The document is a presentation by Rafaebhatti on improving security and privacy practices within organizations, focusing on practical approaches to overcoming challenges in operationalizing security. It discusses the importance of strategic decision-making, ally identification, and resource management while highlighting the gap between theoretical advice and real-world implementation. Key recommendations include making selective trade-offs, understanding risk profiles, and balancing solutions through a combination of buying and building resources.

1. Rafae Bhatti
Head of Security and Privacy, HealthTap
LinkedIn: rafaebhatti
Twitter: @privacyphd
Overcoming obstacles in operationalizing security:
A tale from the trenches

2. Outline
Introduction <5 mins
● About Me
● Why This Talk
Problem Statement 5 mins
● “Textbook” approach
● Why it doesn’t work
Overcoming Obstacles 15 mins
● Pick Your Battles Wisely
● Identify Your Allies/Gaps Early
● Tension between Advice and Practice
● Buy what you must, Build what you can
Q&A 5 mins

3. About Me
Why This Talk
Introduction

4. Outline
Introduction 5 mins
● About Me
● Why This Talk
Problem Statement 5 mins
● “Textbook” approach
● Why it doesn’t work
Overcoming Obstacles 15 mins
● Pick Your Battles Wisely
● Identify Your Allies/Gaps Early
● Tension between Advice and Practice
● Buy what you must, Build what you can
Q&A 5 mins

5. Problem Statement
Variables
1. Risk surface (Threat Model)
2. Resources (Budget, Teams, Tools)
3. Capabilities (Skills, Frameworks)
Rate of Change
Assumptions in Rate of Change
1. Linear
2. Non-linear

6. Assumption: Linear

7. How Linear Assumption Works
1. The resource availability adjusts in response to higher risk
a. Present the risk report to management
b. Walk away with $$
c. You hire employees
1. The capabilities improve in response to additional resources
a. Adequate skills on the team
b. Solutions aligned to framework (DevOps, etc.)

8. Reality: Non-Linear

9. Why Linear Assumption Fails?
1. The risk profile may not result in adequate resource availability
a. Inherit a negative slope
b. First zero out and then enter a positive slope
1. The available resources may not provide the needed capabilities
a. Funding alone does not ensure capabilities
b. Mix of talent and tools in response to capability gaps

10. Is this Scary?
1. We hear about
a. the coolest offensive techniques to be aware of
b. the frameworks for creating defensive capabilities
c. best practices to create security awareness
BUT
1. We don’t hear enough about
a. Challenges people faced when putting this together
b. Getting a sense of how far behind can be very scary
c. Knowing where you are on the relative curve is important

11. Get Your Engines Started!
Nice to have Ferrari of security (large enterprises)
Or build your own Tesla (Facebook, Google, Netflix)
But when faced with resource constraints:
Start with a Prius
Downside: Big gap in terms of effort required to lay proper
foundation
Upside: You don't get a greenfield every day, and that is
where rubber meets the road !

12. Introduction 5 mins
● About Me
● Why This Talk
Problem Statement 5 mins
● “Textbook” approach
● Why it doesn’t work
Overcoming Obstacles 15 mins
● Pick Your Battles Wisely
● Identify Your Allies/Gaps Early
● Tension between Advice and Practice
● Buy what you must, Build what you can
Q&A 5 mins
Outline

13. Pick Your Battles Wisely
1. You win some, you lose some
a. Real world demands compromise.
b. Competing priorities would require that you make
trade-offs
1. Hype alone may get you money but not the results
a. Separate sales pitch from actual security need, understand your
risk surface
i. Equifax, Uber, ...
ii. GDPR
b. Is that problem an immediate priority for you?
c. Is there a simpler solution you can adopt?
d. Are you ignoring the low-hanging fruit?

14. Pick Your Battles Wisely:
Examples of Tradeoffs
1. Attack Simulation / Red Teaming / Bug Bounty
a. When and when not?
1. DoS Protection / WAF
a. Why and why not?
1. Endpoint Protection
a. What is your fit?
1. Awareness Training
a. What is your approach?

15. Identify Your Allies/Gaps Early
1. You cannot go the whole nine yards alone
a. Identify any dependencies on teams
i. When the department doesn’t exist, what you do?
1. Do more, expect less (To be done for you)
a. Hands on yes- enabler yes
i. Doesn't always mean getting your way
a. “Buy-in”- what does it mean?
i. No one size fits all- adapt to your environment
ii. Impress them with your judgement- money will
follow

16. Identify Your Allies/Gaps Early:
Examples of Tradeoffs
1. HR processes
a. No HR? Create simplified workflows
1. IT processes
a. No IT? Don’t wait for Workday
1. Security/privacy by design
a. No PM? Keep pushing the product team.
1. Procurement processes
a. No GA? Learn to negotiate.

17. Tension btw Advice and Practice
1. When training is not enough
a. Advice: Education is cheapest to do- the further you go into the
dev lifecycle, the more expensive it is to fix defects
b. Practice: ?
1. When specifications lag development
a. Advice: Write detailed specifications, get them reviewed and
approved, before code is written
b. Practice: ?
i. Specs are guideposts, not gospel- deviation may be expected
1. When you can’t ignore or apply a patch
a. Advice: Don’t ignore a high severity CVE
b. Practice: ?

18. Tension btw Advice and Practice:
Examples of Tradeoffs
1. Balance training with SDLC tools
a. Set up a feedback loop
1. Nudge your teams
a. Use the power of nudge
1. Push vs Pull
a. Provide unsolicited advice
1. Add compensating controls
a. When cannot fix, monitor

19. Buy what you Must, Build what you Can
1. Combination of Tools- Talent- Training
a. Few good vendors together with few good people- strike a
balance.
1. DIY vs. BUY buckets
a. Dictated by not just budget and resources but practical reasons
i. Does it involve strategic planning?
ii. Open source vs. commercial tools?
1. Hire right
a. Define the need gap- where can tools help?

20. Buy what you Must, Build what you Can:
Examples of Tradeoffs
1. Intrusion Detection System (IDS)
a. How to set up a cost-efficient SOC?
1. Mobile Device Management (MDM)
a. How to avoid getting (and paying) more than you
need?
1. Identity Management (IdM)
a. Resist AD?
b. Costly deployment?

21. Introduction 5 mins
● About Me
● Why This Talk
Problem Statement 5 mins
● “Textbook” approach
● Why it doesn’t work
Overcoming Obstacles 15 mins
● Pick Your Battles Wisely
● Identify Your Allies/Gaps Early
● Tension between Advice and Practice
● Buy what you must, Build what you can
Q&A 5 mins
Outline

22. Thankyou!