The title is "Cybersecure Schools, Parents, and Kids. The talk was delivered to ~250 people attending the summit. Tackling information security at school and at home requires us to agree to and apply the fundamentals. The S2Org is helping schools become more secure, and the S2Me is helping at home.

1. Cybersecure Schools, Parents,
and Kids
Evan Francen, CEO, SecurityStudio

2. Agenda - Format
Cybersecure Schools, Parents, and Kids

3. ME: Evan Francen, CEO & Founder of FRSecure and SecurityStudio
I do a lot of security stuff…
• Co-inventor of SecurityStudio®, S²Score, S²Org, S²Vendor,
S²Team, and S²Me
• 25+ years of “practical” information security experience
(started as a Cisco Engineer in the early 90s)
• Worked as CISO and vCISO for hundreds of companies.
• Developed the FRSecure Mentor Program; six students in
2010/500+ in 2018
• Advised legal counsel in very public breaches (Target, Blue
Cross/Blue Shield, etc.)
Cybersecure Schools, Parents, and Kids
AKA: The “Truth”
AKA: The “Preacher”

4. UNSECURITY: Information Security Is Failing. Breaches Are Epidemic.
How Can We Fix This Broken Industry?
Published January, 2019
Cybersecure Schools, Parents, and Kids

5. IMPORTANT!
Before I get started…
• The World Health Organization states that over 800,000
people die every year due to suicide, and that suicide is the
second leading cause of death in 15-29-year-olds.
• 5 percent of adults (18 or older) experience a mental illness
in any one year
• In the United States, almost half of adults (46.4 percent) will
experience a mental illness during their lifetime.
• In the United States, only 41 percent of the people who had a
mental disorder in the past year received professional health
care or other services.
• https://www.mentalhealthhackers.org/resources-and-links/

6. A simple CTF challenge in Robby’s Memory.
qr fbir ygdblcg yafr erodkganc hbd oneqrde oe yb ygr zrcannanc bh ygr kbefbe.
oe qr kgoncrj pwonre qoayanc hbd yafr yb kbfr onj cby bhh ygae powr zwlr jby hbd o
kbefak zwans bh on rmr,
qr kolcgy o cwafper bh ebfryganc jrrprd / fbdr fronanchlw ygon oneqrde; pldr zrolym:
glfonaym.
qgawr eyaww kopyaioyrj onj rnygdowwrj zm ygae jaekbirdm,
qr zoes an bld lybpao, ydmanc yb fosr ygance hoad onj rtlow,
eb ah qr qrdr yb jrpody onj cry zoks bn zbodj bld oadpwonr onj yafr hanowwm kofr yb cry
le,
qr qblwj goir frfbdare zwaeehlw rnblcg yb woey le lnyaw bld nrvy oddaiow onj cair ygrf
yb
ygr hlyldr, hbd ydlwm mbl snbq grd, zly ah nby, a oeeldr mbl, egr oweb goe o zrolyahlw
eblw.
-dbzzm onjdrq qowwrnzrdc zdocc mbld hwoc ae drfrfzrdancwbeygoksrde
One way to get a free book.
Solve this and email me; efrancen@securitystudio.com.

7. The #Truth
1. Information security isn’t about information or
security as much as it is about people.
2. You cannot separate information security,
privacy, and safety.
3. Everybody has something that somebody wants.
4. We are all in this together.
Security people and
“normal” people.

8. You know we have an
language problem in
our industry, right?
Our Industry
AI
Blockchain
Penetration Test
Vulnerability
Management
NIST CSF
RiskRisk
Management
Containers
Incident
Management
Cyber
Insurance
Threats
Maturity
Assessment
Malware
Security
Cryptography
Breach
APT
Cybersecurity
BCDR
Malware
Trojan
Spoofing UTM
Phishing
Vishing
DDoS Worm
Botnet ML
Vulnerability
Zero-Day
Layered
Exploit
Threat Actor
Attribution
Kali
OSCP
CISSP
NIST CSF
How many of you
are security people
(my tribe)?

