Successfully reported this slideshow.
Your SlideShare is downloading. ×

WANTED – People Committed to Solving our Information Security Language Problem

Oct. 09, 2019
0 likes 227 views
Ad
Ad
Ad
Ad
Ad
Ad
Ad
Ad
Ad
Ad
Upcoming SlideShare
WANTED - People Committed to Solving Our Information Security Language Problem
WANTED - People Committed to Solving Our Information Security Language Problem
Loading in …3
×

Check these out next

Mind the gap
Roger Hagedorn
Data Security: What Every Leader Needs to Know
Roger Hagedorn
Cybersecurity Standards: The Open Group Explores Security and Ways to Assure ...
Dana Gardner
"Security on the Brain" Security & Risk Psychology Workshop Nov 2013
Adrian Wright
Keynote : CODE BLUE in the ICU! by Jeff Moss
CODE BLUE
Global CISO Forum 2017: How To Measure Anything In Cybersecurity Risk
EC-Council
Top 12 Threats to Enterprise
Argyle Executive Forum
Marcus Ranum on Bad Idea Zombies
David Strom
1 of 63 Ad

WANTED – People Committed to Solving our Information Security Language Problem

Oct. 09, 2019
0 likes 227 views

Download to read offline

Business

The information security industry is broken. It's our duty to fix it, and it starts with getting on the same page. The model isn't broken, but our application is. How do we apply the basics and fundamentals on a wider scale? It starts with defining a common language and a common approach. Next, make it all free.

The information security industry is broken. It's our duty to fix it, and it starts with getting on the same page. The model isn't broken, but our application is. How do we apply the basics and fundamentals on a wider scale? It starts with defining a common language and a common approach. Next, make it all free.

Business
Advertisement

Recommended

WANTED - People Committed to Solving Our Information Security Language Problem
Evan Francen
Keynote @ ISC2 Cyber Aware Dallas
Evan Francen
Harrisburg BSides Presentation - 100219
Evan Francen
How to Secure America
SecurityStudio
WANTED – People Committed to Solving our Information Security Language Problem
SecurityStudio
Managing Risk or Reacting to Compliance
Evan Francen
Cultivating security in the small nonprofit
Roger Hagedorn
Security initiatives here and down under
Roger Hagedorn
Advertisement

More Related Content

Slideshows for you (20)

Mind the gap
Roger Hagedorn
Data Security: What Every Leader Needs to Know
Roger Hagedorn
Cybersecurity Standards: The Open Group Explores Security and Ways to Assure ...
Dana Gardner
"Security on the Brain" Security & Risk Psychology Workshop Nov 2013
Adrian Wright
Keynote : CODE BLUE in the ICU! by Jeff Moss
CODE BLUE
Global CISO Forum 2017: How To Measure Anything In Cybersecurity Risk
EC-Council
Top 12 Threats to Enterprise
Argyle Executive Forum
Marcus Ranum on Bad Idea Zombies
David Strom
Evolving it security Threats and Solutions
University of Suffolk
Be More Secure than your Competition: MePush Cyber Security for Small Business
Art Ocain, MCSE, VCP, CCNA
2015 Atlanta CHIME Lead Forum
Carolyn Slade, MS-HIM
Stay Safe and Healthy with Computer Vision
Institute of Systems Science, National University of Singapore
Banning Whining, Avoiding Cyber Wolves, and Creating Warrior
Sandra (Sandy) Dunn
Jason Samide - State of Security & 2016 Predictions
centralohioissa
Tim Nolan
timnolan1961
Security First - Adam Baldwin
Adam Baldwin
Business-Critical Backup: Preparing for a Disaster
NetWize
Demonstrating Information Security Program Effectiveness
Doug Copley
Bad Advice Unintended Consequences and Broken Paradigms - Think && Act Differ...
Steve Werby
LIFARS - Financial Cybercrime
LIFARS
Mind the gap
Roger Hagedorn
Data Security: What Every Leader Needs to Know
Roger Hagedorn
Cybersecurity Standards: The Open Group Explores Security and Ways to Assure ...
Dana Gardner
"Security on the Brain" Security & Risk Psychology Workshop Nov 2013
Adrian Wright
Keynote : CODE BLUE in the ICU! by Jeff Moss
CODE BLUE
Global CISO Forum 2017: How To Measure Anything In Cybersecurity Risk
EC-Council

