The document discusses solving the language problem in information security. It begins by explaining that information security is about managing risk by assessing threats and vulnerabilities, and using administrative, physical, and technical controls. It then introduces the S2Score as a simple scoring system to communicate security in a common language. The document advocates for making security assessments free and accessible to all, and developing translation tools to map different organizations' risk scoring systems to a common scale. The overall goal is to establish a shared security language to improve understanding and coordination across the industry.
Solving Information Security Language Problem
1. WANTED – People Committed to
Solving our Information Security
Language Problem
Evan Francen, CEO, SecurityStudio
2. IMPORTANT!
Before I get started…
• The World Health Organization states that over 800,000
people die every year due to suicide, and that suicide is the
second leading cause of death in 15-29-year-olds.
• 5 percent of adults (18 or older) experience a mental illness
in any one year
• In the United States, almost half of adults (46.4 percent) will
experience a mental illness during their lifetime.
• In the United States, only 41 percent of the people who had a
mental disorder in the past year received professional health
care or other services.
• https://www.mentalhealthhackers.org/resources-and-links/
4. ME: Evan Francen, CEO & Founder of FRSecure and SecurityStudio
I do a lot of security stuff…
• Co-inventor of SecurityStudio®, S²Score, S²Org, S²Vendor,
S²Team, and S²Me
• 25+ years of “practical” information security experience
(started as a Cisco Engineer in the early 90s)
• Worked as CISO and vCISO for hundreds of companies.
• Developed the FRSecure Mentor Program; six students in
2010/500+ in 2018
• Advised legal counsel in very public breaches (Target, Blue
Cross/Blue Shield, etc.)
AKA: The “Truth”
5. UNSECURITY: Information Security Is Failing. Breaches Are Epidemic.
How Can We Fix This Broken Industry?
Published January, 2019
6. Resources & Contact
Want to participate?
Want to partner?
Want these slides?
LET’S WORK TOGETHER!
• Email: efrancen@securitystudio.com
• @evanfrancen
• @StudioSecurity
#S2Roadshow
• Blog - https://evanfrancen.com
• Podcast (The UNSECURITY Podcast)
Thank you!
7. You know we have a language problem in our industry, right?
Our Industry
[Word cloud: AI, Blockchain, Penetration Test, Vulnerability Management, NIST CSF, Risk, Risk Management, Containers, Incident Management, Cyber Insurance, Threats, Maturity Assessment, Malware, Security, Cryptography, Breach, APT, Cybersecurity, BCDR, Trojan, Spoofing, UTM, Phishing, Vishing, DDoS, Worm, Botnet, ML, Vulnerability, Zero-Day, Layered, Exploit, Threat Actor, Attribution, Kali, OSCP, CISSP]
8. You know we have a language problem in our industry, right?
Normal People See Us Like
[Word cloud: AI, Blockchain, Penetration Test, Vulnerability Management, NIST CSF, Risk, Risk Management, Containers, Incident Management, Cyber Insurance, Threats, Maturity Assessment, Malware, Security, Cryptography, Breach, APT]
9. Why?
Because we don’t agree on a language
Their Language
FIX: Fundamentals and simplification.
Translation/Communication
WARNING – It’s work and it’s NOT sexy.
28. Some truth about information security
It’s relative.
Something insecure at the core will always be insecure.
You can’t manage what you can’t measure.
You can’t manage risk without assessing it.
Complexity is the enemy.
29. Some truth about information security
Must be put on a scale (degrees of security)
Must master the fundamentals
Must measure it.
Must do risk assessments.
Keep it simple!
As much as 90% of organizations fail to do fundamental information security risk assessments.
WHY? Reason #1: Complexity
30. Thought about this today. SecurityStudio makes “simple buttons”
for information security (not “easy buttons” because those don’t
exist). Simple ain’t sexy, but it’s super effective.
There is always a tough balance between security
and convenience!
True. Simple, convenient, and easy are all different things. Simple
security works better than complicated security. Simple things
also better enable convenience. This understanding is critical to
finding the right balance. None of it is necessarily easy though.
45. Managing Risk
Likelihood, Impact
Threats, Vulnerabilities
Administrative Controls, Physical Controls, Technical Controls
FISASCORE® is
Through translation.
Company #1’s way. Company #2’s way. Company #3’s way. Company #4’s way.
Let’s say each company has their own way, their own language.
Here’s you.
Here are your 3rd-parties.
We built VENDEFENSE to be a translator.
What’s the point?
Information security language and translations are the point!
People are the point! People within our industry and people who work with us are confused and we’re wasting valuable resources on 1,000 different solutions to the same problems, all using different languages.
46. Managing Risk
OK, I get it. Two last questions.
1. What does the future of S2Score look like?
2. What should I do now?
47. What does the future hold for the S2Score Language?
Managing Risk
Likelihood, Impact
Threats, Vulnerabilities
Administrative Controls, Physical Controls, Technical Controls
S2Score is
Other tools/integrations
These are things that are coming:
• The roadshow.
• Community involvement program.
• Vendor/product incorporation.
• Integration with any/all.
48. What should you do now?
Managing Risk
Likelihood, Impact
Threats, Vulnerabilities
Administrative Controls, Physical Controls, Technical Controls
S2Score is
Other tools/integrations
Simple.
• Get your S2Score.
• Participate with us; give us feedback, help us solve problems.
• The S2Score is mapped to NIST CSF, ISO 27002, NIST SP 800-53, CIS, and COBIT. More to come.
• SIMPLE. FUNDAMENTAL. COMPLIANT.