Balancing deployment of emerging technologies with legacy ecosystems is a challenge when IT is constantly bombarded with new threats, regulations and the seemingly endless “fix it now” issues of cybersecurity. Chevron’s road to cybersecurity maturity included developing a flexible approach to build a strong foundation based on long-term research with new agility to adapt to emerging threats. (Source : RSA Conference USA 2017)

1. SESSION ID:SESSION ID:
#RSAC
Gretchen Myers
From Vision to Reality: Delivering
Emerging Cyber Technologies
Effectively
TECH-T10
Lead, Security Strategy and Emerging Technologies
Chevron Corporation
© 2017 Chevron. This document is intended only for use by Chevron for presentation at the RSA® Conference February 13-17, 2017.
No portion of this document may be copied, displayed, distributed, reproduced, published, sold, licensed, downloaded,
or used to create a derivative work, unless the use has been specifically authorized by Chevron in writing.

2. The challenge…

3. …the stakes

5. #RSAC
Evergreen Strategy Management
5
Innovation Queue
Business Function/
Technology Domains
Master Cybersecurity Strategy
Life-cycle & GovernanceTrack Component Stages Roadmap
Review & Refreshed annually with portfolio planning.
External
•Research
•Vendors
•Universities
•Partnerships
•Analyst Services
Internal
•Business Strategy
•IT Strategy
•IT Strategists,
Technology Experts
& Architecture
Leaders
Influences
Focus Areas
Technology Qualification Process

6. #RSAC
TDS Name Description
1 Initiation Basic principles observed and reported
2 Concept
Technology concept and/or application
formulated
3
Proof of
Concept
Analytical and experimental critical funcitons
and/or characteristic proof of concept
4 Integration
Component and/or bench configured sub-
system validation in laboratory environment
5 Demonstration
Component and/or bench configured sub-
system validation in relevant ‘real world’
environment
6 Prototype
System/sub-system model or prototype
demonstration in a relevant environment
7 Pre-production
System prototype or demonstration in the
intended operating conditions and
environment
8 Production
Acutal system completed and qualified thorugh
test and demonstration in realistic operating
environments
9 Field Proven
Actual system(s) proven thorugh successful
field operations
Chevron’s Technology Qualification Process

7. #RSAC
Slow Road: Cybersecurity Advanced Analytics
7
• Chevron has encouraged strategic
research in data science, modeling
and analytics for almost a decade
• CISO recognized the need for
analyzing large volumes of data
effectively and approved a project to
develop data science and advanced
analytics capability
• Last 2 years have been working on
transitioning the emerging research
into an operational environment

8. #RSAC
Cybersecurity Data Science/Big Data Platform
exploration
è early adopters
•no standards
•proof of concept
standardization
è defining/refining
•standards selection
•targeted pilots
initial build
è deployment
•production platform
•continue research
research lab production
2016-17
hadoop / cloudera
data acquisition and provisioning
advanced analytics
visualization
analytics
big data

9. #RSAC
Fast Lane: Cloud Security
9
• Cloud services are so easy to use – a
credit card and a click to accept Terms
and Conditions
• Cloud security was identified as an
area of focus in early 2015
• At the same time, IT strategy began to
focus on adopting cloud services
creating a sense of urgency

10. #RSAC
Discovering Existing Usage and Risk Exposure
Executed simultaneous threads of discovery and analysis in 2015/2016
Ø Enterprisewide
view of usage and
risk exposure
Ø Recommended
monitoring
solutions
identify
Cloud
Access
Security
Brokers
compare
test results
and
recommend
best product
analyze
results and
prepare
stakeholder
reports
Understand current usage of
infrastructure and platform
services
Prepare
report on
overall
cloud usage
& projected
risks

11. #RSAC
Discovery Results as of December 2016
8356
Discovered Services
7067
Filtered Services
400
Services in Registry
107
Active Services
(In Registry)
Risks Reviewed Service 1 Service 2 Service 3 Service 4 Service 5 Service 6 Service 7 Service 8
Service Has Known
Vulnerabilities & Exploits
3 3 3 3 3 3 3 3
Ownership of uploaded
data
3 0 0 3 0 3 3 3
Timely Data Purge
on Customer Departure
0 0 0 2 0 3 3 3
Personal Info Shared with
3rd Parties
0 0 0 0 0 0 0 3
Third-party
Cookies
0 0 0 0 0 0 0 0
Data Center
Is Certified
3 3 0 3 0 3 3 3
Data Encrypted
In transit
3 3 3 3 3 3 3 3
Data Encrypted
At Rest
3 0 0 3 3 3 3 3
Role-based Authentication 3 0 0 3 0 3 3 3
Rating Score
Positive 3
Not Yet Determined 2
Negative 0
Enterprise Risk Analysis of Significant Cloud Services

12. #RSAC
Challenges
12
Data management and data quality
continue to consume significant effort to
address
Finding the right mix of technologists and
data scientists is a challenge because few
individuals have the full range of skills
including cybersecurity, software
development and data science
If not building completely within the cyber
function, then be very clear on
dependencies with other parts of the
organization
Fast Lane
With a fast moving target, decisions
need to be made quickly, but also
carefully documented
When evaluating vendors, strategic
roadmaps matter – how they align with
your plans, and how much can you rely
on the vendor to execute as planned
When evaluating the tradeoffs,
understand what you can fix and what
you can’t – i.e. embrace the serenity
prayer
Slow Road

13. #RSAC
Lessons Learned
13
Engage your critics - skeptics can be your best resource to combat tunnel vision
Listen to the concerns and let them ask the hard questions
… a common language is crucial to working with your extended community
… nothing undermines credibility more than misinterpretations of results
Embrace failure and capture the lessons learned
Emerging technology is often too narrowly focused or too broadly applied to be successful – find the
niche that works and go from there
… investment in a PoC or pilot does not mean you are obligated to the vendor to buy their product
… implementing a solution does not mean you have to ‘justify the investment’ with an extended
installation
Frame the problem you need to solve and stick to it
Short term gap to fill or long term vision to build?
Update legacy technology or find opportunity to insert the emerging solution?

14. #RSAC
Apply What You Have Learned Today
14
Next week:
Identify internal or industry processes devoted to innovation, research and
development
If none exist for your organization – define at least two opportunities to foster
innovation on your team
In the first month following this presentation:
Curate your favorite sources of information into a library of resources to facilitate
identifying trends, sharing thoughts, and challenging assumptions
Develop a consistent language for the “fuzzy front end” across your team
Within six months:
Define a vision for innovation that accommodates the practical issues that face
your organization today
Extend your resource library and consistent language out to your extended teams

16. #RSAC
Questions?
Gretchen Myers
email: gmyers@chevron.com