1. How do we secure
America?

2. IMPORTANT!
Before I get started…
• The World Health Organization states that over 800,000
people die every year due to suicide, and that suicide is the
second leading cause of death in 15-29-year-olds.
• 5 percent of adults (18 or older) experience a mental illness
in any one year
• In the United States, almost half of adults (46.4 percent) will
experience a mental illness during their lifetime.
• In the United States, only 41 percent of the people who had a
mental disorder in the past year received professional health
care or other services.
• https://www.mentalhealthhackers.org/resources-and-links/

3. ME: Evan Francen, CEO & Founder of FRSecure and SecurityStudio
I do a lot of security stuff…
• Co-inventor of SecurityStudio®, S²Score, S²Org, S²Vendor,
S²Team, and S²Me
• 25+ years of “practical” information security experience
(started as a Cisco Engineer in the early 90s)
• Worked as CISO and vCISO for hundreds of companies.
• Developed the FRSecure Mentor Program; six students in
2010/500+ in 2018
• Advised legal counsel in very public breaches (Target, Blue
Cross/Blue Shield, etc.)
How do we secure America?
AKA: The “Truth”

4. UNSECURITY: Information Security Is Failing. Breaches Are Epidemic.
How Can We Fix This Broken Industry?
Published January, 2019
How do we secure America?

5. Resources & Contact
Want to participate?
Want to partner?
Want these slides?
LET’S WORK TOGETHER!
• Email: efrancen@securitystudio.com
• @evanfrancen
• @StudioSecurity
#S2Roadshow
• Blog - https://evanfrancen.com
• Podcast (The UNSECURITY Podcast)
Thank you!

6. How do we secure
America?

7. How do we secure
America?
Show of hands.

8. How do we secure
America?
Show of hands.
An idea, but we need to start
somewhere and we need to start
now.
Before we get there…

9. How do we secure
America?
Show of hands.
An idea, but we need to start
somewhere and we need to start
now.
Before we get there…
What is “Secure”?
We sort of need to agree on
this first.

10. How do we secure
America?
Show of hands.
An idea, but we need to start
somewhere and we need to start
now.
Before we get there…
What is “Secure”?
We sort of need to agree on
this first.
How many of you are
security people (my
tribe)?

11. You know we have an
language problem in
our industry, right?
Our Industry
AI
Blockchain
Penetration Test
Vulnerability
Management
NIST CSF
RiskRisk
Management
Containers
Incident
Management
Cyber
Insurance
Threats
Maturity
Assessment
Malware
Security
Cryptography
Breach
APT
Cybersecurity
BCDR
Malware
Trojan
Spoofing UTM
Phishing
Vishing
DDoS Worm
Botnet ML
Vulnerability
Zero-Day
Layered
Exploit
Threat Actor
Attribution
Kali
OSCP
CISSP
NIST CSF

12. You know we have an
language problem in
our industry, right?
Normal
People See
Us Like
AI
Blockchain
Penetration Test
Vulnerability
Management
NIST CSF
RiskRisk
Management
Containers
Incident
Management
Cyber
Insurance
Threats
Maturity
Assessment
Malware
Security
Cryptography
Breach
APT
Cybersecurity
BCDR
Malware
Trojan
Spoofing UTM
Phishing
Vishing
DDoS Worm
Botnet ML
Vulnerability
Zero-Day
Layered
Exploit
Threat Actor
Attribution
Kali
OSCP
CISSP
NIST CSF

13. Why?
Because we
don’t agree on a
language
Their Language
FIX: Fundamentals and
simplification.
Translation/Communication
WARNING – It’s work and
it’s NOT sexy.

14. Why?
Because we
don’t agree on a
language
Their Language
FIX: Fundamentals and
simplification.
Translation/Communication
WARNING – It’s work and
it’s NOT sexy.
So, let’s listen…
Let’s demonstrate
our own language
problem 1st.

15. Information Security is

16. Managing RiskInformation Security is

17. Eliminating RiskInformation Security is
NOT

18. ComplianceInformation Security is
NOT

19. Managing RiskInformation Security is
in what?

20. Managing Risk
Administrative
Controls
Physical
Controls
Technical
Controls
Information Security is

21. Managing Risk
Administrative
Controls
Physical
Controls
Technical
Controls
Information Security is
Easier to go through your
secretary than your firewall
Firewall doesn’t help when
someone steals your server
YAY! IT stuff

22. Managing Risk
Administrative
Controls
Physical
Controls
Technical
Controls
Information Security is
What’s risk?

23. Managing Risk
Likelihood
Impact
Administrative
Controls
Physical
Controls
Technical
Controls
Information Security is
Of something
bad happening.
If it did.

24. Managing Risk
Likelihood
Impact
Administrative
Controls
Physical
Controls
Technical
Controls
Information Security is
How do you figure out
likelihood and impact?

25. Managing Risk
Likelihood
Impact
Vulnerabilities
Administrative
Controls
Physical
Controls
Technical
Controls
Information Security is
Start with vulnerabilities.

26. Managing Risk
Likelihood
Impact
Vulnerabilities
Administrative
Controls
Physical
Controls
Technical
Controls
Information Security is
Start with vulnerabilities.
• Vulnerabilities are weaknesses.
• A fully implemented and
functional control has no
weakness.
• Think CMMI, 1 – Initial to 5 –
Optimizing.

27. Managing Risk
Likelihood
Impact
Vulnerabilities
Administrative
Controls
Physical
Controls
Technical
Controls
Information Security is
OK, but there’s no risk
in a weakness by itself,
right?