Similar to WANTED – People Committed to Solving our Information Security Language Problem (20)

Cyber security
Rishav Sadhu
Slide Deck - CISSP Mentor Program Class Session 1
FRSecure
Security Awareness Training Summary
SNP Technologies, Inc.
Quality in Cyber security Awareness
Fadi Abdulwahab
ISACA talk - cybersecurity and security culture
Craig McGill
Contextual Cyber Security for IoT
MONICA-Project
Microsoft power point closing presentation-greenberg
ISSA LA
Information Security is NOT an IT Issue
Evan Francen
Allianz Global CISO october-2015-draft
Eoin Keary
How to Spend Your Cloud Security Dollar
Hostway|HOSTING
Cybrary's navigating a security wasteland
Devendra kashyap
11 19-2015 - iasaca membership conference - the state of security
Matthew Pascucci
Managing Corporate Information Security Risk in Financial Institutions
Mark Curphey
Security For Free
gwarden
An Introduction To IT Security And Privacy In Libraries
Blake Carver
Joint Presentation on The State of Cybersecurity ('15-'16) & Third Party Cyb...
Rishi Singh
Assessing Your security
Legal Services National Technology Assistance Project (LSNTAP)
The Future of Advanced Analytics
Haystax Technology
Will there be an IT Risk Management 2.0?
Luke O'Connor
OSB50: Operational Security: State of the Union
Ivanti
Cyber security
Rishav Sadhu
Slide Deck - CISSP Mentor Program Class Session 1
FRSecure
Security Awareness Training Summary
SNP Technologies, Inc.
Quality in Cyber security Awareness
Fadi Abdulwahab
ISACA talk - cybersecurity and security culture
Craig McGill
Contextual Cyber Security for IoT
MONICA-Project
Advertisement

More from Evan Francen (17)

Managing Third-Party Risk Effectively
Evan Francen
Step Up Your Data Security Against Third-Party Risks
Evan Francen
Information Security & Manufacturing
Evan Francen
Simple Training for Information Security and Payment Fraud
Evan Francen
MHTA Social Engineering Presentation - 050917
Evan Francen
People. The Social Engineer's Dream - TechPulse 2017
Evan Francen
AFCOM - Information Security State of the Union
Evan Francen
TIES 2013 Education Technology Conference
Evan Francen
Mobile Information Security
Evan Francen
Information security challenges in today’s banking environment
Evan Francen
Information Security in a Compliance World
Evan Francen
Information Security For Leaders, By a Leader
Evan Francen
People are the biggest risk
Evan Francen
FRSecure's Ten Security Principles to Live (or die) By
Evan Francen
Meaningful Use and Security Risk Analysis
Evan Francen
An Introduction to Information Security
Evan Francen
FRSecure Sales Deck
Evan Francen
Managing Third-Party Risk Effectively
Evan Francen
Step Up Your Data Security Against Third-Party Risks
Evan Francen
Information Security & Manufacturing
Evan Francen
Simple Training for Information Security and Payment Fraud
Evan Francen
MHTA Social Engineering Presentation - 050917
Evan Francen
People. The Social Engineer's Dream - TechPulse 2017
Evan Francen

Featured (20)

Understanding Artificial Intelligence - Major concepts for enterprise applica...
APPANION
Four Public Speaking Tips From Standup Comedians
Ross Simmonds
Different Career Paths in Data Science
Roger Huang
How to Fortify a Diverse Workforce to Battle the Great Resignation
Aggregage
5 Tips for Embracing Change at Work
O.C. Tanner
Six Business Lessons From 10 Years Of Fantasy Football
Ross Simmonds
The Power of Gratitude
INSEAD
Irresistible content for immovable prospects
Velocity Partners
How To Build Amazing Products Through Customer Feedback
Product School
Bridging the Gap Between Data Science & Engineer: Building High-Performance T...
ryanorban
Intro to user centered design
Rebecca Destello
How to Master Difficult Conversations at Work – Leader’s Guide
Piktochart
How to Land that First Customer
Floown
How to think like a startup
Loic Le Meur
What to Upload to SlideShare
SlideShare
Be A Great Product Leader (Amplify, Oct 2019)
Adam Nash
Trillion Dollar Coach Book (Bill Campbell)
Eric Schmidt
APIdays Paris 2019 - Innovation @ scale, APIs as Digital Factories' New Machi...
apidays
A few thoughts on work life-balance
Wim Vanderbauwhede
Is vc still a thing final
Mark Suster
Understanding Artificial Intelligence - Major concepts for enterprise applica...
APPANION
Four Public Speaking Tips From Standup Comedians
Ross Simmonds
Different Career Paths in Data Science
Roger Huang
How to Fortify a Diverse Workforce to Battle the Great Resignation
Aggregage
5 Tips for Embracing Change at Work
O.C. Tanner
Six Business Lessons From 10 Years Of Fantasy Football
Ross Simmonds
Advertisement

