data Center Services
Cisco on Cisco. Defining the NG Cloud & Data Center ServicesCisco Russia
 
Continuous Compliance Monitoring
Continuous Compliance MonitoringContinuous Compliance Monitoring
Continuous Compliance MonitoringControlCase
 
An Intro to Resolver's InfoSec Application (RiskVision)
An Intro to Resolver's InfoSec Application (RiskVision)An Intro to Resolver's InfoSec Application (RiskVision)
An Intro to Resolver's InfoSec Application (RiskVision)Resolver Inc.
 
Presentation to Irish ISSA Conference 12-May-11
Presentation to Irish ISSA Conference 12-May-11Presentation to Irish ISSA Conference 12-May-11
Presentation to Irish ISSA Conference 12-May-11Michael Ofarrell
 
Vendor Management for PCI DSS, HIPAA, and FFIEC
Vendor Management for PCI DSS, HIPAA, and FFIECVendor Management for PCI DSS, HIPAA, and FFIEC
Vendor Management for PCI DSS, HIPAA, and FFIECControlCase
 
06_Joeri Van Speybroek_Dell_MeetupDora&Cybersecurity.pdf
06_Joeri Van Speybroek_Dell_MeetupDora&Cybersecurity.pdf06_Joeri Van Speybroek_Dell_MeetupDora&Cybersecurity.pdf
06_Joeri Van Speybroek_Dell_MeetupDora&Cybersecurity.pdfFinTech Belgium
 
Moving Enterprise Applications to the Cloud
Moving Enterprise Applications to the CloudMoving Enterprise Applications to the Cloud
Moving Enterprise Applications to the CloudVISI
 
2013 PMA Business Security Insights
2013 PMA Business Security Insights2013 PMA Business Security Insights
2013 PMA Business Security Insightsgotopaz
 
Bridging the Gap Between Your Security Defenses and Critical Data
Bridging the Gap Between Your Security Defenses and Critical DataBridging the Gap Between Your Security Defenses and Critical Data
Bridging the Gap Between Your Security Defenses and Critical DataIBM Security
 
Modern Network Compliance: What It Is & How to Achieve It
Modern Network Compliance: What It Is & How to Achieve ItModern Network Compliance: What It Is & How to Achieve It
Modern Network Compliance: What It Is & How to Achieve ItItential
 
ControlCase CMMC Basics Deck Final.pdf
ControlCase CMMC Basics Deck Final.pdfControlCase CMMC Basics Deck Final.pdf
ControlCase CMMC Basics Deck Final.pdfAmyPoblete3
 

Similaire à Building Bridges: Security Metrics to Narrow the Chasm Between Perception and Reality (20)

OneAudit™ - Assess Once, Certify to Many
OneAudit™ - Assess Once, Certify to ManyOneAudit™ - Assess Once, Certify to Many
OneAudit™ - Assess Once, Certify to Many
 
How to implement security compliance with SanerNow
How to implement security compliance with SanerNowHow to implement security compliance with SanerNow
How to implement security compliance with SanerNow
 
7 Mistakes of IT Security Compliance - and Steps to Avoid Them
7 Mistakes of IT Security Compliance - and Steps to Avoid Them7 Mistakes of IT Security Compliance - and Steps to Avoid Them
7 Mistakes of IT Security Compliance - and Steps to Avoid Them
 
How BlueHat Cyber Uses SanerNow to Automate Patch Management and Beyond
How BlueHat Cyber Uses SanerNow to Automate Patch Management and BeyondHow BlueHat Cyber Uses SanerNow to Automate Patch Management and Beyond
How BlueHat Cyber Uses SanerNow to Automate Patch Management and Beyond
 
Dubai Cyber Security 02 Ics Scada Cyber Security Standards, Solution Tips...
Dubai Cyber Security 02 Ics Scada Cyber Security Standards, Solution Tips...Dubai Cyber Security 02 Ics Scada Cyber Security Standards, Solution Tips...
Dubai Cyber Security 02 Ics Scada Cyber Security Standards, Solution Tips...
 
