Compliancy, Why Me? Living with the Compliance Staff, a BSOFH Guide. Michael Smith
Who is Michael Smith? 8 years active duty army; Graduate of Russian basic course, Defense Language Institute, Monterey, CA; DotCom survivor; Infantryman, deployed to Afghanistan (2004); CISSP #50247 (2003), ISSEP (2005); Former CISO, Unisys Federal Service Delivery Center; Currently a Manager in a Big Four Firm
Compliance is the arsenic and cyanide of the information security world! Source: Wikimedia Commons
Since it’s Election Week: How many of you hate compliance? How many of you love compliance? How many of you think “meh”? How many of you are out in the lobby?
But First, a Dramatization… Hi, I’m from the Compliance Team, I’m here to help!
But First, a Dramatization… And the Security Engineering Team is glad to have you here!
But First, a Dramatization… Here’s a report for you to look at on our current compliance status.
But First, a Dramatization… Wow, it’s big.
But First, a Dramatization… Your project is out of compliance with Section 15 of the FROBITZ Act of 1994.  This is troublesome!
But First, a Dramatization… First of all, what the hell does that mean?  And secondly…why should I care?
But First, a Dramatization… It means you have to fix it.
But First, a Dramatization… I can't do it—the YoyoDyne Frobulator is the only product that fits our needs.
But First, a Dramatization… But the rulebook says...
But First, a Dramatization… I’m not going to do it.  Besides, the rulebook was made by a bunch of old men who have no idea what technology is.
But First, a Dramatization… You suck and are a rogue cowboy
But First, a Dramatization… You suck and are a wannabe data center lawyer.
But First, a Dramatization… This guy is brain-damaged and I can’t work with him. We’ll never be secure now. This guy is brain-damaged and I can’t work with him. We’ll never be secure now.
Questions Who’s right? Who’s wrong? Are we doomed to forever live out this tragedy? Why can’t we all just *sniff* get along?
With compliance, you can  strong-arm people into doing your bidding. Source: Wikimedia Commons
The Problems with Compliance: Cost; Effectiveness; Complexity; Scope; Skillset Issues; Decision-makers are removed from the consequences of their decisions
My View of the World*: Each layer only knows the one above and below it; Traditional IT security focuses on the Enterprise and Project layers; Everything meets in the midddddddle!!! (*There will be a test later on this.)
The Gap in the Security Workforce
Compliance: Top-down; Focus on controls; Risk is many-leveled: “How much is enough?”; Tools focus on reporting/dashboards; Not Sexy
Technical/Operational: Bottoms-up; Focus on threat; Risk is binary: “did/will we get pwned or not?”; Tools focus on automation; Very Sexy
$8B Question: How do we bridge this gap?
Professor Rybolov Says I need more public-policy wonks who have technical and operational skills to understand their own framework and strategy and I need more techies who understand how to build viable regulatory schemes for sustainability of their tactical successes
Phrase of the Minute Direct and Indirect Costs
Phrase of the Hour Audit Burden
Phrase of the Day Commodity Service
Phrase of the Week Opportunity Costs
Phrase of the Month Leveling Effect
Phrase of the Year Regulatory Capture* *There will be a test later on this.
Regulatory Capture Examples: Cyberwar, Cyber-Katrina, Cybergeddon, Cyberpocalypse, Cyberdouchery; SANS 20 Critical Security Controls; WAFs and Automated Code Review
And a Quote for Free Compliance is a Self-Licking Ice Cream Cone --One of my favorite BSOFHs
Source: Wikimedia Commons So there isn’t any magic where we become ultra-compliant?
Compliance Exercise: Requirement SC-21: SECURE NAME / ADDRESS RESOLUTION SERVICE (RECURSIVE OR CACHING RESOLVER) Control: The information system performs data origin authentication and data integrity verification on the name/address resolution responses the system receives from authoritative sources when requested by client systems.  Source: SP 800-53
Compliance Exercise: BSOFH Answer Just use DNSSEC you n00blette!
WTF People? Why is this disconnect there?
Rybolov’s Law My solution is only as good as my auditor’s ability to understand it.
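The SC-21 exercise above asks for data origin authentication and integrity verification of DNS responses, and Rybolov’s Law says the answer is only as good as what the auditor can see. The following is an added example, not from the original deck: it parses the 12-byte DNS header a stub resolver receives and reports whether the upstream validating resolver marked the answer as authenticated (AD bit), which is the wire-level evidence behind “just use DNSSEC”. The sample headers are constructed inline; the function and status names are this example’s own.

```python
import struct

# DNS header flag bits (RFC 1035 / RFC 4035): QR, RD, RA, AD, CD, RCODE.
QR, RD, RA, AD, CD = 0x8000, 0x0100, 0x0080, 0x0020, 0x0010
RCODE_MASK = 0x000F
SERVFAIL = 2


def parse_header(msg: bytes) -> dict:
    """Decode the fixed 12-byte DNS header into named fields."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    return {
        "id": ident,
        "qr": bool(flags & QR), "rd": bool(flags & RD), "ra": bool(flags & RA),
        "ad": bool(flags & AD), "cd": bool(flags & CD),
        "rcode": flags & RCODE_MASK, "answers": an,
    }


def sc21_assessment(msg: bytes) -> str:
    """Classify a response the way an SC-21 evidence check would.

    Caveat: the AD bit is only trustworthy if the path to the validating
    resolver is itself trusted (localhost, or a channel the client
    authenticates); a spoofed resolver can set AD on anything.
    """
    h = parse_header(msg)
    if not h["qr"]:
        return "not-a-response"
    if h["cd"]:
        return "checking-disabled"      # client asked the resolver not to validate
    if h["rcode"] == SERVFAIL:
        return "servfail"               # what a validating resolver returns for bogus data
    if h["rcode"] == 0 and h["ad"]:
        return "validated"              # origin authentication + integrity confirmed
    return "unvalidated"                # answer arrived, but nobody vouched for it


def build_header(flags: int, an: int = 1, ident: int = 0x1234) -> bytes:
    """Constructed sample header: one question, `an` answers, no authority/additional."""
    return struct.pack("!6H", ident, flags, 1, an, 0, 0)


# Constructed samples: 0x81A0 = QR|RD|RA|AD, 0x8180 = QR|RD|RA, 0x8182 adds RCODE=2.
VALIDATED_RESPONSE = build_header(0x81A0)
UNVALIDATED_RESPONSE = build_header(0x8180)
BOGUS_RESPONSE = build_header(0x8182, an=0)
```

Pointing the same check at a resolver that never sets AD is the quickest way to show the gap between “we run DNSSEC” and a control that is actually met.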
Compliance Truthiness: One Framework does not rule them all; You can’t anticipate every single scenario; The rules don’t always apply; If you deviate from the rules, audit burden will kill you; You have to interpret what the regulatory framework says
And More Importantly Compliance is awesome if it’s your rules!
The more non-compliant you are, the more we can forgive you for! Source: Wikimedia Commons
Revisiting an Issue The key problem with compliance as a concept is that the decision-makers are removed from the consequences of their decisions.
What my First Sergeant Told Me: “There are only 3 leaders in the Army: Team Leader, Squad Leader, and Platoon Leader. Everybody else is just support.”
UR Doing it Wrong When it comes to security, who is the customer here and who is support? Where is the groundswell from the bottom looking for support?
Protip: Self-Regulation is the Shizzle! Be careful what you ask for in regulation and laws, you just might get it. PCI-DSS sucks, but would you rather have the Government telling you how to do it? Committees suck, but at least the output is somewhat palatable. Having a small voice sucks, but it’s better than no voice at all. If you don’t participate, you become bound by other peoples’ rules.
Remember This One? Regulatory Capture
The Road Ahead: Bridge the 2 worlds and heal the rift; Fix what you can at your level; Bring the smart people together; Build community standards that give you the support that you need; Tell the higher layers that you have the situation under control; ???; Profit!
Source: Wikimedia Commons Compliancy: it’s not so bad after all as long as you’re driving the oxcart!
Questions, Comments, or War Stories? http://www.guerilla-ciso.com/   rybolov(a)ryzhe.ath.cx

Dojo Con 09


Editor's Notes

  • #2 The following presentation contains insights and opinions gathered from over 15 years of combined experience in the government INFOSEC space. It’s interspersed with some humor – security presentations can be pretty dry without it. We hope that this presentation will provide you with the impetus to reemphasize security within your organization, and feel good about doing so. The subtitle means “Automatic, Practical, Good!” and is a play on the Ritter Sport tagline “Quadratisch, Praktisch, Gut!” which translates as “Square, Practical, Good!” http://www.ritter-sport.de/
  • #3 Mike’s blog is at http://www.guerilla-ciso.com/ Mike teaches for Potomac Forum http://www.potomacforum.org/ Contact information for Mike is at the end of this presentation.
  • #6–#18 Artwork by Melanie Smith
  • #48 If you would like us to speak for your event or group, please ask. If you would like to learn more and to keep up-to-date on groundbreaking Government security news, subscribe to the guerilla-ciso blog feed. Presentation released under the Creative Commons Attribution-NonCommercial-ShareAlike 3.0 License. More information available at http://creativecommons.org/licenses/by-nc-sa/3.0/