
Rapid7 on Ensuring Compliance (LDSC Cyber Themed Evening)


Cyber Themes 2018:

Use "#EnsuringCompliance" on Twitter to join in the conversation

Rapid7’s mission is to lead the emerging SecOps movement with our multi-product analytics and automation cloud and expertise.

We are a not-for-profit organisation, founded as a joint venture by the Mayor of London, the Metropolitan Police Service (MPS) and the City of London Police (CoLP). We work in partnership with private industry and academia to help businesses, primarily SMEs (up to 249 employees), to embrace digital innovations and operate in a secure online environment, protecting themselves against cyber criminals.

What is our purpose?
- To provide simple, measurable and effective digital security solutions to businesses.
- To enable businesses to operate in a secure digital environment.
- To target victims of cyber crime and provide support to prevent repeat victimisation.
- To evidence a positive shift in the digital security of businesses.

Rapid7 on Ensuring Compliance (LDSC Cyber Themed Evening)

  1. Compliance ≠ Security. Samantha Humphries, Senior Manager, Global Markets & Compliance, Rapid7
  2. Introduction: Sam. Senior Manager for Global Markets & Compliance; joined Rapid7 in July 2016; ~20 years in IT Security (previously at McAfee); has sold, supported, fixed, apologised for, fed, built and marketed multiple security technologies. @safesecs
  3. Compliance?
  4. Security?
  5. Security & Compliance?
  6. Well hello, PCI
  7. OECD Guidelines on the Protection of Privacy and Trans-border Flows of Personal Data
  8. Principle #4 (OECD GOTPOPATFOPD): Security Safeguards Principle. "Personal data should be protected by reasonable security safeguards against such risks as loss or unauthorised access, destruction, use, modification or disclosure of data."
  9. Happy Xmas 1982
  10. OK, so GDPR
  11. 6 Principles of Personal Data Processing (GDPR Art. 5):
     - Processed lawfully, fairly and in a transparent manner
     - Collected for specified, explicit and legitimate purposes
     - Adequate, relevant and limited to what is necessary
     - Accurate and, where necessary, kept up to date
     - Retained only for as long as is necessary
     - Processed in an appropriate manner so as to maintain security
  12. But I need a checklist!
  13. Not a checklist as such, but…
     - Article 25: Data protection by design and by default
     - Article 32: Requirement for controllers and processors to implement a level of security appropriate to the risk
     - Article 33: Notification of a personal data breach to the supervisory authority
     - Article 34: Communication of a personal data breach to the data subject
  14. Dear ICO…
  15. Industry Challenges:
     - Cloud, web apps, DevOps
     - Endpoints, assets and data
     - Compliance/regulations
     - Alert/portal fatigue
     - Attacker sophistication and reach
     - Resources, talent and productivity
     - Remediation and visibility
     - Collaboration and communication
  16. Industry Challenges:
     - 75% of legitimate websites contain unpatched vulnerabilities. (Symantec)
     - Attackers are in your network an average of 101 days before discovery. (M-Trends 2018)
     - Cybersecurity spend to hit $90B in 2018. (Bloomberg)
     - Cyber crime cost expected to reach over $2 trillion by 2019. (Juniper Research)
     - 80% of businesses think they'll experience a cyber attack this year. (ISACA)
  17. No two networks are the same
  18. Personal data has no obvious home
  19. Risk is everywhere
  20. "By 2020, 60% of enterprise information security budgets will be allocated for rapid detection and response approaches." (Gartner, "Shift Cybersecurity Investment to Detection", 7 January 2016)
     [Diagram comparing the old and new models: prevention-based security versus risk-based security, each built from prevention, detection and correction, with data & analytics underpinning the new model.]
  21. Three Takeaways
  22. Beware of snake oil (and checklists)
  23. Please read this…
  24. We're here to help