Recently uploaded (20)

time value of money.ppt
ZSMusic
Amit Final PPT MJ.pptx
depakmechanical
Men's Gold Opal Rings.docx
Australian opalDirect
Cyberthreats in the Construction Industry
AmeliaKelly7
Brand Mgt.pdf
SunilPatel387007
Dog Trainers In Chennai.pdf
technest5
ppt of time.ppt
OmkarBhalerao21
Wshop Payroll & Compliance - Day 2 (1).pptx
AnuradhaSharma804421
Nelson Morales - Leradership development in the boardroom.docx
NelsonMorales88
bussness-idea.pptx
paramhimalaya
Accolade Sports Media - Explainer Deck.pptx
HassanMoore
ThirdPartyLegalNotices.doc
ChalilMansyur
Research in Innovative Management.pptx
EloizaFulay1
The Value of College- its Not Just Correlation By David Leonhardtt (1).pptx
AnatMarcus
The Five Types of Influencer influglue Canada.pdf
SandiKar2
The_Cost_of_Poor_Quality.pdf
MarinaSweidan1
how to make 1 million in 5 steps LOOK DESCRIPTION
MezoAyed
Branding.pdf
SunilPatel387007
Vídeos for motivation.
ValdinarCardoso
Sexton7e_Chapter 01.pptx
AnatMarcus
time value of money.ppt
ZSMusic
Amit Final PPT MJ.pptx
depakmechanical
Men's Gold Opal Rings.docx
Australian opalDirect
Cyberthreats in the Construction Industry
AmeliaKelly7
Brand Mgt.pdf
SunilPatel387007
Dog Trainers In Chennai.pdf
technest5

