Security BSides Atlanta - "The Business Doesn't Care..."

The Business Doesn’t Care …and its your fault.Rafal Los – „Wh1t3Rabbit“ – Enterprise & Cloud Security Strategist – HP SoftwareSecurity BSides Atlanta© Copyright 2011 Hewlett-Packard Development Company, L.P. The informationcontained herein is subject to change without notice. Confidentiality label goes here

“Security” is estranged from businessWhy?A vast amount of IT Security professionals are distant from their business.• Why is this? –what are some of the reasons you think this is true?• What are the results? –what are some of the observed results?3 © Copyright 2011 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. Confidentiality label goes here

Define Risk 1. First definition 2. Second definition 3. Third definition7 © Copyright 2011 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. Confidentiality label goes here

DefineVulnerability 1. First definition 2. Second definition 3. Third definition8 © Copyright 2011 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. Confidentiality label goes here

Security IS part of the business. …but what does that mean, really?• Is your CISO/CSO on the executive board of the company?• Does your CISO/CSO have executive power? • …what does this mean?10 © Copyright 2011 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. Confidentiality label goes here

Relating Security <> Business What are the 3 of your company’s board- level goals for the next fiscal year? 1. Goal 1 2. Goal 2 3. Goal 311 © Copyright 2011 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. Confidentiality label goes here

The bridge between Security | Business is out.12 © Copyright 2011 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. Confidentiality label goes here

We speak “security talk” vulnerabilities SQL Injection, XSS, … 0-day attacks hacking critical, high, medium…13 © Copyright 2011 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. Confidentiality label goes here

“The business” speaks a different language Leveraged risks Business exposuresCost of capital Velocity of change Shareholder value14 © Copyright 2011 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. Confidentiality label goes here

Driving off the risk/reward cliff …blind15 © Copyright 2011 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. Confidentiality label goes here

No what? How do you succeed?• “Speak business language” • cliché …but how?• How do you relate IT risks to business risks?17 © Copyright 2011 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. Confidentiality label goes here

Get to know your businessGet to know your business • what does your company really do? • what does your board care about? • what gets your CEO his or her bonus? • what do analysts say about your company? • what do your customers care (or not) about?What are your company’s business exposures, risks? • what are your market risks from doing business? • what are your critical business exposures? • how can the CISO/CSO help mitigate those issues?18 © Copyright 2011 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. Confidentiality label goes here

How can we relate IT to business ‘security’? How would you convince your CEO that a SQL Injection vulnerability can sink their shareholder value?19 © Copyright 2011 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. Confidentiality label goes here

Security Ops vs. Security Strategy Security Operations (SecOps) Security Strategy • Operational security group • IT “risk” advisory consulting • Traditional firewall controls • Align to risk management, legal • Day-to-day security technology • Review, relate, advise the business VS • Not a separate IT unit (“security”) • Independent, small, agile group • Infused into operational IT groups • Report into CRO, CFO • server management • eliminate conflict of interest • network management • get “closer to the business” • desktop management21 © Copyright 2011 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. Confidentiality label goes here

It is possible to do both “Serve the business” Reduce IT vulnerabilities22 © Copyright 2011 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. Confidentiality label goes here

Thanks for learning something. Follow me on Twitter: @Wh1t3Rabbit Read my blog: hp.com/go/white-rabbit Listen to the podcast: podcast.wh1t3rabbit.net (or iTunes) Discuss on LinkedIn:23 © Copyright 2011 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. Confidentiality label goes here Join the ‘SecBiz’ group

Security BSides Atlanta - "The Business Doesn't Care..."

by Rafal Los

Accessibility

Categories

Upload Details

Usage Rights

3 Embeds 5

Statistics