RSAC 365 2021 Virtual Summit Spotlite Presentation on Security Chaos Engineering
RSAC 365 2021 Virtual Summit Spotlite Presentation on Security Chaos EngineeringRSAC 365 2021 Virtual Summit Spotlite Presentation on Security Chaos Engineering
RSAC 365 2021 Virtual Summit Spotlite Presentation on Security Chaos Engineering
 
Adaptive & Unified Approach to Risk Management & Compliance-via-ccf
Adaptive & Unified Approach to Risk Management & Compliance-via-ccfAdaptive & Unified Approach to Risk Management & Compliance-via-ccf
Adaptive & Unified Approach to Risk Management & Compliance-via-ccf
 
Securing the Future of Safety and Security of Embedded Software
Securing the Future of Safety and Security of Embedded SoftwareSecuring the Future of Safety and Security of Embedded Software
Securing the Future of Safety and Security of Embedded Software
 
Cisco on Cisco. Defining the NG Cloud & Data Center Services
Cisco on Cisco. Defining the NG Cloud & Data Center ServicesCisco on Cisco. Defining the NG Cloud & Data Center Services
Cisco on Cisco. Defining the NG Cloud & Data Center Services
 
Continuous Compliance Monitoring
Continuous Compliance MonitoringContinuous Compliance Monitoring
Continuous Compliance Monitoring
 
An Intro to Resolver's InfoSec Application (RiskVision)
An Intro to Resolver's InfoSec Application (RiskVision)An Intro to Resolver's InfoSec Application (RiskVision)
An Intro to Resolver's InfoSec Application (RiskVision)
 
Presentation to Irish ISSA Conference 12-May-11
Presentation to Irish ISSA Conference 12-May-11Presentation to Irish ISSA Conference 12-May-11
Presentation to Irish ISSA Conference 12-May-11
 
Vendor Management for PCI DSS, HIPAA, and FFIEC
Vendor Management for PCI DSS, HIPAA, and FFIECVendor Management for PCI DSS, HIPAA, and FFIEC
Vendor Management for PCI DSS, HIPAA, and FFIEC
 
06_Joeri Van Speybroek_Dell_MeetupDora&Cybersecurity.pdf
06_Joeri Van Speybroek_Dell_MeetupDora&Cybersecurity.pdf06_Joeri Van Speybroek_Dell_MeetupDora&Cybersecurity.pdf
06_Joeri Van Speybroek_Dell_MeetupDora&Cybersecurity.pdf
 
Moving Enterprise Applications to the Cloud
Moving Enterprise Applications to the CloudMoving Enterprise Applications to the Cloud
Moving Enterprise Applications to the Cloud
 
2013 PMA Business Security Insights
2013 PMA Business Security Insights2013 PMA Business Security Insights
2013 PMA Business Security Insights
 
Bridging the Gap Between Your Security Defenses and Critical Data
Bridging the Gap Between Your Security Defenses and Critical DataBridging the Gap Between Your Security Defenses and Critical Data
Bridging the Gap Between Your Security Defenses and Critical Data
 
Check Point Corporate Overview 2020 - Detailed
Check Point Corporate Overview 2020 - DetailedCheck Point Corporate Overview 2020 - Detailed
Check Point Corporate Overview 2020 - Detailed
 
Modern Network Compliance: What It Is & How to Achieve It
Modern Network Compliance: What It Is & How to Achieve ItModern Network Compliance: What It Is & How to Achieve It
Modern Network Compliance: What It Is & How to Achieve It
 
ControlCase CMMC Basics Deck Final.pdf
ControlCase CMMC Basics Deck Final.pdfControlCase CMMC Basics Deck Final.pdf
ControlCase CMMC Basics Deck Final.pdf
 

Plus de InnoTech

"So you want to raise funding and build a team?"
"So you want to raise funding and build a team?""So you want to raise funding and build a team?"
"So you want to raise funding and build a team?"InnoTech
 
Artificial Intelligence is Maturing
Artificial Intelligence is MaturingArtificial Intelligence is Maturing
Artificial Intelligence is MaturingInnoTech
 
What is AI without Data?
What is AI without Data?What is AI without Data?
What is AI without Data?InnoTech
 
Courageous Leadership - When it Matters Most
Courageous Leadership - When it Matters MostCourageous Leadership - When it Matters Most
Courageous Leadership - When it Matters MostInnoTech
 
The Gathering Storm
The Gathering StormThe Gathering Storm
The Gathering StormInnoTech
 
Sql Server tips from the field
Sql Server tips from the fieldSql Server tips from the field
Sql Server tips from the fieldInnoTech
 
Quantum Computing and its security implications
Quantum Computing and its security implicationsQuantum Computing and its security implications
Quantum Computing and its security implicationsInnoTech
 
Converged Infrastructure
Converged InfrastructureConverged Infrastructure
Converged InfrastructureInnoTech
 
Making the most out of collaboration with Office 365
Making the most out of collaboration with Office 365Making the most out of collaboration with Office 365
Making the most out of collaboration with Office 365InnoTech
 
Blockchain use cases and case studies
Blockchain use cases and case studiesBlockchain use cases and case studies
Blockchain use cases and case studiesInnoTech
 
