Cornerstones of Trust - Hacking the CEO: Ninja Mind Tricks and other Ruses to Get Security Dollars
June 16, 2015 – The World Ahead
John B. Dickson, CISSP
john@denimgroup.com | @johnbdickson
844.572.4400
Denim Group
Disclaimer
The views and opinions expressed during this conference are those of the speakers and do not necessarily reflect the views and opinions held by the Information Systems Security Association (ISSA), the Silicon Valley ISSA, the San Francisco ISSA or the San Francisco Bay Area InfraGard Members Alliance (IMA). Neither ISSA, InfraGard, nor any of its chapters warrants the accuracy, timeliness or completeness of the information presented. Nothing in this conference should be construed as professional or legal advice or as creating a professional-customer or attorney-client relationship. If professional, legal, or other expert assistance is required, the services of a competent professional should be sought.
Agenda
- Background
- The Very Real Problem with Security
- How CEOs Think
- Ninja Mind Tricks & Ruses
- Questions and Answers
I Wear Two Hats – #1 The Security Guy Hat
- Armored “hat” (i.e., helmet) of a security guy
- Ex-Air Force guy
- 20+ years in the field
- World view heavily influenced by security mindset
I Wear Two Hats – #2 The Business Guy Hat
- Serial Entrepreneur & MBA
- Interact with other business leaders and execs
- Understand how much fun the “onus of responsibility” can be
- Fully aware of across-the-board risk issues
Background: Getting Your Security Budget Approved Without FUD
- Exploit Pet Projects
- Account for Culture
- Tailor to Your Specific Vertical
- Consciously Cultivate Credibility and Relationships
- Capitalize on Timely Events
- Capture Successes & Over-Communicate
Source: RSA 2014, “Getting Your Security Budget Approved Without FUD”
Two Concepts that We’ll Talk More about…
- Exploit Pet Projects
- Account for Culture
- Tailor to Your Specific Vertical
- Consciously Cultivate Credibility and Relationships
- Capitalize on Timely Events
- Capture Successes & Over-Communicate
Security Budgets: The Starting Point
- Some have lost the game before getting on the field
- Competing against:
  - Line of business pet projects – expansion of production
  - Executive-level visibility or utility – e.g., a new corporate jet
  - Things that produce more tangible ROI
- Information security as the “silent service” – Rich Baich, Wells Fargo CISO
  - Source: “Winning as a CISO,” Rich Baich
Source: RSA 2014 podcast, “The Savvy Security Leader: Using Guerrilla Tactics to ID Security Program Resources”
[Org chart: CEO, CFO, CIO, VP Development, Development, CISO]
Security Leaders Are at a Structural Disadvantage
- They have a staff advisory role and not a “line” operator role
- They have different world views that drive their perspective
- They talk differently
- They have less power
CEOs, Though Worried, Are FUD Resistant
- Is it like selling insurance?
- The security industry is struggling for parallel models and metaphors
- FUD distorts the process
CEO Concerns
- Talent Management
- Operating in a Global Marketplace
- Regulation and Legislation
- Keeping Energy Costs Under Control
- Implementation of Healthcare Reform
- Regulatory Uncertainty
- Consumer Spending
- Currency Risk
Sources: WSJ and HBR reports
CEO Concerns (Continued)
- Airplanes Falling out of the Sky
- Terrorism
- Oil Workers Getting Kidnapped in Nigeria
- North Korea (kind of…)
- Netflix, if you were Blockbuster
- You Get the Picture
CEO’s Stakeholders (Field of Play)
Inside
- Management Team
- Employees
- Unions
Outside
- Board of Directors
- Shareholders
- Public Opinion
- Auditors
- Regulators
- Unions
- Vendor Partners
Ninja Mind Trick #1 – Exploit CEO Pet Projects
- Key Strategy Concepts
  - Identify key corporate projects and bake in security
  - CEO-level sponsorship
  - Less scrutiny than “out year” operational budgets
  - Numbers are big
- Potential Success Patterns
  - Mergers or acquisitions
  - Entry into new markets
  - New products
