Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

WANTED - People Committed to Solving Our Information Security Language Problem

21 views

Published on

Our industry has plenty of problems to solve. The language we use shouldn’t be one of them, and now it’s not. SecurityStudio, a Minnesota-based security SaaS company committed to solving information security problems for our industry has developed a common, easily-understood information security risk assessment that’s comprehensive, foundational, and completely free for all to use.

Today, more than 1,500 organizations are speaking the language. We invite you to do the same.

Published in: Business
  • Be the first to comment

  • Be the first to like this

WANTED - People Committed to Solving Our Information Security Language Problem

  1. 1. WANTED – People Committed to Solving our Information Security Language Problem Evan Francen, CEO, SecurityStudio
  2. 2. IMPORTANT! Before I get started… • The World Health Organization states that over 800,000 people die every year due to suicide, and that suicide is the second leading cause of death in 15-29-year-olds. • 5 percent of adults (18 or older) experience a mental illness in any one year • In the United States, almost half of adults (46.4 percent) will experience a mental illness during their lifetime. • In the United States, only 41 percent of the people who had a mental disorder in the past year received professional health care or other services. • https://www.mentalhealthhackers.org/resources-and-links/
  3. 3. IMPORTANT! Before I get started… • The World Health Organization states that over 800,000 people die every year due to suicide, and that suicide is the second leading cause of death in 15-29-year-olds. • 5 percent of adults (18 or older) experience a mental illness in any one year • In the United States, almost half of adults (46.4 percent) will experience a mental illness during their lifetime. • In the United States, only 41 percent of the people who had a mental disorder in the past year received professional health care or other services. • https://www.mentalhealthhackers.org/resources-and-links/
  4. 4. ME: Evan Francen, CEO & Founder of FRSecure and SecurityStudio I do a lot of security stuff… • Co-inventor of SecurityStudio®, S²Score, S²Org, S²Vendor, S²Team, and S²Me • 25+ years of “practical” information security experience (started as a Cisco Engineer in the early 90s) • Worked as CISO and vCISO for hundreds of companies. • Developed the FRSecure Mentor Program; six students in 2010/500+ in 2018 • Advised legal counsel in very public breaches (Target, Blue Cross/Blue Shield, etc.) Solving our Information Security Language Problem AKA: The “Truth”
  5. 5. UNSECURITY: Information Security Is Failing. Breaches Are Epidemic. How Can We Fix This Broken Industry? Published January, 2019 Solving our Information Security Language Problem
  6. 6. Resources & Contact Want to participate? Want to partner? Want these slides? LET’S WORK TOGETHER! • Email: efrancen@securitystudio.com • @evanfrancen • @StudioSecurity #S2Roadshow • Blog - https://evanfrancen.com • Podcast (The UNSECURITY Podcast) Thank you!
  7. 7. You know we have an language problem in our industry, right? Our Industry AI Blockchain Penetration Test Vulnerability Management NIST CSF RiskRisk Management Containers Incident Management Cyber Insurance Threats Maturity Assessment Malware Security Cryptography Breach APT Cybersecurity BCDR Malware Trojan Spoofing UTM Phishing Vishing DDoS Worm Botnet ML Vulnerability Zero-Day Layered Exploit Threat Actor Attribution Kali OSCP CISSP NIST CSF
  8. 8. You know we have an language problem in our industry, right? Normal People See Us Like AI Blockchain Penetration Test Vulnerability Management NIST CSF RiskRisk Management Containers Incident Management Cyber Insurance Threats Maturity Assessment Malware Security Cryptography Breach APT
  9. 9. Why? Because we don’t agree on a language Their Language FIX: Fundamentals and simplification. Translation/Communication WARNING – It’s work and it’s NOT sexy.
  10. 10. Information Security is
  11. 11. Managing RiskInformation Security is
  12. 12. Eliminating RiskInformation Security is NOT
  13. 13. ComplianceInformation Security is NOT
  14. 14. Managing RiskInformation Security is in what?
  15. 15. Managing Risk Administrative Controls Physical Controls Technical Controls Information Security is
  16. 16. Managing Risk Administrative Controls Physical Controls Technical Controls Information Security is Easier to go through your secretary than your firewall Firewall doesn’t help when someone steals your server YAY! IT stuff
  17. 17. Managing Risk Administrative Controls Physical Controls Technical Controls Information Security is What’s risk?
  18. 18. Managing Risk Likelihood Impact Administrative Controls Physical Controls Technical Controls Information Security is Of something bad happening. If it did.