9. You know we have an
language problem in
our industry, right?
Normal
People See
Us Like
AI
Blockchain
Penetration Test
Vulnerability
Management
NIST CSF
RiskRisk
Management
Containers
Incident
Management
Cyber
Insurance
Threats
Maturity
Assessment
Malware
Security
Cryptography
Breach
APT
Cybersecurity
BCDR
Malware
Trojan
Spoofing UTM
Phishing
Vishing
DDoS Worm
Botnet ML
Vulnerability
Zero-Day
Layered
Exploit
Threat Actor
Attribution
Kali
OSCP
CISSP
NIST CSF

10. Why?
Because we
don’t agree on a
language
Their Language
FIX: Fundamentals and
simplification.
Translation/Communication
Let’s test this…

11. Information Security is

12. Managing RiskInformation Security is

13. Eliminating RiskInformation Security is
NOT

14. ComplianceInformation Security is
NOT

15. Managing RiskInformation Security is
of what?

16. Managing RiskInformation Security is
unauthorized disclosure,
alteration, and/or
destruction of information.
of

17. Managing RiskInformation Security is
in what?
unauthorized disclosure,
alteration, and/or
destruction of information.
of

18. Managing Risk
Administrative
Controls
Physical
Controls
Technical
Controls
Information Security is
unauthorized disclosure,
alteration, and/or
destruction of information.
of
in

19. Managing Risk
Administrative
Controls
Physical
Controls
Technical
Controls
Information Security is
Easier to go through your
secretary than your firewall
Firewall doesn’t help when
someone steals your server
YAY! IT stuff
unauthorized disclosure,
alteration, and/or
destruction of information.
of
in

20. Managing Risk
Administrative
Controls
Physical
Controls
Technical
Controls
Information Security is
What’s risk?
unauthorized disclosure,
alteration, and/or
destruction of information.
of
in

21. Managing Risk
Likelihood
Impact
Administrative
Controls
Physical
Controls
Technical
Controls
Information Security is
Of something
bad happening.
If it did.
unauthorized disclosure,
alteration, and/or
destruction of information.
of
in

22. Managing Risk
Administrative
Controls
Physical
Controls
Technical
Controls
Information Security is
in
unauthorized disclosure,
alteration, and/or
destruction of information.
of
Likelihood
Impact
How do you figure out
likelihood and impact?

23. Managing Risk
Vulnerabilities
Administrative
Controls
Physical
Controls
Technical
Controls
Information Security is
Start with vulnerabilities.
Likelihood
Impact
in
unauthorized disclosure,
alteration, and/or
destruction of information.
of

24. Managing Risk
Vulnerabilities
Administrative
Controls
Physical
Controls
Technical
Controls
Information Security is
Start with vulnerabilities.
• Vulnerabilities are weaknesses.
• A fully implemented and
functional control has no
weakness.
• Think CMMI, 1 – Initial to 5 –
Optimizing.
in
unauthorized disclosure,
alteration, and/or
destruction of information.
of
Likelihood
Impact

25. Managing Risk
Vulnerabilities
Administrative
Controls
Physical
Controls
Technical
Controls
Information Security is
OK, but there’s no risk
in a weakness by itself,
right?
Likelihood
Impact
in
unauthorized disclosure,
alteration, and/or
destruction of information.
of

26. Managing Risk
Vulnerabilities
Administrative
Controls
Physical
Controls
Technical
Controls
Information Security is
OK, but there’s no risk
in a weakness by itself,
right?
That’s right! We need threats too.
in
unauthorized disclosure,
alteration, and/or
destruction of information.
of
Likelihood
Impact

27. Managing Risk
Threats
Vulnerabilities
Administrative
Controls
Physical
Controls
Technical
Controls
Information Security is
Likelihood
Impact
in
unauthorized disclosure,
alteration, and/or
destruction of information.
of

28. Managing Risk
Threats
Vulnerabilities
Administrative
Controls
Physical
Controls
Technical
Controls
Information Security is
Likelihood
Impact
in
unauthorized disclosure,
alteration, and/or
destruction of information.
of
There is NO risk
• For vulnerabilities
without a threat.
• For threats without
a vulnerability.