Ninja Mind Trick #2 – Consciously Cultivate Credibility and Relationships
- Key Strategy Concepts
  - Meet with your CEO when you don’t need to…
  - Regular meetings without “asks”
  - Clarification for the Audit Committee or Board of Directors
  - Build up a surplus of credibility, then ask for $$$’s
- Potential Success Patterns
  - Providing clarity on risk issues CEOs rarely understand
  - Providing a voice of sanity on compliance matters
  - Pushing back on overzealous 3rd parties
Ninja Mind Trick #3 – Shine at the Board of Directors Meeting
- Key Strategy Concepts
  - The Board of Directors is the CEO’s domain
  - Boards of Directors are now most interested in cyber security issues
  - Security is an issue CEOs are largely ill-equipped to address
  - Score cool points for your CEO with her board
  - Address the Board on a regular, recurring basis
- Potential Success Patterns
  - Defusing a tough security question from thorny board members
  - Providing security context for potential new business ventures
Ninja Mind Trick #4 – Enable New Markets or Products
- Key Strategy Concepts
  - I abhor terms like “alignment” or “enabling the business” however…
  - Providing enough confidence to conduct commerce or enter new markets allows the CEO to expand the top line
  - Security context allows CEOs to take calculated risks in new markets or products
  - Those calculated risks can be communicated to internal and external stakeholders, raising the level of confidence
  - Consistently helps
Ninja Mind Trick #4 – Enable New Markets or Products (Continued)
- Potential Success Patterns
  - Will privacy controls allow me to sell directly to end customers and cut out the middle man, increasing our profit per transaction?
  - Will fraud detection tools allow me to better understand patterns of buying behavior so we can optimize their experience and cross-sell them more products?
  - Will security baked in to our mobile applications allow our clients to conduct more transactions and increase loyalty to our brand?
  - Will encryption and security controls allow me to sell into China and not worry about my intellectual property issues?
Ninja Mind Trick #4 – Enable New Markets or Products – Security Guy Perspective
Ninja Mind Trick #4 – Enable New Markets or Products – CEO Perspective
(These two slides repeat the same four Potential Success Patterns listed above, read first from the security guy’s perspective and then from the CEO’s.)
Ninja Mind Trick #5 – Positively Influence Share Price
- Key Strategy Concepts
  - If publicly traded…
- Potential Success Patterns
  - Confidence around a stream of new projects, products, and markets that create new and large revenue streams
  - Keeping your company out of the news
  - When public incidents do occur, reacting with confidence to stabilize the stock price
Ninja Mind Trick #6 – Prevent the CEO from Getting Fired
- Truism – A truism is a claim that is so obvious or self-evident as to be hardly worth mentioning, except as a reminder or as a rhetorical or literary device, and is the opposite of falsism.
Source: Wikipedia
Resources
- “Getting Your Security Budget Approved Without FUD,” RSA Conference 2014, http://www.rsaconference.com/writable/presentations/file_upload/ciso-w04a-getting-your-security-budget-approved-without-fud.pdf
- “The Savvy Security Leader: Using Guerrilla Tactics to ID Security Program Resources,” RSA Conference podcast, http://www.rsaconference.com/media/the-savvy-security-leader-using-guerrilla-tactics-to-id-security-program-resources
- “The 3 Things CEOs Worry About the Most,” Harvard Business Review, https://hbr.org/2015/03/the-3-things-ceos-worry-about-the-most
- “5 Things CEOs Are Worried About in 2014,” Wall Street Journal, http://blogs.wsj.com/briefly/2014/01/03/5-things-ceos-are-worried-about-in-2014/
- Baich, Rich, “Winning as a CISO”
- Wikipedia (definition of “truism”)
Thank you
John B. Dickson, CISSP | Principal
john@denimgroup.com | @johnbdickson
844-572-4400
Denim Group

