Antonio Ramos – Agilidad. La vía a la seguridad [Rooted CON 2014]


  1. Rooted CON 2014, 6-7-8 Marzo // 6-7-8 March. Agile. The way to security. Antonio Ramos
  3. Table of contents: (1) Risk analysis? Analysis? Are you serious? (2) Risk in complex environments. (3) Agility applied to risk management.
  4. RISK ANALYSIS? ANALYSIS? ARE YOU SERIOUS?
  5. What the f*$k?
  6. Risk Management Planning; Risks Identification; Qualitative Risk Analysis; Quantitative Risk Analysis; Risk Response Planning; Risks Control and Monitoring
  7. Risk Management Planning; Risks Identification; Qualitative Risk Analysis; Quantitative Risk Analysis; Risk Response Planning; Risks Control and Monitoring
  8. "But if we have never carried out a plan of this kind before, or worked in this kind of setting before, how successful can we be in anticipating all the risks?"
  9. "When we look at projects that failed, the most devastating risk factors often turn out to be things no one expected or was even thinking about."
  13. Risk Management Planning; Risks Identification; Qualitative Risk Analysis; Quantitative Risk Analysis; Risk Response Planning; Risks Control and Monitoring
  16. BIASES: Combining probabilities; Base rate error; Anchoring; Overconfidence; Availability; Confirmation; Categorization – Law of large numbers; Representativeness
  21. Yearly death number per 200 million people, estimated vs. real: Twister 564 / 90; Fireworks 160 / 6; Asthma 506 / 1886; Drowning 1684 / 7380
  23. 8 × 7 × 6 × 5 × 4 × 3 × 2 × 1 vs. 1 × 2 × 3 × 4 × 5 × 6 × 7 × 8
  30. C X C X C X C X C X C X C X C C X C X X C X X X C C C X
  31. You'll like your job; You'll own your own home; You'll travel to Europe; You'll go five years without a night in the hospital; You'll have an alcohol problem; You'll get divorced; You'll get a sexually transmitted disease; You'll have gum problems
  32. Risk Management Planning; Risks Identification; Qualitative Risk Analysis; Quantitative Risk Analysis; Risk Response Planning; Risks Control and Monitoring
  36. Risk Management Planning; Risks Identification; Qualitative Risk Analysis; Quantitative Risk Analysis; Risk Response Planning; Risks Control and Monitoring
  40. Analysis? Are you serious?
  41. RISK IN COMPLEX ENVIRONMENTS
  42. Dave Snowden
  43. Complex, Complicated, Simple, Chaotic. Best practice: Sense – Classify – Respond. Good practice: Sense – Analyze – Respond. Emerging practice: Test – Sense – Respond. Novel practice: Act – Sense – Respond.
  44. Simple
  45. Sense – Classify – Respond
  47. Complicated
  48. Sense – Analyze – Respond
  49. PMBOK; PMI Practice Standard for Risk Management; SEI's SRE v2_0; ISO/IEC 16085 – 2006; ISO/IEC 27001
  50. Complex
  51. Probe – Sense – Respond
  55. Chaotic
  56. Act – Sense – Respond
  58. Complex, Complicated, Simple, Chaotic
  59. "Prioritize-and-reduce makes the most sense for well-ordered domains." "The calculate-and-decide approach to risk works best in well-ordered situations."
  60. "This is really the essence of doing risk management planning in agile: determining if we need to do it formally or if we should instead allow risk to be addressed organically as part of the overall process of constant inspection and adaptation."
  62. Traditional Risk Management will make us overconfident when we are in complex and ambiguous situations.
  63. If we enforce traditional RM practices in complex situations, we run the risk of imposing additional procedures and constraints that reduce flexibility.
  65. Near-misses
  67. Hypothesis; Arguments; Facts; Assumptions
  68. Formulate Hypothesis – Design Experiment – Obtain Data – Learn
  69. We need to develop resilience as a tactic for protecting ourselves against risk. We need to engage in Risk Management by Discovery.
  70. AGILITY APPLIED TO RISK MANAGEMENT
  72. In Agile, the way of addressing risk is built organically into the Agile Values, Principles and Practices.
  73. Scrum; XP; Crystal Clear; DSDM; FDD
  74. Plan A; Plan B; Plan C
  77. Original target ? Original target → New target
  78. Original target ? → New target → New target → New target → New target
  79. Original target → New target → New target → New target → New target → New target → New target → New target ?
  80. Apply – Inspect – Adapt
  90. "So, if the customer cancels the booking, are they entitled to a refund of the deposit?" "No, I'll tell you… What do you think? That they're going to keep my money? And they'll also have to send me an email confirmation that the cancellation is OK!" "Sure, but the customer will have to do it with some minimum notice, I'd say."
  95. Early detection; Immediate response; Quick exploitation
  96. 'Resilience'
  101. A VIABLE organization. Less controls: an AGILE organization. More controls: a SECURE organization.
  102. A VIABLE organization. Less controls: an AGILE organization. More controls: a SECURE organization. Early detection; Immediate response; Quick exploitation.
  103. A VIABLE organization; an AGILE organization; a SECURE organization; a RESILIENT organization
  108. Co-authors. This presentation is possible thanks to Mario López de Ávila and his work and research on agile entrepreneurship. ISACA blog, "Forget the impregnable fortress approach— it's time to adapt", http://goo.gl/NZuDU
  109. Contact: Mario López de Ávila, mario.lopezdeavila@nodos.es, @mariolopezdeavila, http://es.linkedin.com/in/lopezdeavila
  111. Contact: Antonio Ramos, antonio.ramos@enplusone.com, antonio.ramos@leetsecurity.com, @antonio_ramosga, http://es.linkedin.com/in/sorani
  112. Thank you!
