3. Myth #1: Security doesn't need to know a company's business
Today, not only the consumer but everyone in the world (potentially) has access to a company's data and applications.
Security and legal have more in common than IT and security.
Security is part of your business because criminals want part of your business.
4. Myth #2: Security prevents break-ins
The 'right' amount of security will prevent a break-in.
Doctor's role in preventing a cold.
Security is responsible for monitoring the health of a company.
5. Myth #3: Security makes your company safer
Seat belts actually enable you to drive faster.
Lets the company take bigger risks.
Lawyers don't decide if a company's marketing strategy should target the 20-25 demographic, but they will tell you what the legal risks are.
6. Myth #4: What you don't know won't hurt you
Breaking their supposedly unbreakable code.
You locked the door to your house, but did you know your back door was unlocked -
Security is both a feeling and a reality. And they're not the same.
Ignorantia juris non excusat.
7. Myth #5: I'm not a target because [insert a reason]
It doesn't matter what you think you have or don't have; it's what the attacker thinks you have or could do for them.
What would happen if every computer in your company became a brick because the attacker encrypted the hard drive of every computer?
ramifications might be if a company's computers were used to break into another company's computers? How
8. Myth #6: Security is something you can complete
Since things in IT have end dates and can be delivered, many think security has the same criteria.
“Why do the police wear Kevlar vests today when they didn't in the 60's?” The answer is, “Because the criminals have bigger guns than they did in the 60's.”
Attackers aren't static.
9. Myth #7: We are better than attackers because [insert reason]
Young naive teenagers who have pasty skin and live with their mothers.
They can have teams who have distinct purposes and are managed like any project in a corporation.
− Sternberg Arabians, L.L.C
10. Myth #8: Security insurance will solve security
I'll just buy security insurance instead of paying for a security program.
Insurance companies may sell protection, but they're in the game to make a profit. And they don't make a profit by paying for breaches.
Insurance can't pay for everything.
Does your company have the pockets of Sony (or Target or
*Apologies to Travelers
11. Myth #9: Compliance = security
PCI compliant with passwords like 'Passw0rd!'
HITECH doesn't prevent employees from phishing attacks.
No compliance regulations will protect a company from a zero day attack.
PCI 2.0 was released in
12. Myth #10: The job of security is security
CFO: a corporate officer primarily responsible for managing the financial risks of the corporation.
CLO: In a company, the person holding the position typically reports directly to the CEO, and their duties involve overseeing and identifying the legal issues in all departments and their
13. Myth #10: The job of security is security
CSO description (from Investopedia): The company executive responsible for the security of personnel, physical assets and information in both physical and digital form. The importance of this position has increased in the age of information technology as it has
14. Myth #10: The job of security is security
CSO description (from Investopedia): In a company, the CSO duties involve overseeing and identifying the security and privacy issues in all departments and their interrelation, including engineering, design, marketing, sales, distribution, credit, finance, human
Myth: “a popular belief or tradition that has grown up around something or someone; especially: one embodying the ideals and institutions of a society or segment of society”
Even though banana plants can grow to be 30 feet in height, they’re not technically trees: their stems are sturdy, but contain no woody tissue. They’re not trunks, but “pseudostems,” made of densely packed leaves.
So a banana plant is actually a perennial herb, like a lily or an orchid.
Technically, the banana fruit is the berry of the plant—it may not look much like one, but it contains seeds and pulp from a single ovary, so it’s often classified as an “epigynous berry.”
Today company data and applications are running on devices that the company does not own and probably doesn't even know about.
Neither legal nor security would be needed if people could be trusted.
Security is part of your business because criminals want part of your business
Keeping security disconnected from the workings of your business doesn't keep criminals from your business
Like legal:
Security needs to understand what risks might arise with a particular course of action
Security must work across and with all departments to understand what physical and logical assets need to be protected
Security must understand the financial resources of a company as well so it can provide decision makers with an appropriate set of risk mitigation choices
A dangerous one we sometimes believe
Consider that we've spent thousands of years trying to protect houses from break-ins, but if someone wants into a house badly enough there's little that can be done to prevent it.
And that's ignoring when your children leave the house and forget to lock the door
Security provides an appropriate set of procedures to follow and presents a list of appropriate choices to the company.
Which you can ignore like your doctor's advice
Like you are responsible for monitoring your own symptoms and telling your doctor if you've stopped breathing
Dangerous because it's partially true
Security is more like the seat belts in your car
So what are seat belts for?
Most say seat belts are there to make driving safer or reduce injury. Truth be told, the best way to do that isn't to use seat belts at all but to drive at 10 MPH or not drive at all. Seat belts actually enable you to drive faster.
Security lets the company take bigger risks.
The safest thing to do is not have a shopping portal since then attackers won't be able to break in and steal information
Security allows a company to take on that bigger risk at a level that is acceptable
Lawyers don't decide if a company's marketing strategy should target the 20-25 demographic but they tell you what the legal risks are.
Understanding the true risks in a business venture helps a company make appropriate decisions based on the risk tolerance and the potential gain.
Victory goes to the unexpected.
Blitzkrieg, Enigma machine,
Bruce Schneier once said that “Security is both a feeling and a reality. And they're not the same.”
Security can only protect and harden what it knows about.
Having developers keep computers under their desk to avoid dealing with the overhead of procurement and security may seem like a good business decision
Ignorantia juris non excusat - just because you didn't know about something or feel it was a concern doesn't mean you can't be fined, sued or suffer company damage.
Attackers don't care how much money or effort you saved.
Attackers break into 'Mom & Pop' HVAC shops so they can go after bigger retail fish.
Attackers troll social media for employee information so they can get access to a company through those employees.
Attackers don't even need to use a company's system.
Attackers don't find one vulnerability and call it done. They'll download the same software you use (e.g. OpenSSL, Windows, ...), dig through the application and source code and try different types of attacks until they find one that works.
They continue to attack with that until the attack is blocked or they get in
They'll go back to the drawing boards and try again
Their code disguises itself and can run mostly unattended in hostile environments
Their code may run for days, months or even years without anyone noticing
They can have teams who have distinct purposes and are managed like any project in a corporation
Malware communicates back to its control server over secure connections using digital certificates, just like any secure corporate application does.
It can perform online updates and may have hundreds or thousands of cooperating instances scattered across the globe
Besides, what's the worst that happens if their code doesn't work on your system the first time?
Try and try again
Apologies to Travelers
Don't pay if:
Don't have an existing security program
Didn't follow the recommendations (reasonable or not) of your security group
Didn't train your employees to not click on phishing links
Sony
hacked multiple times
their internal memos and other sensitive (a.k.a. embarrassing) items leaked
lost intellectual property (although it's a stretch calling “The Interview” intellectual)
became a pawn in a conflict between the US and North Korea
they unwittingly set a precedent when they caved in and didn't release “The Interview”
even though they did backpedal, attackers are thinking that maybe, if they attack a smaller company that won't be noticed by the government, they could direct that company to do their bidding.
Being compliant doesn't mean you're secure any more than getting a driver's license makes you a good driver.
Compliance only means you are following the dictates of an external entity that doesn't know the systems and the company.
Compliance may give companies a false sense of security by making them think they are secure just because they followed a checklist
A company can be PCI compliant with passwords like 'Password1'
HITECH doesn't prevent employees from phishing attacks
No compliance regulations will protect a company from a zero day attack or a system that's improperly configured.
Compliance standards change slowly and require a committee to approve. It may take months, if not years, to change.
PCI 2.0 was released in 2010 and it took three years before 3.0 was released. It's 2015 now and you can be sure that malware has changed significantly since PCI 3.0 was released.
A compliance program can serve as a security foundation
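To make the 'PCI compliant with Password1' point concrete, here is an added example (not from the original slides) that checks a constructed list of passwords two ways: against the letter of a checklist rule, and against that rule plus a deny-list of well-known base words. The checklist rule (at least 7 characters, containing both letters and digits) is modelled on the PCI DSS v3.x password requirement; the deny-list and the leet-speak normalisation are small constructed stand-ins for a real breached-password corpus, and the function and variable names are my own.

```python
"""Added example: checklist-only password check beside a checklist-plus-deny-list
check, to show why passing the rule is not the same as being strong."""

import re

# Constructed deny-list of base words attackers try first; a production check
# would use a large breached-password corpus instead.
DENY_LIST_BASE_WORDS = {
    "password", "welcome", "qwerty", "letmein", "summer", "monkey", "dragon",
}

# Common character substitutions, undone so that P@ssw0rd normalises to password.
_LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                       "@": "a", "$": "s"})


def meets_complexity_rule(password: str) -> bool:
    """The letter of a checklist rule (assumed: modelled on PCI DSS v3.x):
    at least 7 characters with at least one letter and one digit."""
    return (len(password) >= 7
            and re.search(r"[A-Za-z]", password) is not None
            and re.search(r"[0-9]", password) is not None)


def normalise(password: str) -> str:
    """Lower-case, drop trailing digits/symbols (the '1' or '!' people append),
    then undo leet substitutions, so variants collapse onto their base word."""
    lowered = password.lower()
    stripped = re.sub(r"[^a-z]+$", "", lowered)
    return stripped.translate(_LEET)


def is_acceptable(password: str) -> bool:
    """Checklist rule AND the normalised form must not be a deny-listed base word."""
    if not meets_complexity_rule(password):
        return False
    return normalise(password) not in DENY_LIST_BASE_WORDS


def audit(candidates):
    """Return {password: (passes_checklist, acceptable)} for a list of candidates."""
    return {p: (meets_complexity_rule(p), is_acceptable(p)) for p in candidates}


if __name__ == "__main__":
    # Constructed sample: the first three pass the checklist but are trivially weak.
    sample = ["Password1", "Passw0rd!", "Welcome123", "abc", "correct-horse-battery-staple-42"]
    for pw, (checklist_ok, acceptable) in audit(sample).items():
        print(f"{pw!r:40} checklist={checklist_ok!s:5} acceptable={acceptable}")
```

The gap between the two columns of that audit is the point of the slide: a checklist can be satisfied by exactly the passwords an attacker guesses first, so a control that stops at the checklist is compliance, not security.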
That's right – focus. The first two are focused on company matters and the last two are focused on project or group matters; the first two need to know where the forest is and the last two need to know where the trees are.
doesn't focus on the company. But you're not a CSO, you say. If a programmer writes perfect code without any bugs that runs instantaneously, then that's very good. If a manager keeps their projects on time and under budget, then that's very good. Same with an HR generalist: if they hire perfect employees and keep them happy, then that's very good too. Contrast that with security – the only way we can prevent breaches and data from being stolen is to put them on a single computer, power down the computer, encase it in concrete and drop it in the Marianas Trench. Problem is, no one else can use it either.
Even the most hands-on of security practitioners needs to understand their effect on the company. Something as innocuous as changing passwords to be 32 characters may improve security, but at the cost of employees not getting their job done and a massive increase in helpdesk tickets.
If we take 'legal' and substitute 'security' in the CLO definition (from Investopedia), we'll have a much better definition for a CSO in particular, and for security in general.
Security isn't about maximizing shareholder value, spending a minimal amount and getting maximal gain, improving operational efficiencies, or working with IT and technology to meet business needs; it's about ensuring that nothing, including security itself, gets in the way of those goals.