More Related Content

Viewers also liked

The ABCs of Source-Assisted Web Application Penetration Testing With OWASP ZA...
The ABCs of Source-Assisted Web Application Penetration Testing With OWASP ZA...The ABCs of Source-Assisted Web Application Penetration Testing With OWASP ZA...
The ABCs of Source-Assisted Web Application Penetration Testing With OWASP ZA...
Denim Group
 

Viewers also liked (11)

ThreadFix and SD Elements Unifying Security Requirements and Vulnerability Ma...
ThreadFix and SD Elements Unifying Security Requirements and Vulnerability Ma...ThreadFix and SD Elements Unifying Security Requirements and Vulnerability Ma...
ThreadFix and SD Elements Unifying Security Requirements and Vulnerability Ma...
 
Running a Software Security Program with Open Source Tools
Running a Software Security Program with Open Source ToolsRunning a Software Security Program with Open Source Tools
Running a Software Security Program with Open Source Tools
 
The ABCs of Source-Assisted Web Application Penetration Testing With OWASP ZA...
The ABCs of Source-Assisted Web Application Penetration Testing With OWASP ZA...The ABCs of Source-Assisted Web Application Penetration Testing With OWASP ZA...
The ABCs of Source-Assisted Web Application Penetration Testing With OWASP ZA...
 
XSS Remediation
XSS RemediationXSS Remediation
XSS Remediation
 
Running a Comprehensive Application Security Program with Checkmarx and Threa...
Running a Comprehensive Application Security Program with Checkmarx and Threa...Running a Comprehensive Application Security Program with Checkmarx and Threa...
Running a Comprehensive Application Security Program with Checkmarx and Threa...
 
SecDevOps: Development Tools for Security Pros
SecDevOps: Development Tools for Security ProsSecDevOps: Development Tools for Security Pros
SecDevOps: Development Tools for Security Pros
 
Cyber Purple Teaming: Uniting Blue and Red Teams - B Sides San Antonio - Albe...
Cyber Purple Teaming: Uniting Blue and Red Teams - B Sides San Antonio - Albe...Cyber Purple Teaming: Uniting Blue and Red Teams - B Sides San Antonio - Albe...
Cyber Purple Teaming: Uniting Blue and Red Teams - B Sides San Antonio - Albe...
 
Developing Secure Mobile Applications
Developing Secure Mobile ApplicationsDeveloping Secure Mobile Applications
Developing Secure Mobile Applications
 
Static Analysis Techniques For Testing Application Security - Houston Tech Fest
Static Analysis Techniques For Testing Application Security - Houston Tech FestStatic Analysis Techniques For Testing Application Security - Houston Tech Fest
Static Analysis Techniques For Testing Application Security - Houston Tech Fest
 
Monitoring Attack Surface to Secure DevOps Pipelines
Monitoring Attack Surface to Secure DevOps PipelinesMonitoring Attack Surface to Secure DevOps Pipelines
Monitoring Attack Surface to Secure DevOps Pipelines
 
Designing Secure Mobile Apps
Designing Secure Mobile AppsDesigning Secure Mobile Apps
Designing Secure Mobile Apps
 

Similar to Cornerstones of Trust - Hacking the CEO: Ninja Mind Tricks and other Ruses to Get Security Dollars

Independent-Fall-2015-Edition
Independent-Fall-2015-EditionIndependent-Fall-2015-Edition
Independent-Fall-2015-Edition
Todd C. Schultze
 
Building World Class Cybersecurity Teams
Building World Class Cybersecurity TeamsBuilding World Class Cybersecurity Teams
Building World Class Cybersecurity Teams
Joyce Brocaglia
 
Michel de Wachter: Scaling up - The sky is the limit - TSD17
Michel de Wachter: Scaling up - The sky is the limit - TSD17Michel de Wachter: Scaling up - The sky is the limit - TSD17
Michel de Wachter: Scaling up - The sky is the limit - TSD17
StartUps.be
 

Similar to Cornerstones of Trust - Hacking the CEO: Ninja Mind Tricks and other Ruses to Get Security Dollars (20)

Issala exec-forum-opening-150604
Issala exec-forum-opening-150604Issala exec-forum-opening-150604
Issala exec-forum-opening-150604
 
Social Engineering Audit & Security Awareness
Social Engineering Audit & Security AwarenessSocial Engineering Audit & Security Awareness
Social Engineering Audit & Security Awareness
 
