
Running with Scissors: Balance between business and InfoSec needs


Presentation slides from a presentation given by Michael Scheidell, CISO Security Privateers at South Florida Chapter ISSA meeting in 2012.


Talks about the balance between business needs and information security and privacy needs.

If you don't have good security and privacy, your business will get hacked and it will cost you. If you don't have good business sense, you spend too much on security and lock your clients and users out, and that will cost you too.
See a whitepaper based on the presentation here:
http://www.net-security.org/article.php?id=1868

Running with scissors. Up or down.


Running with Scissors: Balance between business and InfoSec needs

  1. Running with Scissors: Security Hurts No Matter What
  2. Michael Scheidell, CISO, Security Privateers • Certified CISO • Sold First Software Package in 1971 • Debugged UBASIC for FAU/FIU in 1973 • Member of FreeBSD Development Team • Finalist, EE Times Innovator of the Year • Holder, US Patent Number 7603711 • Founded Florida Datamation in 1982 – Largest QNX Distributor in the World – Clients: NSA, VISA, Nortel, SAIC, NOAA, DOD, IBM, 3Com, HP • Founded SECNAP Network Security in 2001 – Designed IT Risk and Compliance Audit Practice – Developed and Patented SECNAP’s ID/PS Appliance, core of MSSP Practice – Clients: SAP, Bank United, City National Bank • Founded Security Privateers in 2012
  3. Agenda • Running with Scissors • Massive Security Breaches • Failed Policies • Good Security Enhances Privacy • Change the way you think • Core Problems • Support Industry Initiatives • Take responsibility
  4. Running with Scissors: Security and Privacy Success? Where else except in Security and Weather can you be wrong so many times and still keep your job?
  5. Running with Scissors: Down • Budget cuts reduce security • Systems hacked • Customer data lost • Unauthorized bank transfers • Identity theft • Industrial espionage • Focused on the wrong objectives
  6. Massive Security Breaches • Sony: #1 again, 77 million PlayStation Network users • Sega: striving to be #2, 1.3 million online gaming subscribers • Epsilon: 60 million customers’ data breached • South Carolina Department of Revenue: 6.8 million taxpayers • RSA: everyone who used RSA key fobs
  7. Failed Policies • Most talked about security and privacy failures • Simple security mistakes, programming, carelessness • When has too much security caused failures? • You can’t have privacy without security • But you CAN have security without privacy
  8. South Carolina Department of Revenue, 6.8 million taxpayers • Looking for a CISO for over a year • Could not find a qualified candidate for a $100K job • Programmers didn’t follow best practices • Network Administrator violated policies • No one tested the application • Dog ate my homework
  9. Running with Scissors: Up • Spending too much on security • Money is wasted • No measurable effect • Ineffective • Focused on the wrong objectives
  10. Good Security Enhances Privacy • What major systemic failure can you think of in Security and Privacy? • Where has too much security eliminated privacy and done nothing for security? • Have you experienced too much security? • EU Data Privacy laws vs. US Data Protection
  11. Security Without Privacy: $8 Billion budget in 2012, $88 Billion since 2001
  12. Failed Policies? TSA: Mission, Vision, Core Values • Mission: The TSA protects the nation’s transportation systems to ensure freedom of movement for people and commerce • Vision: Continuously set the standard for excellence in transportation security through its people, processes, and technology
  13. Security Without Privacy: $80 Million, and now $245 Million
  14. Enhanced Security: What did the TSA Find? (repeated on slides 15 and 16)
  17. Show of hands: Who feels more secure?
  18. Less secure?
  19. Core Problems: How do you fix it? • More Hardware? • More People? • Better Processes? • Hire a CISO for $100K a year? • Change Mission Statement? • Training?
  20. What do we Really Need? • Block the Hackers • Full Speed Ahead! • Don’t Touch Anything • Let’s just wait and see
  21. What do we Really Need? CEO: Educate the Board. APT, SQL Injection, Cross Site Scripting, Split Tunnel, VPN, WPA2, SSL v2, TLS v1, SDN, SaaS, PaaS, IaaS
  22. What do we Really Need? CISO. CISO Responsibilities • Policies • Guidelines • Directives • Procedures • Standards
  23. What do we Really Need? CISO: What the CISO needs to know. Balance Sheet, CAPX, Derivatives, GAAP, IFRS, FASB, FIN, EBITDA
  24. What do we Really Need? CEO • Vision • Mission • Objectives • Goals • Strategies • Results
  25. Isolated and conflicting responsibilities: Executive Management Team, Financial Management Team, CEO, Network Engineers, Security Engineers, CISO. Seemingly conflicting: CEO vs CISO, Budget vs Privacy, Spend vs Invest, Expand vs Secure
  26. Decision Time: Who is Responsible? Who has Authority?
  27. Not My Job
  28. What do we really need? CEO is responsible for the final decision. CEO, CFO, CIO, CSO must agree
  29. What if we don’t agree? It is the CIO/CFO/CTO/CSO’s fault
  30. Ultimately responsible • Network Engineer: just trying to pay the mortgage and Visa bill • CISO: reports to CIO, 400K budget • CIO/CTO: reports to CEO, 3MM budget • CEO/President: reports to Board & Shareholders, 13MM budget
  31. What do we really need?
  32. Keep the Main Thing the Main Thing. A successful organization understands the risks not only of implementing security and privacy measures, but the risks of NOT implementing them. Running with Scissors: “It’s what we do.” Keep plenty of Band-Aids. Put running shoes on. Keep scissors sharp.
  33. Support Industry Initiatives: Users Groups, Trade Groups, Share Information • Cloud Security Alliance (CSA) • Information Systems Audit and Control Association (ISACA) • Information Systems Security Association (ISSA) • FBI’s InfraGard • Host users group meetings
  34. Involve Everyone (Scrum process). Preparation: • Business case & Budget • Contractual agreement • Vision • Initial product backlog • Initial release plan • Stakeholder buy-in • Assemble team. Scrum process: Sprint planning meeting, Daily cycle, Sprint review, Sprint retrospective, Update product backlog. Release: Product increment. Roles: CTO, CEO/President, Stakeholders, CIO and CSO, Users. CEO/CFO: “Let’s move everything to the cloud. We save on CapEx, it’s more secure and gives us redundancy. We don’t care if it’s Amazon, Oracle or HP.”
  35. Everyone is Happy: Company is secure, privacy maintained. CEO, CFO, CTO, CSO, CIO, Programmers, Users
  36. CEO Happy: Board of Directors happy, got his 2MM bonus • CFO Happy: Reduced operating expense, no CapEx, reduced overhead • CIO Happy: CEO gives him his bonus • Users Happy: More services, faster user interface, reduced costs • If it works: Name your bonus
  37. THANK YOU! Michael Scheidell, Managing Director, CISO, Security Privateers, www.securityprivateers.com, +1.561.948.1305 / michael@securityprivateers.com. Copyright 2013, Security Privateers. Portions Copyright Ron Leishman
