
Akamai CSO Andy Ellis Keynotes RSA Conference 2013

View Andy's keynote slides or watch the video at the end: Mind over Matter: Managing Risk with Psychology Instead of Brute Force

Learn more about Kona Security Solutions: http://www.akamai.com/html/solutions/kona-solutions.html

Learn more about Akamai's presence at RSA Conference 2013: http://www.akamai.com/html/ms/rsa_conference_2013.html

Published in: Technology

  1. Mind over Matter. Andy Ellis, Chief Security Officer. @csoandy #RSAkamai
  2. The Problem: A Typical Business Risk Conversation
     Business Owner: Here is my project. Is it safe?
     Security: Here’s our ISO 27002 checklist of every mistake anyone’s ever made. Prove you haven’t.
     Business Owner: That’s really long. Can you fill it out for me?
     Security: Sure. You have a bunch of esoteric risk here.
     Business Owner: Really? Is that a showstopper?
     Security: If I say yes, you’re going to override me, aren’t you? And if I say no, I’m in trouble if this goes wrong...
  3. The Goal: Increasing Value
  4. Steady State: Security Value Balances Perceived Risk (chart labels: SECURITY VALUE, PERCEIVED RISK). Low perceived risk leads to lower resource investment! Low perceived capability leads to lower perceived risk!
  5. Peltzman Effect: What your organization thinks it can get away with. Organizations don’t think: People do.
  6. What Do Organizations Consider Risk? (title annotations: "People", "Lizards")
     Business Owner: Is my P/L good? Will I gain market share?
     CEO: Is this profitable?
     Sales: Can I meet my quota with this?
     CFO: Is this a good allocation of resources?
     Employees: Will I have a job?
     Security: Is this safe?
  7. Set-Point Theory Of Risk Tolerance (chart labels: SECURITY VALUE, PERCEIVED RISK)
  8. Unmitigated Risk Psychosis (chart labels: SECURITY VALUE, PERCEIVED RISK, ACTUAL RISK*). *not actually actual risk. Attempts to leave residual risk may result in new risk budgets!
  9. Training Lizards (chart labels: SECURITY VALUE, PERCEIVED RISK, ACTUAL RISK*). Risk Management can be trained like any other muscle.
  10. Where Is Your Residual Risk?
     Business Owner: Competitors are gaining. Have to move faster!
     CEO: Products A & B are high risk. C should be safer.
     Sales: That last product didn’t sell. I’ll sell something else.
     CFO: You came in over budget. Are your numbers accurate?
     Employees: This business is unprofitable. Update my resume!
     Security: Here’s our ISO 27002 checklist of every mistake anyone’s ever made. Prove you haven’t.
  11. Success: A Better Business Risk Conversation
     Business Owner: Here is my project. Is it safe?
     Security: I don’t know. Is it?
     Business Owner: Wait, what?
     Security: Here’s how to think about safety. Do you think your product is safe?
     Business Owner: Ummm.... Here’s my assessment of my risk. I think this is reasonably safe.
     Security: Great, glad to hear it. Can you fix those outliers in your next release?
  12. An Approach: How Do You Get Better?
  13. Takeaway: Improve Security Value. Goal of any security program: dv/dt > 0. Beating your head against the wall: focusing on increasing resources. Goal: dr/dt > 0. A good security program wants to create surplus. Goal: dc/dt > 0.
  14. Questions, Answers, and Pontifications. Andy Ellis, aellis@akamai.com, @csoandy, http://www.csoandy.com/