WANTED – People Committed to Solving our Information Security Language Problem

  1. 1. WANTED – People Committed to Solving our Information Security Language Problem Evan Francen, CEO, SecurityStudio
  2. 2. IMPORTANT! Before I get started… • The World Health Organization states that over 800,000 people die every year due to suicide, and that suicide is the second leading cause of death in 15-29-year-olds. • 5 percent of adults (18 or older) experience a mental illness in any one year • In the United States, almost half of adults (46.4 percent) will experience a mental illness during their lifetime. • In the United States, only 41 percent of the people who had a mental disorder in the past year received professional health care or other services. • https://www.mentalhealthhackers.org/resources-and-links/
  3. 3. IMPORTANT! Before I get started… • The World Health Organization states that over 800,000 people die every year due to suicide, and that suicide is the second leading cause of death in 15-29-year-olds. • 5 percent of adults (18 or older) experience a mental illness in any one year • In the United States, almost half of adults (46.4 percent) will experience a mental illness during their lifetime. • In the United States, only 41 percent of the people who had a mental disorder in the past year received professional health care or other services. • https://www.mentalhealthhackers.org/resources-and-links/
  4. 4. ME: Evan Francen, CEO & Founder of FRSecure and SecurityStudio I do a lot of security stuff… • Co-inventor of SecurityStudio®, S²Score, S²Org, S²Vendor, S²Team, and S²Me • 25+ years of “practical” information security experience (started as a Cisco Engineer in the early 90s) • Worked as CISO and vCISO for hundreds of companies. • Developed the FRSecure Mentor Program; six students in 2010/500+ in 2018 • Advised legal counsel in very public breaches (Target, Blue Cross/Blue Shield, etc.) Solving our Information Security Language Problem AKA: The “Truth”
  5. 5. UNSECURITY: Information Security Is Failing. Breaches Are Epidemic. How Can We Fix This Broken Industry? Published January, 2019 Solving our Information Security Language Problem
  6. 6. You know we have an language problem in our industry, right? Our Industry AI Blockchain Penetration Test Vulnerability Management NIST CSF RiskRisk Management Containers Incident Management Cyber Insurance Threats Maturity Assessment Malware Security Cryptography Breach APT multifactor authentication behavioral analytics deception technology
  7. 7. You know we have an language problem in our industry, right? Normal People See Us Like AI Blockchain Penetration Test Vulnerability Management NIST CSF RiskRisk Management Containers Incident Management Cyber Insurance Threats Maturity Assessment Malware Security Cryptography Breach APT
  8. 8. You know we have an language problem in our industry, right? Normal People See Us Like AI Blockchain Penetration Test Vulnerability Management NIST CSF RiskRisk Management Containers Incident Management Cyber Insurance Threats Maturity Assessment Malware Security Cryptography Breach APT
  9. 9. You know we have an language problem in our industry, right? Normal People See Us Like AI Blockchain Penetration Test Vulnerability Management NIST CSF RiskRisk Management Containers Incident Management Cyber Insurance Threats Maturity Assessment Malware Security Cryptography Breach APT B.S. The model isn’t broken, the application of the model is!
  10. 10. Why? Because we don’t agree on a language Their Language FIX: Fundamentals and simplification. Translation/Communication WARNING – It’s work and it’s NOT sexy.
  11. 11. Information Security is
  12. 12. Managing RiskInformation Security is
  13. 13. ComplianceInformation Security is NOT
  14. 14. Managing RiskInformation Security is in what?
  15. 15. Managing Risk Administrative Controls Physical Controls Technical Controls Information Security is
  16. 16. Managing Risk Administrative Controls Physical Controls Technical Controls Information Security is Easier to go through your secretary than your firewall Firewall doesn’t help when someone steals your server YAY! IT stuff
  17. 17. Managing Risk Administrative Controls Physical Controls Technical Controls Information Security is What’s risk?
  18. 18. Managing Risk Likelihood Impact Administrative Controls Physical Controls Technical Controls Information Security is Of something bad happening. If it did.
  19. 19. Managing Risk Likelihood Impact Administrative Controls Physical Controls Technical Controls Information Security is How do you figure out likelihood and impact?
  20. 20. Managing Risk Likelihood Impact Vulnerabilities Administrative Controls Physical Controls Technical Controls Information Security is Start with vulnerabilities.
  21. 21. Managing Risk Likelihood Impact Vulnerabilities Administrative Controls Physical Controls Technical Controls Information Security is Start with vulnerabilities. • Vulnerabilities are weaknesses. • A fully implemented and functional control has no weakness. • Think CMMI, 1 – Initial to 5 – Optimizing.
  22. 22. Managing Risk Likelihood Impact Vulnerabilities Administrative Controls Physical Controls Technical Controls Information Security is OK, but there’s no risk in a weakness by itself, right?