Tweet, Tweet, Ping, Ping Social Media Strategies For Insurance
Tweet, Tweet, Ping, Ping   Social Media Strategies For InsuranceTweet, Tweet, Ping, Ping   Social Media Strategies For Insurance
Tweet, Tweet, Ping, Ping Social Media Strategies For Insurance
 
INFOSEK 2016 Slovenia - Cyber Risk Insurance - Scenario and Evaluation
INFOSEK 2016 Slovenia - Cyber Risk Insurance - Scenario and Evaluation INFOSEK 2016 Slovenia - Cyber Risk Insurance - Scenario and Evaluation
INFOSEK 2016 Slovenia - Cyber Risk Insurance - Scenario and Evaluation
 
Smart content in insurance - Presentation from The Digital Insurer
Smart content in insurance  - Presentation from The Digital InsurerSmart content in insurance  - Presentation from The Digital Insurer
Smart content in insurance - Presentation from The Digital Insurer
 
What Small Business Can Do To Protect Themselves Now in Cybersecurity
What Small Business Can Do To Protect Themselves Now in CybersecurityWhat Small Business Can Do To Protect Themselves Now in Cybersecurity
What Small Business Can Do To Protect Themselves Now in Cybersecurity
 
UE Startups -- 9 Factors in Raising Funding in Silicon Valley
UE Startups -- 9 Factors in Raising Funding in Silicon ValleyUE Startups -- 9 Factors in Raising Funding in Silicon Valley
UE Startups -- 9 Factors in Raising Funding in Silicon Valley
 
OPMA Health Care Trends Wikibrands Presentation (Harvestfest)
OPMA Health Care Trends Wikibrands Presentation (Harvestfest)OPMA Health Care Trends Wikibrands Presentation (Harvestfest)
OPMA Health Care Trends Wikibrands Presentation (Harvestfest)
 
Independent-Fall-2015-Edition
Independent-Fall-2015-EditionIndependent-Fall-2015-Edition
Independent-Fall-2015-Edition
 
Building World Class Cybersecurity Teams
Building World Class Cybersecurity TeamsBuilding World Class Cybersecurity Teams
Building World Class Cybersecurity Teams
 
Intelligence Analysis & Deliverables
Intelligence Analysis & DeliverablesIntelligence Analysis & Deliverables
Intelligence Analysis & Deliverables
 
Michel de Wachter: Scaling up - The sky is the limit - TSD17
Michel de Wachter: Scaling up - The sky is the limit - TSD17Michel de Wachter: Scaling up - The sky is the limit - TSD17
Michel de Wachter: Scaling up - The sky is the limit - TSD17
 
Managing Startups in Times of Covid-19
Managing Startups in Times of Covid-19 Managing Startups in Times of Covid-19
Managing Startups in Times of Covid-19
 
Forrester no more chewy centers- the zero trust model
Forrester   no more chewy centers- the zero trust modelForrester   no more chewy centers- the zero trust model
Forrester no more chewy centers- the zero trust model
 
Your Bottom Line is Showing: Why reputation management matters to Investor Re...
Your Bottom Line is Showing: Why reputation management matters to Investor Re...Your Bottom Line is Showing: Why reputation management matters to Investor Re...
Your Bottom Line is Showing: Why reputation management matters to Investor Re...
 
Untangling The Web: Putting it all together
Untangling The Web: Putting it all togetherUntangling The Web: Putting it all together
Untangling The Web: Putting it all together
 
The Next Round - Optimizing Your Next Financing with Investor Reporting
The Next Round - Optimizing Your Next Financing with Investor ReportingThe Next Round - Optimizing Your Next Financing with Investor Reporting
The Next Round - Optimizing Your Next Financing with Investor Reporting
 
2017 in Review: Infosec Pros Look Back on the Year
2017 in Review: Infosec Pros Look Back on the Year2017 in Review: Infosec Pros Look Back on the Year
2017 in Review: Infosec Pros Look Back on the Year
 
Advertiser's Crash Course in Influencer Marketing
Advertiser's Crash Course in Influencer MarketingAdvertiser's Crash Course in Influencer Marketing
Advertiser's Crash Course in Influencer Marketing
 
