Security BSides Atlanta - "The Business Doesn't Care..."
This is my talk from Security BSides Atlanta ... the talk discusses how the disconnect between security and business keeps getting wider, why, and what to do about it.

Published in: Technology

Transcript

  • 1. The Business Doesn’t Care …and it’s your fault.
    Rafal Los – „Wh1t3Rabbit“ – Enterprise & Cloud Security Strategist – HP Software
    Security BSides Atlanta
    © Copyright 2011 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
  • 2. Follow me down the rabbit hole.
  • 3. “Security” is estranged from business. Why?
    A vast number of IT Security professionals are distant from their business.
      • Why is this? – what are some of the reasons you think this is true?
      • What are the results? – what are some of the observed results?
  • 4. This is an …
  • 5. And this is an …
  • 6. That was too easy …
  • 7. Define Risk
      1. First definition
      2. Second definition
      3. Third definition
  • 8. Define Vulnerability
      1. First definition
      2. Second definition
      3. Third definition
  • 9.
  • 10. Security IS part of the business. …but what does that mean, really?
      • Is your CISO/CSO on the executive board of the company?
      • Does your CISO/CSO have executive power?
          • …what does this mean?
  • 11. Relating Security <> Business
    What are 3 of your company’s board-level goals for the next fiscal year?
      1. Goal 1
      2. Goal 2
      3. Goal 3
  • 12. The bridge between Security | Business is out.
  • 13. We speak “security talk”: vulnerabilities, SQL Injection, XSS, … 0-day attacks, hacking, critical, high, medium…
  • 14. “The business” speaks a different language: leveraged risks, business exposures, cost of capital, velocity of change, shareholder value.
  • 15. Driving off the risk/reward cliff …blind.
  • 16. Oh …
  • 17. Now what? How do you succeed?
      • “Speak business language”
          • cliché …but how?
      • How do you relate IT risks to business risks?
  • 18. Get to know your business
      • what does your company really do?
      • what does your board care about?
      • what gets your CEO his or her bonus?
      • what do analysts say about your company?
      • what do your customers care (or not) about?
    What are your company’s business exposures and risks?
      • what are your market risks from doing business?
      • what are your critical business exposures?
      • how can the CISO/CSO help mitigate those issues?
  • 19. How can we relate IT to business ‘security’?
    How would you convince your CEO that a SQL Injection vulnerability can sink their shareholder value?
  • 20. Ultimately “IT Security” will evolve.
  • 21. Security Ops vs. Security Strategy
    Security Operations (SecOps):
      • Operational security group
      • Traditional firewall controls
      • Day-to-day security technology
      • Not a separate IT unit (“security”)
      • Infused into operational IT groups
          • server management
          • network management
          • desktop management
    VS
    Security Strategy:
      • IT “risk” advisory consulting
      • Align to risk management, legal
      • Review, relate, advise the business
      • Independent, small, agile group
      • Report into CRO, CFO
          • eliminate conflict of interest
          • get “closer to the business”
  • 22. It is possible to do both: “Serve the business” and reduce IT vulnerabilities.
  • 23. Thanks for learning something.
    Follow me on Twitter: @Wh1t3Rabbit
    Read my blog: hp.com/go/white-rabbit
    Listen to the podcast: podcast.wh1t3rabbit.net (or iTunes)
    Discuss on LinkedIn: Join the ‘SecBiz’ group