  19. 19. Managing Risk Likelihood Impact Administrative Controls Physical Controls Technical Controls Information Security is How do you figure out likelihood and impact?
  20. 20. Managing Risk Likelihood Impact Vulnerabilities Administrative Controls Physical Controls Technical Controls Information Security is Start with vulnerabilities.
  21. 21. Managing Risk Likelihood Impact Vulnerabilities Administrative Controls Physical Controls Technical Controls Information Security is Start with vulnerabilities. • Vulnerabilities are weaknesses. • A fully implemented and functional control has no weakness. • Think CMMI, 1 – Initial to 5 – Optimizing.
  22. 22. Managing Risk Likelihood Impact Vulnerabilities Administrative Controls Physical Controls Technical Controls Information Security is OK, but there’s no risk in a weakness by itself, right?
  23. 23. Managing Risk Likelihood Impact Vulnerabilities Administrative Controls Physical Controls Technical Controls Information Security is OK, but there’s no risk in a weakness by itself, right? That’s right! We need threats too.
  24. 24. Managing Risk Likelihood Impact Threats Vulnerabilities Administrative Controls Physical Controls Technical Controls Information Security is
  25. 25. Managing Risk Likelihood Impact Threats Vulnerabilities Administrative Controls Physical Controls Technical Controls Information Security is There is NO risk • For vulnerabilities without a threat. • For threats without a vulnerability.
  26. 26. Managing Risk Likelihood Impact Threats Vulnerabilities Administrative Controls Physical Controls Technical Controls Information Security is There is NO risk • For vulnerabilities without a threat. • For threats without a vulnerability. So, what is information security?
  27. 27. Managing Risk Likelihood Impact Threats Vulnerabilities Administrative Controls Physical Controls Technical Controls Information Security is
  28. 28. Some truth about information security It’s relative. Something insecure at the core will always be insecure. You can’t manage what you can’t measure. You can’t manage risk without assessing it. Complexity is the enemy.
  29. 29. Some truth about information security Must be put on a scale (degrees of security) Must master the fundamentals Must measure it. Must do risk assessments. Keep it simple! As much as 90% of organizations fail to do fundamental information security risk assessments. WHY? Reason #1: Complexity
  30. 30. Though about this today. SecurityStudio makes “simple buttons” for information security (not “easy buttons” because those don’t exist). Simple ain’t sexy, but it’s super effective. There is always a tough balance between security and convenience! True. Simple, convenient, and easy are all different things. Simple security works better than complicated security. Simple things also better enable convenience. This understanding is critical to finding the right balance. None of it is necessarily easy though.
  31. 31. Some truth about information security Must be put on a scale (degrees of security) Must master the fundamentals Must measure it. Must do risk assessments. Keep it simple! As much as 90% of organizations fail to do fundamental information security risk assessments. WHY? Reason #1: Complexity
  32. 32. Managing Risk Likelihood Impact Threats Vulnerabilities Administrative Controls Physical Controls Technical Controls Information Security is Fine for our tribe, but what about the others?
  33. 33. Managing Risk Likelihood Impact Threats Vulnerabilities Administrative Controls Physical Controls Technical Controls Information Security is What if we made a simple score to represent this?
  34. 34. Managing Risk Likelihood Impact Threats Vulnerabilities Administrative Controls Physical Controls Technical Controls Information Security is We call it the S2Score. We did.
  35. 35. Managing Risk Likelihood Impact Threats Vulnerabilities Administrative Controls Physical Controls Technical ControlsThe S2Score is a simple and effective language to communicate information security to everyone (executives, other security people, auditors, regulators, etc.). Information Security is
  36. 36. Managing Risk Likelihood Impact Threats Vulnerabilities Administrative Controls Physical Controls Technical Controls Information Security is As much as 90% of organizations fail to do fundamental information security risk assessments. Reason #2: Cost
  37. 37. Managing Risk Likelihood Impact Threats Vulnerabilities Administrative Controls Physical Controls Technical Controls Information Security is Let’s make an information security risk assessment that’s free. The assessment that creates the S2Score is available at no cost to anyone.