Top 10 Interview Questions for Risk Analyst.pptx
Top 10 Interview Questions for Risk Analyst.pptxTop 10 Interview Questions for Risk Analyst.pptx
Top 10 Interview Questions for Risk Analyst.pptx
 

More from Denim Group

Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Denim Group
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Denim Group
 
OWASP San Antonio Meeting 10/2/20
OWASP San Antonio Meeting 10/2/20OWASP San Antonio Meeting 10/2/20
OWASP San Antonio Meeting 10/2/20
Denim Group
 
Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...
Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...
Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...
Denim Group
 

More from Denim Group (20)

Long-term Impact of Log4J
Long-term Impact of Log4JLong-term Impact of Log4J
Long-term Impact of Log4J
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
 
Optimizing Security Velocity in Your DevSecOps Pipeline at Scale
Optimizing Security Velocity in Your DevSecOps Pipeline at ScaleOptimizing Security Velocity in Your DevSecOps Pipeline at Scale
Optimizing Security Velocity in Your DevSecOps Pipeline at Scale
 
Application Asset Management with ThreadFix
 Application Asset Management with ThreadFix Application Asset Management with ThreadFix
Application Asset Management with ThreadFix
 
OWASP San Antonio Meeting 10/2/20
OWASP San Antonio Meeting 10/2/20OWASP San Antonio Meeting 10/2/20
OWASP San Antonio Meeting 10/2/20
 
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA ProgramAppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program
 
Using Collaboration to Make Application Vulnerability Management a Team Sport
Using Collaboration to Make Application Vulnerability Management a Team SportUsing Collaboration to Make Application Vulnerability Management a Team Sport
Using Collaboration to Make Application Vulnerability Management a Team Sport
 
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...
 
Security Champions: Pushing Security Expertise to the Edges of Your Organization
Security Champions: Pushing Security Expertise to the Edges of Your OrganizationSecurity Champions: Pushing Security Expertise to the Edges of Your Organization
Security Champions: Pushing Security Expertise to the Edges of Your Organization
 
The As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native ApplicationsThe As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native Applications
 
An Updated Take: Threat Modeling for IoT Systems
An Updated Take: Threat Modeling for IoT SystemsAn Updated Take: Threat Modeling for IoT Systems
An Updated Take: Threat Modeling for IoT Systems
 
Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...
Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...
Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...
 
A New View of Your Application Security Program with Snyk and ThreadFix
A New View of Your Application Security Program with Snyk and ThreadFixA New View of Your Application Security Program with Snyk and ThreadFix
A New View of Your Application Security Program with Snyk and ThreadFix
 
Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...
 
AppSec in a World of Digital Transformation
AppSec in a World of Digital TransformationAppSec in a World of Digital Transformation
AppSec in a World of Digital Transformation
 
The As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native ApplicationsThe As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native Applications
 
Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...
 
AppSec in a World of Digital Transformation
 AppSec in a World of Digital Transformation AppSec in a World of Digital Transformation
AppSec in a World of Digital Transformation
 
Enumerating Enterprise Attack Surface
Enumerating Enterprise Attack SurfaceEnumerating Enterprise Attack Surface
Enumerating Enterprise Attack Surface
 

Recently uploaded

Tales from a Passkey Provider Progress from Awareness to Implementation.pptx
Tales from a Passkey Provider  Progress from Awareness to Implementation.pptxTales from a Passkey Provider  Progress from Awareness to Implementation.pptx
Tales from a Passkey Provider Progress from Awareness to Implementation.pptx
FIDO Alliance
 
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc
 

Recently uploaded (20)

Working together SRE & Platform Engineering
Working together SRE & Platform EngineeringWorking together SRE & Platform Engineering
Working together SRE & Platform Engineering
 
How to Check GPS Location with a Live Tracker in Pakistan
How to Check GPS Location with a Live Tracker in PakistanHow to Check GPS Location with a Live Tracker in Pakistan
How to Check GPS Location with a Live Tracker in Pakistan
 
Overview of Hyperledger Foundation
Overview of Hyperledger FoundationOverview of Hyperledger Foundation
Overview of Hyperledger Foundation
 
Top 10 CodeIgniter Development Companies
Top 10 CodeIgniter Development CompaniesTop 10 CodeIgniter Development Companies
Top 10 CodeIgniter Development Companies
 
TEST BANK For, Information Technology Project Management 9th Edition Kathy Sc...
TEST BANK For, Information Technology Project Management 9th Edition Kathy Sc...TEST BANK For, Information Technology Project Management 9th Edition Kathy Sc...
TEST BANK For, Information Technology Project Management 9th Edition Kathy Sc...
 