Blockchain: Exploring the Fundamentals and Promising Potential
Blockchain: Exploring the Fundamentals and Promising Potential Blockchain: Exploring the Fundamentals and Promising Potential
Blockchain: Exploring the Fundamentals and Promising Potential InnoTech
 
Business leaders are engaging labor differently - Is your IT ready?
Business leaders are engaging labor differently - Is your IT ready?Business leaders are engaging labor differently - Is your IT ready?
Business leaders are engaging labor differently - Is your IT ready?InnoTech
 
AI 3.0: Is it Finally Time for Artificial Intelligence and Sensor Networks to...
AI 3.0: Is it Finally Time for Artificial Intelligence and Sensor Networks to...AI 3.0: Is it Finally Time for Artificial Intelligence and Sensor Networks to...
AI 3.0: Is it Finally Time for Artificial Intelligence and Sensor Networks to...InnoTech
 
Using Business Intelligence to Bring Your Data to Life
Using Business Intelligence to Bring Your Data to LifeUsing Business Intelligence to Bring Your Data to Life
Using Business Intelligence to Bring Your Data to LifeInnoTech
 
User requirements is a fallacy
User requirements is a fallacyUser requirements is a fallacy
User requirements is a fallacyInnoTech
 
What I Wish I Knew Before I Signed that Contract - San Antonio
What I Wish I Knew Before I Signed that Contract - San Antonio What I Wish I Knew Before I Signed that Contract - San Antonio
What I Wish I Knew Before I Signed that Contract - San Antonio InnoTech
 
Disaster Recovery Plan - Quorum
Disaster Recovery Plan - QuorumDisaster Recovery Plan - Quorum
Disaster Recovery Plan - QuorumInnoTech
 
Share point saturday access services 2015 final 2
Share point saturday access services 2015 final 2Share point saturday access services 2015 final 2
Share point saturday access services 2015 final 2InnoTech
 
Sp tech festdallas - office 365 groups - planner session
Sp tech festdallas - office 365 groups - planner sessionSp tech festdallas - office 365 groups - planner session
Sp tech festdallas - office 365 groups - planner sessionInnoTech
 
Power apps presentation
Power apps presentationPower apps presentation
Power apps presentationInnoTech
 

Plus de InnoTech (20)

"So you want to raise funding and build a team?"
"So you want to raise funding and build a team?""So you want to raise funding and build a team?"
"So you want to raise funding and build a team?"
 
Artificial Intelligence is Maturing
Artificial Intelligence is MaturingArtificial Intelligence is Maturing
Artificial Intelligence is Maturing
 
What is AI without Data?
What is AI without Data?What is AI without Data?
What is AI without Data?
 
Courageous Leadership - When it Matters Most
Courageous Leadership - When it Matters MostCourageous Leadership - When it Matters Most
Courageous Leadership - When it Matters Most
 
The Gathering Storm
The Gathering StormThe Gathering Storm
The Gathering Storm
 
Sql Server tips from the field
Sql Server tips from the fieldSql Server tips from the field
Sql Server tips from the field
 
Quantum Computing and its security implications
Quantum Computing and its security implicationsQuantum Computing and its security implications
Quantum Computing and its security implications
 
Converged Infrastructure
Converged InfrastructureConverged Infrastructure
Converged Infrastructure
 
Making the most out of collaboration with Office 365
Making the most out of collaboration with Office 365Making the most out of collaboration with Office 365
Making the most out of collaboration with Office 365
 
Blockchain use cases and case studies
Blockchain use cases and case studiesBlockchain use cases and case studies
Blockchain use cases and case studies
 
Blockchain: Exploring the Fundamentals and Promising Potential
Blockchain: Exploring the Fundamentals and Promising Potential Blockchain: Exploring the Fundamentals and Promising Potential
Blockchain: Exploring the Fundamentals and Promising Potential
 
Business leaders are engaging labor differently - Is your IT ready?
Business leaders are engaging labor differently - Is your IT ready?Business leaders are engaging labor differently - Is your IT ready?
Business leaders are engaging labor differently - Is your IT ready?
 
AI 3.0: Is it Finally Time for Artificial Intelligence and Sensor Networks to...
AI 3.0: Is it Finally Time for Artificial Intelligence and Sensor Networks to...AI 3.0: Is it Finally Time for Artificial Intelligence and Sensor Networks to...
AI 3.0: Is it Finally Time for Artificial Intelligence and Sensor Networks to...
 
