Ten Information Security Principles to Live (or Die) By

The presentation slides delivered by Evan Francen (FRSecure president) to Secure360 attendees on May 9th, 2012. The ten principles are:

1. A business is in business to make money.
2. Information security is a business issue.
3. Make information security fun.
4. People are the most significant risk.
5. "Compliant" and "Secure" are different.
6. There's no common sense in information security.
7. Secure is relative.
8. Information security should enable business.
9. Information security is not one-size-fits-all.
10. There is no "easy button".

The presentation was very well-received, and we sincerely thank all who attended!


  1. WELCOME TO SECURE360 2012
     Did you remember to scan your badge for CPE Credits? Ask your Room Volunteer for assistance. Please complete the Session Survey front and back (this is Room 12), and leave on your seat. Note: “Session” is Tuesday or Wednesday. Are you tweeting? #Sec360
  2. BEFORE WE GET STARTED
     • This is not your typical presentation.
     • What you have to say is as important as what I am going to tell you.
     • You are encouraged to participate!
     10 Information Security Principles to Live (or die) By. Speaker: Evan Francen, FRSecure, www.frsecure.com
  3. SPEAKER – EVAN FRANCEN, CISSP, CISM
     • President & Co-founder of FRSecure
     • 20 years of information security experience
     • Security evangelist with more than 700 published articles
     • Experience with 150+ public & private organizations
  4. SPEAKER – EVAN FRANCEN, CISSP, CISM
     NOT ME, BUT KIND OF
  5. ABOUT FRSECURE
     • Information security consulting company – it’s all we know how to do.
     • Established in 2008 by people who have earned their stripes in the field.
     • We help small to medium sized organizations solve information security challenges.
  6. HOW DO “NORMAL” PEOPLE FEEL?
     About information security…
  7. TEN INFORMATION SECURITY TRUTHS
     Nothing earth-shattering, but too often forgotten by those of us in the industry. The “rules of the game.”
  8. #1 – A BUSINESS IS IN BUSINESS TO MAKE MONEY
     • Some risks are worth taking
     • Not all risks require remediation
     • All information security expenses need justification
     • There is no ROI in information security, right?
  9. #2 – INFORMATION SECURITY IS A BUSINESS ISSUE
     • It is NOT an IT issue!
     • Executive management probably doesn’t need the detailed specs of your new NGFW
     • Executive management does need to be aware of strategic direction and the most significant risks
     • Ultimately, it’s executive management that’s responsible
  10. #3 – INFORMATION SECURITY IS FUN
     • That’s right, we said FUN!
     • Information security is more effective if people enjoy it.
     • Look for opportunities to make information security fun
     • Laugh at yourself sometimes (not always at others)
     • We can be serious AND fun. They don’t have to be exclusive.
  11. #3 – INFORMATION SECURITY IS FUN
     Fun like this?
  12. #3 – INFORMATION SECURITY IS FUN
     Or this…
  13. #3 – INFORMATION SECURITY IS FUN
     Not this…
  14. #3 – INFORMATION SECURITY IS FUN
     Or this…
  15. #4 – PEOPLE ARE THE BIGGEST RISK
     • It’s not the technology
     • Change the culture of the business
     • Training & awareness is critical
     • Personalize information security
  16. #4 – PEOPLE ARE THE BIGGEST RISK
     Risky?
  17. #4 – PEOPLE ARE THE BIGGEST RISK
     “An employee at a car dealership who was authorized to view Minnesotans’ vehicle data allegedly shared his login information with a friend working at a vehicle repossession company, leading to unlawful data access that could affect about 3,700 people, the state said Friday, April 27.”
  18. #4 – PEOPLE ARE THE BIGGEST RISK
     1. Why was this guy running in the first place?
     2. Has this guy been here before?
     3. Uh sir, you dropped your gun!
  19. #5 – “COMPLIANT” AND “SECURE” ARE DIFFERENT
  20. #6 – THERE IS NO COMMON SENSE IN INFORMATION SECURITY
     • What makes perfect sense to you probably doesn’t make perfect sense to everyone else.
     • Users feel justified in their actions.
     • Try to see the world the way they see it.
  21. #7 – “SECURE” IS RELATIVE
     • Have you ever been asked “Are we secure?” or “Are you secure?”
     • We can only answer “how” secure we are
     • Find metrics that you can measure:
       - CVSS scoring for technical vulnerabilities
       - Gap analysis
     • Without measurement you don’t know
  22. #8 – INFORMATION SECURITY SHOULD DRIVE BUSINESS
     • We have a bad rap for getting in the way of business, and for being a cost center.
     • What opportunities does information security have for enabling business and adding to the bottom line?
     • Information security objectives must align with business objectives.
     • You won’t succeed unless you engage with key business process owners.
  23. #9 – INFORMATION SECURITY IS NOT ONE SIZE FITS ALL
     • What works for one may not work for another:
       - Policies
       - Technologies
       - Compliance
     • Information security is a custom solution
  24. #10 – THERE IS NO “EASY BUTTON”
     WHAT, you mean that I can’t buy a solution to solve all my information security problems?!
     • Don’t sacrifice fundamentals for ease
     • Information security is work, sorry.
  25. THE TEN PRINCIPLES
     1. A business is in business to make money.
     2. Information security is a business issue.
     3. Make information security fun.
     4. People are the most significant risk.
     5. “Compliant” and “Secure” are different.
  26. THE TEN PRINCIPLES
     6. There’s no common sense in information security.
     7. Secure is relative.
     8. Information security should drive business.
     9. Information security is not one size fits all.
     10. There is no “easy button”.
  27. THANK YOU!
     Questions? Comments?
     Evan Francen, FRSecure LLC, evan@frsecure.com, 952-467-6384