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontology
 
Event-Driven Architecture Masterclass: Engineering a Robust, High-performance...
Event-Driven Architecture Masterclass: Engineering a Robust, High-performance...Event-Driven Architecture Masterclass: Engineering a Robust, High-performance...
Event-Driven Architecture Masterclass: Engineering a Robust, High-performance...
 
Microsoft CSP Briefing Pre-Engagement - Questionnaire
Microsoft CSP Briefing Pre-Engagement - QuestionnaireMicrosoft CSP Briefing Pre-Engagement - Questionnaire
Microsoft CSP Briefing Pre-Engagement - Questionnaire
 
ChatGPT and Beyond - Elevating DevOps Productivity
ChatGPT and Beyond - Elevating DevOps ProductivityChatGPT and Beyond - Elevating DevOps Productivity
ChatGPT and Beyond - Elevating DevOps Productivity
 
Human Expert Website Manual WCAG 2.0 2.1 2.2 Audit - Digital Accessibility Au...
Human Expert Website Manual WCAG 2.0 2.1 2.2 Audit - Digital Accessibility Au...Human Expert Website Manual WCAG 2.0 2.1 2.2 Audit - Digital Accessibility Au...
Human Expert Website Manual WCAG 2.0 2.1 2.2 Audit - Digital Accessibility Au...
 
Tales from a Passkey Provider Progress from Awareness to Implementation.pptx
Tales from a Passkey Provider  Progress from Awareness to Implementation.pptxTales from a Passkey Provider  Progress from Awareness to Implementation.pptx
Tales from a Passkey Provider Progress from Awareness to Implementation.pptx
 
Continuing Bonds Through AI: A Hermeneutic Reflection on Thanabots
Continuing Bonds Through AI: A Hermeneutic Reflection on ThanabotsContinuing Bonds Through AI: A Hermeneutic Reflection on Thanabots
Continuing Bonds Through AI: A Hermeneutic Reflection on Thanabots
 
WebRTC and SIP not just audio and video @ OpenSIPS 2024
WebRTC and SIP not just audio and video @ OpenSIPS 2024WebRTC and SIP not just audio and video @ OpenSIPS 2024
WebRTC and SIP not just audio and video @ OpenSIPS 2024
 
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
 
Design Guidelines for Passkeys 2024.pptx
Design Guidelines for Passkeys 2024.pptxDesign Guidelines for Passkeys 2024.pptx
Design Guidelines for Passkeys 2024.pptx
 
2024 May Patch Tuesday
2024 May Patch Tuesday2024 May Patch Tuesday
2024 May Patch Tuesday
 
AI mind or machine power point presentation
AI mind or machine power point presentationAI mind or machine power point presentation
AI mind or machine power point presentation
 
Observability Concepts EVERY Developer Should Know (DevOpsDays Seattle)
Observability Concepts EVERY Developer Should Know (DevOpsDays Seattle)Observability Concepts EVERY Developer Should Know (DevOpsDays Seattle)
Observability Concepts EVERY Developer Should Know (DevOpsDays Seattle)
 
ADP Passwordless Journey Case Study.pptx
ADP Passwordless Journey Case Study.pptxADP Passwordless Journey Case Study.pptx
ADP Passwordless Journey Case Study.pptx
 

Cornerstones of Trust - Hacking the CEO: Ninja Mind Tricks and other Ruses to Get Security Dollars