  23. 23. Managing Risk Likelihood Impact Vulnerabilities Administrative Controls Physical Controls Technical Controls Information Security is OK, but there’s no risk in a weakness by itself, right? That’s right! We need threats too.
  24. 24. Managing Risk Likelihood Impact Threats Vulnerabilities Administrative Controls Physical Controls Technical Controls Information Security is
  25. 25. Managing Risk Likelihood Impact Threats Vulnerabilities Administrative Controls Physical Controls Technical Controls Information Security is There is NO risk • For vulnerabilities without a threat. • For threats without a vulnerability.
  26. 26. Managing Risk Likelihood Impact Threats Vulnerabilities Administrative Controls Physical Controls Technical Controls Information Security is There is NO risk • For vulnerabilities without a threat. • For threats without a vulnerability. So, what is information security?
  27. 27. Managing Risk Likelihood Impact Threats Vulnerabilities Administrative Controls Physical Controls Technical Controls Information Security is
  28. 28. Some truth about information security It’s relative. Something insecure at the core will always be insecure. You can’t manage what you can’t measure. You can’t manage risk without assessing it. Complexity is the enemy.
  29. 29. Some truth about information security Must be put on a scale (degrees of security) Must master the fundamentals Must measure it. Must do risk assessments. Keep it simple! As much as 90% of organizations fail to do fundamental information security risk assessments. WHY? Reason #1: Complexity
  30. 30. Managing Risk Likelihood Impact Threats Vulnerabilities Administrative Controls Physical Controls Technical Controls Information Security is Fine for our tribe, but what about the others?
  31. 31. Managing Risk Likelihood Impact Threats Vulnerabilities Administrative Controls Physical Controls Technical Controls Information Security is What if we made a simple score to represent this?
  32. 32. Managing Risk Likelihood Impact Threats Vulnerabilities Administrative Controls Physical Controls Technical Controls Information Security is We call it the S2Score. We did.
  33. 33. Managing Risk Likelihood Impact Threats Vulnerabilities Administrative Controls Physical Controls Technical ControlsThe S2Score is a simple and effective language to communicate information security to everyone (executives, other security people, auditors, regulators, etc.). Information Security is
  34. 34. Managing Risk Likelihood Impact Threats Vulnerabilities Administrative Controls Physical Controls Technical Controls Information Security is As much as 90% of organizations fail to do fundamental information security risk assessments. Reason #2: Cost
  35. 35. Managing Risk Likelihood Impact Threats Vulnerabilities Administrative Controls Physical Controls Technical Controls Information Security is Let’s make an information security risk assessment that’s free. The assessment that creates the S2Score is available at no cost to anyone. Cool. Speaking the same language should be free.
  36. 36. Managing Risk Likelihood Impact Threats Vulnerabilities Administrative Controls Physical Controls Technical Controls Information Security is Let’s make an information security risk assessment that’s free. The assessment that creates the S2Score is available at no cost to anyone. Cool. Speaking the same language should be free. OK. You did an information security risk assessment. Now what?
  37. 37. The next thing after an information security risk assessment is?
  38. 38. The next thing after an information security risk assessment is? Doing something with it.
  39. 39. The next thing after an information security risk assessment is? Doing something with it. Risks
  40. 40. The next thing after an information security risk assessment is? Doing something with it. Risks Accept
  41. 41. The next thing after an information security risk assessment is? Doing something with it. Risks Accept Mitigate
  42. 42. The next thing after an information security risk assessment is? Doing something with it. Risks Accept Mitigate Transfer
  43. 43. The next thing after an information security risk assessment is? Doing something with it. Risks Accept Mitigate Transfer Avoid
  44. 44. The next thing after an information security risk assessment is? Doing something with it. Risks Accept Mitigate Transfer Avoid Who makes the decisions?
  45. 45. The next thing after an information security risk assessment is? Doing something with it. Risks Accept Mitigate Transfer Avoid Ignorance is not an option!
  46. 46. The next thing after an information security risk assessment is? Doing something with it. Risks Accept Mitigate Transfer Avoid When? Prioritize Ignorance is not an option!
  47. 47. The next thing after an information security risk assessment is? Doing something with it. Risks Accept Mitigate Transfer Avoid When? Prioritize Who? Prioritize Ignorance is not an option!
  48. 48. The next thing after an information security risk assessment is? Doing something with it. Risks Accept Mitigate Transfer Avoid When? Prioritize Who? Prioritize Ignorance is not an option! This is your roadmap.
  49. 49. Other Fundamentals? Risk management also requires communication. Now you can say: 1. Where we’re at. 2. Where we’re going. 3. When we’re going to get there. 4. How much it’s going to cost. Five minutes or less with the board.