Using Business Intelligence to Bring Your Data to Life
Using Business Intelligence to Bring Your Data to LifeUsing Business Intelligence to Bring Your Data to Life
Using Business Intelligence to Bring Your Data to Life
 
User requirements is a fallacy
User requirements is a fallacyUser requirements is a fallacy
User requirements is a fallacy
 
What I Wish I Knew Before I Signed that Contract - San Antonio
What I Wish I Knew Before I Signed that Contract - San Antonio What I Wish I Knew Before I Signed that Contract - San Antonio
What I Wish I Knew Before I Signed that Contract - San Antonio
 
Disaster Recovery Plan - Quorum
Disaster Recovery Plan - QuorumDisaster Recovery Plan - Quorum
Disaster Recovery Plan - Quorum
 
Share point saturday access services 2015 final 2
Share point saturday access services 2015 final 2Share point saturday access services 2015 final 2
Share point saturday access services 2015 final 2
 
Sp tech festdallas - office 365 groups - planner session
Sp tech festdallas - office 365 groups - planner sessionSp tech festdallas - office 365 groups - planner session
Sp tech festdallas - office 365 groups - planner session
 
Power apps presentation
Power apps presentationPower apps presentation
Power apps presentation
 

Dernier

Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...apidays
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?Antenna Manufacturer Coco
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilV3cube
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAndrey Devyatkin
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdflior mazor
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 

Dernier (20)

Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of Brazil
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 

Building Bridges: Security Metrics to Narrow the Chasm Between Perception and Reality