28. Managing Risk
Likelihood
Impact
Vulnerabilities
Administrative
Controls
Physical
Controls
Technical
Controls
Information Security is
OK, but there’s no risk
in a weakness by itself,
right?
That’s right! We need threats too.

29. Managing Risk
Likelihood
Impact
Threats
Vulnerabilities
Administrative
Controls
Physical
Controls
Technical
Controls
Information Security is

30. Managing Risk
Likelihood
Impact
Threats
Vulnerabilities
Administrative
Controls
Physical
Controls
Technical
Controls
Information Security is
There is NO risk
• For vulnerabilities
without a threat.
• For threats without
a vulnerability.

31. Managing Risk
Likelihood
Impact
Threats
Vulnerabilities
Administrative
Controls
Physical
Controls
Technical
Controls
Information Security is
There is NO risk
• For vulnerabilities
without a threat.
• For threats without
a vulnerability.
So, what is information
security?

32. Managing Risk
Likelihood
Impact
Threats
Vulnerabilities
Administrative
Controls
Physical
Controls
Technical
Controls
Information Security is

33. Some truth about information security
It’s relative.
Something insecure at the core will always be insecure.
You can’t manage what you can’t measure.
You can’t manage risk without assessing it.
Complexity is the enemy.

34. Some truth about information security
It’s relative.
Something insecure at the core will always be insecure.
You can’t manage what you can’t measure.
You can’t manage risk without assessing it.
Complexity is the enemy.
You cannot build an effective
security program or strategy without
an assessment.

35. Some truth about information security
It’s relative.
Something insecure at the core will always be insecure.
You can’t manage what you can’t measure.
You can’t manage risk without assessing it.
Complexity is the enemy.
You cannot build an effective
security program or strategy without
an assessment.
Most organizations (public and
private) FAIL to do fundamental
information security risk
assessments.
WHY? Reason #1: Complexity

36. Managing Risk
Likelihood
Impact
Threats
Vulnerabilities
Administrative
Controls
Physical
Controls
Technical
Controls
Information Security is
Fine for our tribe, but
what about the others?

37. Managing Risk
Likelihood
Impact
Threats
Vulnerabilities
Administrative
Controls
Physical
Controls
Technical
Controls
Information Security is
What if we made a
simple score to
represent this?

38. Managing Risk
Likelihood
Impact
Threats
Vulnerabilities
Administrative
Controls
Physical
Controls
Technical
Controls
Information Security is
We call it the S2Score.
We did.

39. Managing Risk
Likelihood
Impact
Threats
Vulnerabilities
Administrative
Controls
Physical
Controls
Technical
Controls
The S2Score is a simple and effective language to
communicate information security to everyone (citizens,
city councils, county boards, other security people,
auditors, regulators, etc.).
Information Security is

40. Managing Risk
Likelihood
Impact
Threats
Vulnerabilities
Administrative
Controls
Physical
Controls
Technical
Controls
Information Security is
Most organizations (public and
private) FAIL to do fundamental
information security risk
assessments.
Reason #2: Cost

41. Managing Risk
Likelihood
Impact
Threats
Vulnerabilities
Administrative
Controls
Physical
Controls
Technical
Controls
Information Security is
Let’s make an information security risk assessment that’s
free.
The assessment that creates the S2Score is
available at no cost to anyone.

42. Managing Risk
Likelihood
Impact
Threats
Vulnerabilities
Administrative
Controls
Physical
Controls
Technical
Controls
Information Security is
Let’s make an information security risk assessment that’s
free.
The assessment that creates the S2Score is
available at no cost to anyone.
There’s no
catch.

43. Managing Risk
Likelihood
Impact
Threats
Vulnerabilities
Administrative
Controls
Physical
Controls
Technical
Controls
Information Security is
Let’s make an information security risk assessment that’s
free.
The assessment that creates the S2Score is
available at no cost to anyone.
There’s no
catch.
For those who like our snazzy
standards and acronyms, the S2Org
is derived from and mapped to:
• NIST CSF
• NIST SP 800-53
• NIST SP 800-171
• ISO 27002
• COBIT
• Others…

44. Managing Risk
Likelihood
Impact
Threats
Vulnerabilities
Administrative
Controls
Physical
Controls
Technical
Controls
S2Score is
Cool. Speaking the same language should be free.
Now that we agree on security (or “secure”) and
have removed the two most common and
significant barriers…
What’s next to Secure
America?
Simple. Adoption.
Let’s do a demonstration to
show what I mean.

45. I live in Waconia, Minnesota.
A town in Carver County.

46. Carver County is one of 87
counties in Minnesota.

47. Minnesota is one state
amongst 49 other beautiful
states.

48. Minnesota is one state
amongst 49 other beautiful
states.
Are you troubled having the U.S. Flag
anywhere near the word “Poor”?
I am.

49. How do we secure America?
By speaking a common language we can work on what really matters (our most
significant risks).
What we’re going to do:
• Keep preaching.
• Work politically.
• Keep improving (by listening). What you need to do:
• Get your free S2Org Assessment and do it!
• Help us preach.
• Help us work politically.
• Help us improve (by talking).

50. Your Tasks:
1. Do your S2Org Assessment:
https://app.securitystudio.com/organization/signup
2. Help us preach by telling everyone.
3. Help us politically by telling your leadership.
4. Help us improve by telling us:
• Contact within the tool or here:
https://securitystudio.com/contact/
• Twitter: @evanfrancen or @StudioSecurity
How do we secure America?
Thank you!