29. Managing Risk
Threats
Vulnerabilities
Administrative
Controls
Physical
Controls
Technical
Controls
Information Security is
Likelihood
Impact
in
unauthorized disclosure,
alteration, and/or
destruction of information.
of
There is NO risk
• For vulnerabilities
without a threat.
• For threats without
a vulnerability.
So, what is information
security?

30. Managing Risk
Threats
Vulnerabilities
Administrative
Controls
Physical
Controls
Technical
Controls
Information Security is
Likelihood
Impact
in
unauthorized disclosure,
alteration, and/or
destruction of information.
of

31. Some more #truth about information security
It’s relative.
Something insecure at the core will always be insecure.
You can’t manage what you can’t measure.
You can’t manage risk without assessing it.
Complexity is the enemy.
The better you know yourself, the better you can
protect yourself.

32. Some truth about information security
It’s relative.
Something insecure at the core will always be insecure.
You can’t manage what you can’t measure.
You can’t manage risk without assessing it.
Complexity is the enemy.
You cannot build any effective
security program or strategy in a
school or at home without an
assessment.

33. Some truth about information security
It’s relative.
Something insecure at the core will always be insecure.
You can’t manage what you can’t measure.
You can’t manage risk without assessing it.
Complexity is the enemy.
You cannot build any effective
security program or strategy in a
school or at home without an
assessment.
As many as 90% of schools fail
to do fundamental information
security risk assessments.
WHY? Reason #1: Complexity

34. Managing Risk
Threats
Vulnerabilities
Administrative
Controls
Physical
Controls
Technical
Controls
Information Security is
Likelihood
Impact
in
unauthorized disclosure,
alteration, and/or
destruction of information.
of
Fine for our tribe, but
what about the others?

35. Managing Risk
Threats
Vulnerabilities
Administrative
Controls
Physical
Controls
Technical
Controls
Information Security is
Likelihood
Impact
in
unauthorized disclosure,
alteration, and/or
destruction of information.
of
What if we made a
simple score to
represent this?

36. Managing Risk
Likelihood
Impact
Threats
Vulnerabilities
Administrative
Controls
Physical
Controls
Technical
Controls
Information Security is
We call it the S²Score.
We did.

37. Managing Risk
Likelihood
Impact
Threats
Vulnerabilities
Administrative
Controls
Physical
Controls
Technical
Controls
Information Security is
The S²Score is a simple and effective language to
communicate information security to everyone (parents,
students, school boards, other security people,
administration, regulators, etc.).

38. Managing Risk
Likelihood
Impact
Threats
Vulnerabilities
Administrative
Controls
Physical
Controls
Technical
Controls
Information Security is
As many as 90% of schools fail
to do fundamental information
security risk assessments.
Reason #2: Cost

39. Managing Risk
Likelihood
Impact
Threats
Vulnerabilities
Administrative
Controls
Physical
Controls
Technical
Controls
Information Security is
Let’s make an information security risk assessment that’s
FREE!
The assessment that creates the S²Score is
available at no cost. No budget, no problem.

40. Managing Risk
Likelihood
Impact
Threats
Vulnerabilities
Administrative
Controls
Physical
Controls
Technical
Controls
Information Security is
Let’s make an information security risk assessment that’s
FREE!
The assessment that creates the S²Score is
available at no cost. No budget, no problem.
There’s no
catch.

