5 Things CFOs Need to Know About Enterprise Security - HP CFO Summit 2013

  • 508 views
Uploaded on

The Chief Financial Officer (CFO) plays a critical role in Enterprise Security - but rarely gets a direct glimpse at some of the challenges, and no-frills realities of the challenge of defending an …

The Chief Financial Officer (CFO) plays a critical role in Enterprise Security - but rarely gets a direct glimpse at some of the challenges, and no-frills realities of the challenge of defending an enterprise. This talk provides 5 key take-aways for CFOs.

More in: Technology , Business
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Be the first to comment
No Downloads

Views

Total Views
508
On Slideshare
0
From Embeds
0
Number of Embeds
2

Actions

Shares
Downloads
0
Comments
0
Likes
1

Embeds 0

No embeds

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
    No notes for slide

Transcript

  • 1. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. Enterprise Security and the CFO Five things you need to know Rafal Los, Principal – Strategic Security Services HP ES June 5th, 2013
  • 2. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.2 Enterprise Security is a boardroom topic.
  • 3. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.3 “Enterprise Security” in transition
  • 4. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.4 From a ‘blunt tech instrument’..
  • 5. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.5 ..to a strategic business asset.
  • 6. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.6 CFOs aren’t the enemy
  • 7. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.7 I know a little about this-
  • 8. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.8 From SMB to Fortune 50
  • 9. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.9 CFOs should understand security
  • 10. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.10 CFOs should support security
  • 11. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.11 But…
  • 12. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.12 Security poses a challenge
  • 13. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.13 of breaches are reported by a 3rd party94%
  • 14. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.14 average time to detect breach 416days 2012 January February March April May June July August September October November December 2013 January February March April
  • 15. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.15 71% Since 2010, time to resolve an attack has grown
  • 16. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.16 Arming the CFO for reality
  • 17. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.17 First-
  • 18. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.18 A breach event is imminent
  • 19. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.19 <uncomfortable silence>
  • 20. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.20 This is an uncomfortable reality
  • 21. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.21 Many have tried to be ‘secure’
  • 22. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.22 All eventually fail.
  • 23. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.23 $64,000.00 question: Why?
  • 24. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.24 Every new ‘thing’ …
  • 25. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.25 ..can pose a threat
  • 26. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.26 ..can contain a vulnerability
  • 27. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.27 This isn’t a solvable problem…
  • 28. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.28 ..detection is not perfect
  • 29. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.29 ..compromises must be made
  • 30. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.30 ..risk can never be eliminated.
  • 31. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.31 Humans will always be a weakness
  • 32. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.32 You can not demand ‘secure’.
  • 33. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.33 Second-
  • 34. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.34 Prevention is producing diminishing returns
  • 35. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.35 75% budget on network security
  • 36. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.36 84% breaches at application level
  • 37. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.37 This should tell us something
  • 38. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.38 WhathappensWHENyou’re breached
  • 39. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.39 Re-assess security budget
  • 40. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.40 What to focus on now?
  • 41. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.41 Detection of malice, or attack
  • 42. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.42 Find the attacker within, earlier
  • 43. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.43 Understand the attack, sooner
  • 44. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.44 Response to an incident
  • 45. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.45 More than just technology!
  • 46. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.46 Legal, PR, marketing – response
  • 47. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.47 “What do you do then?” Hint: Panic is not an option.
  • 48. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.48 Processes need to be built
  • 49. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.49 People need to be trained
  • 50. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.50 Mock scenarios must be run
  • 51. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.51 Yes, technology is needed
  • 52. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.52 Efficiency of response is critical
  • 53. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.53 Detected, Responded, now..
  • 54. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.54 Service recovery/restoration
  • 55. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.55 Restore business processes
  • 56. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.56 Bring back critical systems
  • 57. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.57 BUT – they have to be ‘fixed’ first
  • 58. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.58 ( Lots of costs hidden here )
  • 59. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.59 Spend $ here before it happens
  • 60. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.60 Spend $$$ here after the fact
  • 61. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.61 The bottom line:
  • 62. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.62 Spend more on preparedness
  • 63. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.63 Third-
  • 64. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.64 Technology alone isn’t a solution aka “boxes don’t stop attackers”
  • 65. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.65 Don’t forget the people!
  • 66. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.66 The general cycle of products-
  • 67. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.67 1. Architect a solution
  • 68. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.68 2. Purchase the solution
  • 69. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.69 3. Install the solution
  • 70. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.70 4. Done?
  • 71. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.71 This is where the real work starts
  • 72. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.72 Have you integrated?
  • 73. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.73 Have you operationalized?
  • 74. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.74 How do you respond to red lights?
  • 75. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.75 Fourth-
  • 76. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.76 Bigger budget may mean less effective security
  • 77. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.77 How is that possible?
  • 78. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.78 More stuff = better security
  • 79. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.79 Right?
  • 80. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.80 Not if you don’t operationalize
  • 81. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.81 Simple example-
  • 82. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.82 An analyst has finite capability
  • 83. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.83 If 1 analyst can do 1 task effectively
  • 84. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.84 They can do 2 tasks less effectively
  • 85. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.85 ..and 5 tasks poorly.
  • 86. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.86 Gets worse from there down.
  • 87. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.87 But this is what enterprises ask!
  • 88. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.88 Howisyourenterprisemost effective?
  • 89. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.89 Technology should enable
  • 90. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.90 Technology should adapt to people
  • 91. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.91 NOT people adapting to technology
  • 92. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.92 Fifth-
  • 93. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.93 You, Hackers motivated similarly
  • 94. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.94 Hackers want it.
  • 95. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.95 You try to spend it wisely.
  • 96. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.96 This gives us insight!
  • 97. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.97 So how do you win?
  • 98. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.98 Increase the attacker’s costs
  • 99. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.99 Play their game, on your terms.
  • 100. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.100 As the CFO you have a responsibility
  • 101. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.101 Empower your security organization
  • 102. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.102 Provide strategic financial guidance
  • 103. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.103 Not just $pending capital.
  • 104. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.104 Talk to me for more information…
  • 105. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.105 HP can help you fight smarter.
  • 106. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.106 . Rafal Los Principal, Strategic Security Services HP Enterprise Security Services Member “HP Cloud Advisors” http://h18004.www1.hp.com/products/solutions/cloud_advisors/index.html Cloud Security Alliance OWASP (Open Web Application Security Project) 10+ year Information Security industry veteran Security generalist to Business Security Leader Blogger, speaker Email: Rafal@HP.com Phone: +1 (404) 606-6056 Skype: Wh1t3Rabbit
  • 107. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. Thank you