Security BSides Atlanta - "The Business Doesn't Care..."
This is my talk from Security BSides Atlanta ... the talk discusses how the disconnect between security and business keeps getting wider, why, and what to do about it.

    Presentation Transcript

    • Slide 1: The Business Doesn’t Care …and it’s your fault. Rafal Los – „Wh1t3Rabbit“ – Enterprise & Cloud Security Strategist – HP Software. Security BSides Atlanta. © Copyright 2011 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
    • Slide 2: Follow me down the rabbit hole.
    • Slide 3: “Security” is estranged from business. Why? A vast number of IT Security professionals are distant from their business.
      • Why is this? What are some of the reasons you think this is true?
      • What are the results? What are some of the observed results?
    • Slide 4: This is an …
    • Slide 5: And this is an …
    • Slide 6: That was too easy …
    • Slide 7: Define Risk
      1. First definition
      2. Second definition
      3. Third definition
    • Slide 8: Define Vulnerability
      1. First definition
      2. Second definition
      3. Third definition
    • Slide 9: (no text)
    • Slide 10: Security IS part of the business. …but what does that mean, really?
      • Is your CISO/CSO on the executive board of the company?
      • Does your CISO/CSO have executive power?
      • …what does this mean?
    • Slide 11: Relating Security <> Business. What are 3 of your company’s board-level goals for the next fiscal year?
      1. Goal 1
      2. Goal 2
      3. Goal 3
    • Slide 12: The bridge between Security | Business is out.
    • Slide 13: We speak “security talk”: vulnerabilities, SQL Injection, XSS, …, 0-day attacks, hacking, critical, high, medium…
    • Slide 14: “The business” speaks a different language: leveraged risks, business exposures, cost of capital, velocity of change, shareholder value.
    • Slide 15: Driving off the risk/reward cliff …blind.
    • Slide 16: Oh …
    • Slide 17: Now what? How do you succeed?
      • “Speak business language” – cliché …but how?
      • How do you relate IT risks to business risks?
    • Slide 18: Get to know your business.
      • What does your company really do?
      • What does your board care about?
      • What gets your CEO his or her bonus?
      • What do analysts say about your company?
      • What do your customers care (or not) about?
      What are your company’s business exposures and risks?
      • What are your market risks from doing business?
      • What are your critical business exposures?
      • How can the CISO/CSO help mitigate those issues?
    • Slide 19: How can we relate IT to business ‘security’? How would you convince your CEO that a SQL Injection vulnerability can sink their shareholder value?
    • Slide 20: Ultimately “IT Security” will evolve.
    • Slide 21: Security Ops vs. Security Strategy
      Security Operations (SecOps):
      • Operational security group
      • Traditional firewall controls
      • Day-to-day security technology
      • Not a separate IT unit (“security”)
      • Infused into operational IT groups: server management, network management, desktop management
      Security Strategy:
      • IT “risk” advisory consulting
      • Align to risk management, legal
      • Review, relate, advise the business
      • Independent, small, agile group
      • Report into CRO, CFO: eliminate conflict of interest, get “closer to the business”
    • Slide 22: It is possible to do both: “Serve the business” and reduce IT vulnerabilities.
    • Slide 23: Thanks for learning something. Follow me on Twitter: @Wh1t3Rabbit. Read my blog: hp.com/go/white-rabbit. Listen to the podcast: podcast.wh1t3rabbit.net (or iTunes). Discuss on LinkedIn: join the ‘SecBiz’ group.