  • 1. June 16, 2015 – The World Ahead John B. Dickson, CISSP john@denimgroup.com | @johnbdickson 844.572.4400 Denim Group
  • 2. Disclaimer The views and opinions expressed during this conference are those of the speakers and do not necessarily reflect the views and opinions held by the Information Systems Security Association (ISSA), the Silicon Valley ISSA, the San Francisco ISSA or the San Francisco Bay Area InfraGard Members Alliance (IMA). Neither ISSA, InfraGard, nor any of its chapters warrants the accuracy, timeliness or completeness of the information presented. Nothing in this conference should be construed as professional or legal advice or as creating a professional- customer or attorney-client relationship. If professional, legal, or other expert assistance is required, the services of a competent professional should be sought. June 16, 2015 – The World Ahead
  • 3. John B. Dickson, CISSP June 16, 2015 – The World Ahead
  • 4. Agenda  Background  The Very Real Problem with Security  How CEOs Think  Ninja Mind Tricks & Ruses  Questions and Answers June 16, 2015 – The World Ahead
  • 5. I Wear Two Hats – #1 The Security Guy Hat  Armored “hat” (i.e., helmet) of a security guy  Ex-Air Force guy  20+ years in the field  World view heavily influenced by security mindset June 16, 2015 – The World Ahead
  • 6. I Wear Two Hats - #2 Business Guy Hat  Serial Entrepreneur & MBA  Interact with other business leaders and execs  Understand how much fun the “onus of responsibility” can be  Fully aware of across-the-board risk issues. June 16, 2015 – The World Ahead
  • 7. Background: Getting Your Security Budget Approved Without FUD  Exploit Pet Projects  Account for Culture  Tailor to Your Specific Vertical  Consciously Cultivate Credibility and Relationships  Capitalize on Timely Events  Capture Successes & Over-Communicate Source: RSA 2014 “Getting Your Security Budget Approved Without FUD June 16, 2015 – The World Ahead
  • 8. Two Concepts that We’ll Talk More about…
     Exploit Pet Projects
     Account for Culture
     Tailor to Your Specific Vertical
     Consciously Cultivate Credibility and Relationships
     Capitalize on Timely Events
     Capture Successes & Over-Communicate
  • 9. Security Budgets: The Starting Point
     Some have lost the game before getting on the field
     Competing against:
       Line of business pet projects – expansion of production
       Executive-level visibility or utility – e.g., new corporate jet
       Things that produce more tangible ROI
     Information security as the “silent service” – Rich Baich, Wells Fargo CISO
    Sources: “Winning as a CISO,” Rich Baich; RSA 2014 Podcast “The Savvy Security Leader: Using Guerrilla Tactics to ID Security Program Resources”
  • 10. Security Leaders Are at a Structural Disadvantage
    (Org chart on slide: CEO, CFO, CIO, VP Development, Development, CISO)
     They have a staff advisory role and not a “line” operator role
     They have different world views that drive their perspective
     They talk differently
     They have less power
  • 11. CEOs, Though Worried, Are FUD Resistant
     Is it like selling insurance?
     The security industry is struggling for parallel models and metaphors
     FUD distorts the process
  • 12. CEO Concerns
     Talent Management
     Operating in a Global Marketplace
     Regulation and Legislation
     Keeping Energy Costs Under Control
     Implementation of Healthcare Reform
     Regulatory Uncertainty
     Consumer Spending
     Currency Risk
    Sources: WSJ and HBR reports
  • 13. CEO Concerns (Continued)
     Airplanes Falling out of the Sky
     Terrorism
     Oil Workers Getting Kidnapped in Nigeria
     North Korea (kind of…)
     Netflix, if you were Blockbuster
     You Get the Picture
  • 14. CEO’s Stakeholders (Field of Play)
    Inside
     Management Team
     Employees
     Unions
    Outside
     Board of Directors
     Shareholders
     Public Opinion
     Auditors
     Regulators
     Unions
     Vendor Partners
  • 15. Ninja Mind Trick #1 – Exploit CEO Pet Projects
    Key Strategy Concepts
     Identify key corporate projects and bake in security
     CEO-level sponsorship
     Less scrutiny than “out year” operational budgets
     Numbers are big
    Potential Success Patterns
     Mergers or acquisitions
     Entry into new markets
     New products
  • 16. Ninja Mind Trick #2 – Consciously Cultivate Credibility and Relationships
    Key Strategy Concepts
     Meet with your CEO when you don’t need to…