41. Managing Risk
Likelihood
Impact
Threats
Vulnerabilities
Administrative
Controls
Physical
Controls
Technical
Controls
Information Security is
Let’s make an information security risk assessment that’s
FREE!
The assessment that creates the S²Score is
available at no cost. No budget, no problem.
There’s no
catch.
For those who like our snazzy
standards and acronyms, the S2Org
is derived from and mapped to:
• NIST CSF
• NIST SP 800-53
• NIST SP 800-171
• ISO 27002
• COBIT
• Others…

42. Managing Risk
Likelihood
Impact
Threats
Vulnerabilities
Administrative
Controls
Physical
Controls
Technical
Controls
Information Security is
Let’s make an information security risk assessment that’s
FREE!
The assessment that creates the S2Score is
available at no cost to anyone.
There’s no
catch.
For those who like our snazzy
standards and acronyms, the S2Org
is derived from and mapped to:
• NIST CSF
• NIST SP 800-53
• NIST SP 800-171
• ISO 27002
• COBIT
• Others…

43. Managing Risk
Likelihood
Impact
Threats
Vulnerabilities
Administrative
Controls
Physical
Controls
Technical
Controls
Information Security is
Let’s make an information security risk assessment that’s
FREE!
The assessment that creates the S2Score is
available at no cost to anyone.
There’s no
catch.
For those who like our snazzy
standards and acronyms, the S2Org
is derived from and mapped to:
• NIST CSF
• NIST SP 800-53
• NIST SP 800-171
• ISO 27002
• COBIT
• Others…
That’s for schools…
S2Org is free. https://securitystudio.com. ECMECC is a
trusted partner helping schools.

44. What about parents and kids?
(security is security, which is good)
People are creatures of habit.
We can’t address issues that we don’t know about.
The same people at home are the same people at work
and school.
This also requires an assessment.
The better you know yourself, the better you can
protect yourself.

45. What about parents and kids?
(security is security, which is good)
Motivation will come from understanding.
In information security, ignorance isn’t bliss!
If data security doesn’t motivate…
Surely safety will!
The default is risk ignorance.
DANGER! It’s breach.
Maybe privacy will. If privacy doesn’t motivate…

46. S2Me is also free. Always will be. https://s2me.io.
What about parents and kids?
Here’s what we’ll do…

47. S2Me is also free. Always will be. https://s2me.io.
What about parents and kids?
Here’s what we’ll do…
Eventually (maybe soon),
we create an S2Teen too.

48. What to do NOW!
By speaking a common language we can work on what really matters (our most
significant risks).
What we’re going to do:
• Keep preaching.
• Work politically.
• Keep improving (by listening). What you need to do:
• Get your S2Org Assessment and do it!
• Help us preach.
• Get your free S2Me Assessment.
• Get your family, friends, and parents to do
one too.
• Help us improve (by talking).
What’s the
point?

49. What to do NOW!
By speaking a common language we can work on what really matters (our most
significant risks).
What we’re going to do:
• Keep preaching.
• Work politically.
• Keep improving (by listening). What you need to do:
• Get your S2Org Assessment and do it!
• Help us preach.
• Get your free S2Me Assessment.
• Get your family, friends, and parents to do
one too.
• Help us improve (by talking).
What’s the
point?
People are the point!
Information security is not about information or security
as much as it is about people.
People within our industry and people who work with us
are confused and we’re wasting valuable resources.

50. What to do NOW!
By speaking a common language we can work on what really matters (our most
significant risks).
What we’re going to do:
• Keep preaching.
• Work politically.
• Keep improving (by listening). What you need to do:
• Get your S2Org Assessment and do it!
• Help us preach.
• Get your free S2Me Assessment.
• Get your family, friends, and parents to do
one too.
• Help us improve (by talking).
What’s the
point?
People are the point!
Information security is not about information or security
as much as it is about people.
People within our industry and people who work with us
are confused and we’re wasting valuable resources.
ECMECC is a trusted partner!
Ask them for help or more information.
Follow me/us on Twitter:
@evanfrancen
@StudioSecurity
Thank you!