  38. 38. Managing Risk Likelihood Impact Threats Vulnerabilities Administrative Controls Physical Controls Technical Controls S2Score is Cool. Speaking the same language should be free. We have another language problem What about the language between organizations? We can use the S2Score to communicate 3rd-party information security risk too.
  39. 39. Managing Risk Likelihood Impact Threats Vulnerabilities Administrative Controls Physical Controls Technical Controls S2Score is Managing Risk Likelihood Impact Threats Vulnerabilities Administrative Controls Physical Controls Technical Controls S2Score is If two organization’s use S2Score as their language, just share the scores. SIMPLE!
  40. 40. Managing Risk Likelihood Impact Threats Vulnerabilities Administrative Controls Physical Controls Technical Controls S2Score is Or through translation. Here’s you.
  41. 41. Managing Risk Likelihood Impact Threats Vulnerabilities Administrative Controls Physical Controls Technical Controls S2Score is Or through translation. Company #1’s way. Company #2’s way. Company #3’s way. Company #4’s way. Here’s you. Here are your 3rd- parties.
  42. 42. Managing Risk Likelihood Impact Threats Vulnerabilities Administrative Controls Physical Controls Technical Controls S2Score is Through translation. Company #1’s way. Company #2’s way. Company #3’s way. Company #4’s way. Let’s say each company has there own way, their own language. Here’s you. Here are you’re 3rd- parties.
  43. 43. Managing Risk Likelihood Impact Threats Vulnerabilities Administrative Controls Physical Controls Technical Controls S2Score is Through translation. Company #1’s way. Company #2’s way. Company #3’s way. Company #4’s way. Let’s say each company has there own way, their own language. Here’s you. Here are you’re 3rd- parties. We built a translator.
  44. 44. Managing Risk Likelihood Impact Threats Vulnerabilities Administrative Controls Physical Controls Technical Controls FISASCORE® is Through translation. Company #1’s way. Company #2’s way. Company #3’s way. Company #4’s way. Let’s say each company has there own way, their own language. Here’s you. Here are you’re 3rd- parties. We built a translator. What’s the point?
  45. 45. Managing Risk Likelihood Impact Threats Vulnerabilities Administrative Controls Physical Controls Technical Controls FISASCORE® is Through translation. Company #1’s way. Company #2’s way. Company #3’s way. Company #4’s way. Let’s say each company has there own way, their own language. Here’s you. Here are you’re 3rd- parties. We built VENDEFENSE to be a translator. What’s the point? Information security language and translations are the point! People are the point! People within our industry and people who work with us are confused and we’re wasting valuable resources on a 1,000 different solutions to the same problems, all using different languages.
  46. 46. Managing Risk Likelihood Impact Threats Vulnerabilities Administrative Controls Physical Controls Technical Controls FISASCORE® is Through translation. Company #1’s way. Company #2’s way. Company #3’s way. Company #4’s way. Let’s say each company has there own way, their own language. Here’s you. Here are you’re 3rd- parties. We built VENDEFENSE to be a translator. What’s the point? Information security language and translations are the point! People are the point! People within our industry and people who work with us are confused and we’re wasting valuable resources on a 1,000 different solutions to the same problems, all using different languages. OK, I get it. Two last questions. 1. What does the future of S2Score look like? 2. What should I do now?
  47. 47. What does the future hold for the S2Score Language? Managing Risk Likelihood Impact Threats Vulnerabilities Administrative Controls Physical Controls Technical Controls S2Score is Managing Risk Likelihood Impact Threats Vulnerabilities Administrative Controls Physical Controls Technical Controls S2Score is Other tools/integrations These are things that are coming: • The roadshow. • Community involvement program. • Vendor/product incorporation. • Integration with any/all.
  48. 48. What should you do now? Managing Risk Likelihood Impact Threats Vulnerabilities Administrative Controls Physical Controls Technical Controls S2Score is Managing Risk Likelihood Impact Threats Vulnerabilities Administrative Controls Physical Controls Technical Controls S2Score is Other tools/integrations Simple. • Get your S2Score. • Participate with us; give us feedback, help us solve problems. • The S2Score is mapped to NIST CSF, ISO 27002, NIST SP 800-53, CIS, and COBIT. More to come. • SIMPLE. FUNDAMENTAL. COMPLIANT.
  49. 49. Fixing the broken industry starts with speaking the same language.
  50. 50. Resources & Contact Want to participate? Want to partner? Want these slides? LET’S WORK TOGETHER! S2Org/S2Score – https://app.securitystudio.com • Email: efrancen@securitystudio.com • @evanfrancen • @StudioSecurity #S2Roadshow • Blog - https://evanfrancen.com • Podcast (The UNSECURITY Podcast) Thank you!

×