3. Why do you need it?
• To get the resources you need
• To ensure your initiatives “stick”
• To ensure enterprise-wide cooperation
• To get things done quickly
• To remain relevant
4. It’s a crowded space…
Many are competing for attention…
• Innovation
• Marketing & Digital
• Line of business
• Projects
• HR & Change
• Audit & Risk
5. Why don’t they pay attention?
• Trigger
• Peak of expectations
• Trough of disillusionment
• Ravine of demise
• Valley of oblivion
• Plateau of productivity
6. The things we do…
• Focus on the subject above context
• Respond to security trends instead of fundamentals
• Lose perspective
• Become an obstacle
• Fulfil the wrong role
• Take too many shortcuts
7. We have too many resources at our disposal…
• COBIT
• ITIL
• ISO 2700x
• SANS Top 20
• OWASP
• CIS/NIST
8. The trouble is…
• Too broad, resource intensive
• Idealistic
• Drive a compliance mindset
• Make us lazy
• Put together by a committee who are passionate about their subject
“You cannot answer a question about a problem outside of its context”
9. An alternate approach
“…get to a shared understanding of a problem before attempting to solve it”
• Corporate strategy (the future)
• Business priorities (the present)
• Address risks & opportunities
• Measure & reassure
10. Corporate strategy
• Gain insight on the future of the business
• Identify those who know
• Keep an ear to the ground
• Review annual reports
• Test your assumptions
• Structure your security programme to support realisation of objectives
11. Get “on board”
“The board and each individual director should have a working understanding of the effect of the applicable laws, rules, codes and standards on the company and its business”
Use training and awareness as an excuse to get air time…
15. Keep it simple
• Do a little well, rather than a lot badly
• Access control
• Leak management
• Patch & vulnerability state
• Malware control
16. Measure and provide assurance
• Report against drivers
- Risk
- Compliance
- Strategic context
- Operational status
• Avoid statistics
• Show trends & improvements
Those annoying glitches in our thinking that cause us to make questionable decisions and reach erroneous conclusions. Some help us process information more efficiently, especially in dangerous situations, but they may also lead us to make grave mistakes.
Confirmation bias - We love to agree with people who agree with us while at the same time ignoring or dismissing opinions — no matter how valid — that threaten our world view
Neglecting probability - leads us to overstate the risks of relatively harmless activities, while forcing us to overrate more dangerous ones
Observational selection - the effect of suddenly noticing things we didn't notice that much before — but we wrongly assume that the frequency has increased.
Status-quo bias - which often leads us to make choices that guarantee that things remain the same, or change as little as possible
Bandwagon effect - though we're often unconscious of it, we love to go with the flow…
Projection bias - we tend to believe that people not only think like us, but that they also agree with us. It's a bias where we overestimate how typical and normal we are, and assume that a consensus exists on matters when there may be none.
Current moment bias - most of us would rather experience pleasure in the current moment, while leaving the pain for later…