     Regular meetings without “asks”
     Clarification for the Audit Committee or Board of Directors
     Build up a surplus of credibility, then ask for $$$
    Potential Success Patterns
     Providing clarity on risk issues CEOs rarely understand
     Providing a voice of sanity on compliance matters
     Pushing back on overzealous 3rd parties
  • 17. Ninja Mind Trick #3 – Shine at the Board of Directors Meeting
    Key Strategy Concepts
     The Board of Directors is the CEO’s domain
     Boards of Directors are now most interested in cyber security issues
     Security is an issue CEOs are largely ill-equipped to address
     Score cool points for your CEO with her board
     Address the Board on a regular, recurring basis
    Potential Success Patterns
     Defusing a tough security question from thorny board members
     Providing security context for potential new business ventures
  • 18. Ninja Mind Trick #4 – Enable New Markets or Products
    Key Strategy Concepts
     I abhor terms like “alignment” or “enabling the business”; however…
     Providing enough confidence to conduct commerce or enter new markets allows the CEO to expand the top line
     Security context allows CEOs to take calculated risks in new markets or products
     They can communicate these calculated risks to internal and external stakeholders, raising the level of confidence
     Consistently helps
  • 19. Ninja Mind Trick #4 – Enable New Markets or Products (Continued)
    Potential Success Patterns
     Will privacy controls allow me to sell directly to end customers and cut out the middle man, increasing our profit per transaction?
     Will fraud detection tools allow me to better understand patterns of buying behavior so we can optimize their experience and cross-sell them more products?
     Will security baked in to our mobile applications allow our clients to conduct more transactions and increase loyalty to our brand?
     Will encryption and security controls allow me to sell into China and not worry about my intellectual property issues?
  • 20. Ninja Mind Trick #4 – Enable New Markets or Products – Security Guy Perspective
    Potential Success Patterns: the same four questions as on slide 19, viewed from the security guy’s perspective
  • 21. Ninja Mind Trick #4 – Enable New Markets or Products – CEO Perspective
    Potential Success Patterns: the same four questions as on slide 19, viewed from the CEO’s perspective
  • 22. Ninja Mind Trick #5 – Positively Influence Share Price
    Key Strategy Concepts
     If publicly traded…
    Potential Success Patterns
     Confidence around a stream of new projects, products, and markets that create new and large revenue streams
     Keeping your company out of the news
     When public incidents do occur, reacting with confidence to stabilize the stock price
  • 23. Ninja Mind Trick #6 – Prevent the CEO from Getting Fired
     Truism – A truism is a claim that is so obvious or self-evident as to be hardly worth mentioning, except as a reminder or as a rhetorical or literary device, and is the opposite of falsism. Source: Wikipedia
  • 24. Resources
     RSA 2014, “Getting Your Security Budget Approved Without FUD,” http://www.rsaconference.com/writable/presentations/file_upload/ciso-w04a-getting-your-security-budget-approved-without-fud.pdf
     “The Savvy Security Leader: Using Guerrilla Tactics to ID Security Program Resources,” RSA Podcast, http://www.rsaconference.com/media/the-savvy-security-leader-using-guerrilla-tactics-to-id-security-program-resources
     “The 3 Things CEOs Worry About the Most,” Harvard Business Review, https://hbr.org/2015/03/the-3-things-ceos-worry-about-the-most
     “5 Things CEOs Are Worried About in 2014,” Wall Street Journal, http://blogs.wsj.com/briefly/2014/01/03/5-things-ceos-are-worried-about-in-2014/
     “Winning as a CISO,” Baich, Rich
     Wikipedia
  • 25. Thank you
    John B. Dickson, CISSP | Principal
    john@denimgroup.com | @johnbdickson
    844-572-4400
    Denim Group

Editor's Notes

  1. How CEOs think, but more importantly, what do they worry about…
  2. The Art of War is very focused on, obviously, war. But it is also focused on wars that can be won. InfoSec can never be “won”.
  3. Which is why cyber security threats seem so abstract and over-the-horizon. If you’re Sony? What they’re really afraid of: Netflix, if you were Blockbuster.
  4. Build up a Surplus of Credibility – Stephen Covey, “Emotional Bank Account”