  50. 50. Other Fundamentals? Everything should be driven from risk management. Including: • Governance • Asset Management • Hardware (lifecycle including configuration and vulnerability management) • Software (lifecycle including configuration and vulnerability management) • Data • Access Control • Change Control OK. Now back to language.
  51. 51. Managing Risk Likelihood Impact Threats Vulnerabilities Administrative Controls Physical Controls Technical Controls S2Score is We have another language problem What about the language between organizations? We can use the S2Score to communicate 3rd-party information security risk too.
  52. 52. Managing Risk Likelihood Impact Threats Vulnerabilities Administrative Controls Physical Controls Technical Controls S2Score is Managing Risk Likelihood Impact Threats Vulnerabilities Administrative Controls Physical Controls Technical Controls S2Score is If two organization’s use S2Score as their language, just share the scores. SIMPLE!
  53. 53. Managing Risk Likelihood Impact Threats Vulnerabilities Administrative Controls Physical Controls Technical Controls S2Score is Or through translation. Here’s you.
  54. 54. Managing Risk Likelihood Impact Threats Vulnerabilities Administrative Controls Physical Controls Technical Controls S2Score is Or through translation. Company #1’s way. Company #2’s way. Company #3’s way. Company #4’s way. Here’s you. Here are your 3rd- parties.
  55. 55. Managing Risk Likelihood Impact Threats Vulnerabilities Administrative Controls Physical Controls Technical Controls S2Score is Through translation. Company #1’s way. Company #2’s way. Company #3’s way. Company #4’s way. Let’s say each company has there own way, their own language. Here’s you. Here are you’re 3rd- parties.
  56. 56. Managing Risk Likelihood Impact Threats Vulnerabilities Administrative Controls Physical Controls Technical Controls S2Score is Through translation. Company #1’s way. Company #2’s way. Company #3’s way. Company #4’s way. Let’s say each company has there own way, their own language. Here’s you. Here are you’re 3rd- parties. We built a translator.
  57. 57. Managing Risk Likelihood Impact Threats Vulnerabilities Administrative Controls Physical Controls Technical Controls FISASCORE® is Through translation. Company #1’s way. Company #2’s way. Company #3’s way. Company #4’s way. Let’s say each company has there own way, their own language. Here’s you. Here are you’re 3rd- parties. We built a translator. What’s the point?
  58. 58. Managing Risk Likelihood Impact Threats Vulnerabilities Administrative Controls Physical Controls Technical Controls FISASCORE® is Through translation. Company #1’s way. Company #2’s way. Company #3’s way. Company #4’s way. Let’s say each company has there own way, their own language. Here’s you. Here are you’re 3rd- parties. We built VENDEFENSE to be a translator. What’s the point? Information security language and translations are the point! People are the point! People within our industry and people who work with us are confused and we’re wasting valuable resources on a 1,000 different solutions to the same problems, all using different languages.
  59. 59. Managing Risk Likelihood Impact Threats Vulnerabilities Administrative Controls Physical Controls Technical Controls FISASCORE® is Through translation. Company #1’s way. Company #2’s way. Company #3’s way. Company #4’s way. Let’s say each company has there own way, their own language. Here’s you. Here are you’re 3rd- parties. We built VENDEFENSE to be a translator. What’s the point? Information security language and translations are the point! People are the point! People within our industry and people who work with us are confused and we’re wasting valuable resources on a 1,000 different solutions to the same problems, all using different languages. OK, I get it. Two last questions. 1. What does the future of S2Score look like? 2. What should I do now?
  60. 60. What does the future hold for the S2Score Language? Managing Risk Likelihood Impact Threats Vulnerabilities Administrative Controls Physical Controls Technical Controls S2Score is Managing Risk Likelihood Impact Threats Vulnerabilities Administrative Controls Physical Controls Technical Controls S2Score is Other tools/integrations These are things that are coming: • The roadshow. • Community involvement program. • Vendor/product incorporation. • Integration with any/all.
  61. 61. What should you do now? Managing Risk Likelihood Impact Threats Vulnerabilities Administrative Controls Physical Controls Technical Controls S2Score is Managing Risk Likelihood Impact Threats Vulnerabilities Administrative Controls Physical Controls Technical Controls S2Score is Other tools/integrations Simple. • Get your S2Score. • Participate with us; give us feedback, help us solve problems. • The S2Score is mapped to NIST CSF, ISO 27002, NIST SP 800-53, CIS, and COBIT. More to come. • SIMPLE. FUNDAMENTAL. COMPLIANT.
  62. 62. Fixing the broken industry starts with speaking the same language.
  63. 63. Resources & Contact Want to participate? Want to partner? Want these slides? LET’S WORK TOGETHER! S2Org/S2Score – https://app.securitystudio.com • Email: efrancen@securitystudio.com • @evanfrancen • @StudioSecurity #S2Roadshow • Blog - https://evanfrancen.com • Podcast (The UNSECURITY Podcast) Thank you!

×