  • 1. BUILDING BRIDGES Security Metrics to Narrow the Chasm Between Perception and Reality Brian A. Engle CISO, Texas Health and Human Services Commission
  • 2. Agenda In the beginning…  What created the perception chasm?  Contributing factors that widen the chasm Truth, Fact and Reality  Primary support materials to bridge the gap  Construction elements and design Where can the bridge take us…  Practical uses and worthy destinations 5/15/2012 DIR Information Security Forum 2
  • 3. Speaking in tongues Ponemon Second Annual Cost of Cyber Crime Study Viruses, worms, Trojans ==> 100% Malware ==> 96% Malicious Code ==> 42%  Virtually all organizations experienced attacks relating to viruses, worms and/or trojans over the four-week benchmarking period. Ninety-six percent experienced malware attacks, 82 percent experienced botnets, 64 percent experienced Web-based attacks, 44 percent experienced stolen or hijacked computing devices, 42 percent experienced malicious code, and 30 percent experienced malicious insiders.  Footnote - Malware attacks and malicious code attacks are inextricably linked. We classified malware attacks that successfully infiltrated the organizations’ networks or enterprise systems as a malicious code attack. 5/15/2012 DIR Information Security Forum 3
  • 4. The Bigger Picture  Standards interpreted and implemented with tribal inconsistency  Ambiguous regulations, laws, audit and compliance requirements  Qualitative risk math in vivid Technicolor  Voodoo and Magic Fairy Dust  Personality based bias and trust  The “End of the World” as we know it vulnerabilities  Misguided faith in legacy protection and various technologies 5/15/2012 DIR Information Security Forum 4
  • 5. Mobility Virtualization Cyber <InsertTermHere> threat war terrorists activists hacktivists bully Consumerization cybercybercybercyber 5/15/2012 DIR Information Security Forum 5
  • 6. You want me on that wall… You need me on that wall… What happened to the wall? 5/15/2012 DIR Information Security Forum 6
  • 7. Executive Dashboard Financial Metrics Investment metrics do not validate security  ROI for Security?  Cost Avoidance?  Insurance Comparisons % of Security Spend Compared to Overall IT Spend  Comparative, but irrelevant Consider % of Security Spend Compared to Overall Company Expenditures 5/15/2012 DIR Information Security Forum 7
  • 8. Gartner Security Maturity Model 5/15/2012 DIR Information Security Forum 8
  • 9. So close, yet so far away… 5/15/2012 DIR Information Security Forum 9
  • 10. 5/15/2012 DIR Information Security Forum 10
  • 11. Jaquith’s Laws of Metrics  Consistently measured without subjective criteria  Expressed as a cardinal number or percentage, not qualitative  Expressed using at least one unit of measure  Contextually specific / relevant such that they are actionable  Cheap to gather 5/15/2012 DIR Information Security Forum 11
  • 12. 3 “Simple” Metrics 1. What you do - and conversely what you don’t do 2. The effectiveness, maturity and breadth of coverage of what you do 3. The risk that is in the remainder of the factorable computation of 1 and 2 5/15/2012 DIR Information Security Forum 12
  • 13. Truth, Fact and Reality What you do  How well is it working? (effectiveness)  Are you doing it everywhere you need to be? (scope/depth/breadth)  Can you continue doing it consistently? (maturity)  How much does it cost? What you don’t do  Dig for the denominator 5/15/2012 DIR Information Security Forum 13
  • 14. What you do  People, Process and Technology  Activities, Functions and Interactions  Objectives, Outputs and Oversight  Technological countermeasures and defenses = Controls 5/15/2012 DIR Information Security Forum 14
  • 15. Not another standard 5/15/2012 DIR Information Security Forum 15
  • 16. Control Frameworks Framework, Standard or Segmentation Defined Controls Regulation NIST 800-53 26 Families 228 (v3 Moderate) ISO 17799 / 27002 12 Sections 140 1 TAC 202 9 Subsections 110 Title 1 Part 10 Chapter 202 COBIT 5 Process Guidance Areas Metric Boatload 37 High Level Outputs PCI 12 Requirements 211 5/15/2012 DIR Information Security Forum 16
  • 17. Control Effectiveness, Scope, and Maturity Objective Defined Scope / Effectiveness Maturity Cost Crosswalk Owner / Control Depth CMM Connections Division / Region AC Provision Specific or 90% Optimizing $$$$ 1TAC202Ref Account Groups of HIPAA Req Apps IRS 1075 AC De- Specific or 25% Ad-Hoc $$$$ Standards, provision Groups of Compliance Account System Requirements AC Grant Function 75% Repeatable $$$$ Standards, Access role or org Compliance Priv. Requirements AC Revoke {SOX |PCI 25% Defined $$$$ Standards, Access | HIPAA} Compliance Priv. Systems Requirements 5/15/2012 DIR Information Security Forum 17
  • 18. Metrics X out of Y Mandatory Compliance Control Activities Implemented  Performed, costing $$  Leaving a remainder of $$ for additional protection control activities  Requiring T time to implement new activities 5/15/2012 DIR Information Security Forum 18
  • 19. Metrics X out of Y Required Control Activities Implemented  Applied across Z scope  # Performed at E rate of effectiveness  # Performed below E rate of acceptable effectiveness  Time to remediate ineffective processes 5/15/2012 DIR Information Security Forum 19
  • 20. Operational Control Metric Dashboard 8 1012 8 1012 8 1012 6 14 6 14 6 14 4 16 4 16 4 16 2 18 2 18 2 18 0 20 0 20 0 20 Physical and Environmental Access Control (AC) Configuration Management Protection (PE) (CF) 8 1012 8 1012 8 1012 6 14 6 14 6 14 4 16 4 16 4 16 2 18 2 18 2 18 0 20 0 20 0 20 Incident Response (IR) Digital Media Protection Personnel Security (PS) (MP) 5/15/2012 DIR Information Security Forum 20
  • 21. Evaluating Residual Risk 5/15/2012 DIR Information Security Forum 21
  • 22. Where Does the Bridge Lead? Internally  Actually answer the “Are we secure” question  Provide a sustainable program framework  Provide consistency (staff and management) Externally  Establish accountability and assurance 5/15/2012 DIR Information Security Forum 22
  • 23. Where Can thethe Bridge Where Can Bridge Take Us? Take Us? Outsource Providers  Trust but VERIFIED  To the cloud on more than a wing and prayer Security Product Vendors  Ingredients and functions of security program (Silver Bullets and Assorted Fairy Tales) 5/15/2012 DIR Information Security Forum 23
  • 24. Summary There is a gap in the perception of security and the reality of what is provided It takes a lot of effective activities that come at a cost to narrow the gap Articulating the size of the gap is difficult Closing the gap with truth and fact is costly, but absolutely necessary 5/15/2012 DIR Information Security Forum 24
  • 25. About… Capitol of Texas ISSA The preeminent trusted global information security community http://www.austinissa.org @austinissa COMMUNITY -- KNOWLEDGE -- LEARNING -- CAREER HHSC HHSC oversees the operations of the health and human services system, provides administrative oversight of Texas health and human services programs, and provides direct administration of programs. $30B/Year - 200 programs - 56,000 Employees – 1,000 locations - 5 agencies Serving the citizens of Texas Teach Security, Teach Christ; Teach Security In Christ http://www.hackformers.org @hackformers 5/15/2012 DIR Information Security Forum 25
  • 26. Thank You! Questions? Contact Info: Brian.Engle@hhsc.state.tx.us @brianaengle 5/15/2012 DIR Information Security Forum 26
  • 27. Let’s start building some bridges. 5/15/2012 DIR Information Security Forum 27