
Eugene Pilyankevich - Getting Secure Against Challenges Or Getting Security Challenges Done


Video: https://www.youtube.com/edit?o=U&video_id=k4jKZ8dUL6M



  1. Eugene Pilyankevich, Chief Technical Officer, Cossack Labs. GETTING SECURE AGAINST CHALLENGES OR GETTING SECURITY CHALLENGES DONE
  2. # whoami (1997) -> #sprintnet, #x25zine, ru.nethack ;) (2002) -> security & network engineer. (2008) -> CTO in finance. (2012) -> C*O in software dev company. (2015) -> founder, CTO @ cossacklabs.com
  3. Why do security projects fail?
  4. Problem 1
  5. SOME STORIES TO START WITH: Finnish SNAFU
  6. SOME STORIES TO START WITH: How to be smart and fail miserably.
  7. CONCLUSIONS?
  8. CONCLUSIONS? Clients are dumb!
  9. CONCLUSIONS? So are engineers!
  10. Nope.
  11. ROOT CAUSE?
  12. VALUES. ROOT CAUSE?
  13. VALUES. LANGUAGE. ROOT CAUSE?
  14. VALUES. LANGUAGE. REALITY MAPS. ROOT CAUSE?
  15. ROOT CAUSE –
  16. ROOT CAUSE –
  17. ROOT CAUSE – (diagram not captured in transcript)
  18. ROOT CAUSE – (diagram not captured in transcript)
  19. ROOT CAUSE – (diagram not captured in transcript)
  20. Problem 1: People frequently suck at making risk decisions under pressure and uncertainty.
  21. Problem 2?
  22. TWO MORE STORIES: Banking fraud prevention.
  23. TWO MORE STORIES: Managing risk for real.
  24. Business risk is the possibility that a company will have lower than anticipated profits or experience a loss rather than taking a profit.
  25. Problem 2: If you’re in an ivory tower, no one will bother listening.
  26. Let’s take a closer look: client.
  27. TAKE HARD CONTRACTS AND SURVIVE. - Excellence is domain-specific.
  28. TAKE HARD CONTRACTS AND SURVIVE. - Excellence is domain-specific. - Knowledge is not distributed evenly.
  29. TAKE HARD CONTRACTS AND SURVIVE. - Excellence is domain-specific. - Knowledge is not distributed evenly. - FUD doesn’t work.
  30. TAKE HARD CONTRACTS AND SURVIVE. - Excellence is domain-specific. - Knowledge is not distributed evenly. - FUD doesn’t work. - Speaking in business risk helps.
  31. TRY WALKING IN THE CLIENT’S SHOES: Auditing crypto libraries for fun and profit.
  32. Domain-specific thinking: High-level complex skills do not distribute across all behavior, and get reinforced locally.
  33. FUD counteracts good decisions: Scaring a customer who’s facing the unknown leads to a significant decrease in the quality of decision-making.
  34. Double-layered risk aversion: Instead of mitigating technological risks (proper risk aversion), people avoid making decisions about technological risks they don’t understand.
  35. Compliance and forget: Avoiding the substance of compliance to mitigate risks?
  36. Quid faciam? (What should I do?)
  37. Let’s take a closer look: supplier.
  38. supplier | client
  39. Who has to cross the gap?
  40. You are to cross the gap.
  41. Misalignment and misunderstanding are the default state anyway. You are to cross the gap.
  42. Own the problems
  43. Ownership: example
  44. Communicate risk properly
  45. Communicate risk properly: Technical risk, financial impact.
  46. Communicate risk properly: Technical risk, compliance impact.
  47. Communicate risk properly: Process risks with business impact.
  48. Communicate risk properly: Process risks with market impact.
  49. Lead up the chain
  50. Lead down the chain. Lead up the chain
  51. Leadership: Example
  52. It’s actually fun!
  53. Examples: talk to your manager
  54. Examples: talk to your customer
  55. Examples: The manager is a passthru with process lubrication capabilities, if you take care of the hard details.
  56. Examples: The manager is a pain in the ass, if you don’t take care of the technical details.
  57. Examples are sad
  58. Praxis.
  59. Talk human. - Docs & business materials.
  60. Talk human. - Docs & business materials. - Talk to customers soon.
  61. Take over processes. - Self-learning processes. - Reinforce ownership.
  62. Love compliance. - PCI DSS, HIPAA, old school. - GDPR.
  63. Avoiding domain specificity. - Multi-skilled team. - Boring smoothie tech is relevant.
  64. Talk real risk.
  65. Ain’t no fun unless you find it.
  66. web: cossacklabs.com mail: eugene@cossacklabs.com Thank you.
