TITLE: WANTED – People Committed to Solving Our Information Security Language Problem, the presentation given at the inaugural BSides Harrisburg Conference on October 2nd, 2019.
This document discusses solving the language problem in the information security industry. It proposes using a simple scoring system called S2Score to communicate security risk and status across organizations using a common language. S2Score assessments are available for free online and can also translate between different scoring systems used by organizations. The future of S2Score includes community involvement, integration with other tools, and adoption by vendors to help standardize security language industry-wide and make risk management more effective and efficient.
WANTED – People Committed to Solving our Information Security Language Problem (Evan Francen)
The information security industry is broken. It's our duty to fix it, and it starts with getting on the same page. The model isn't broken, but our application is. How do we apply the basics and fundamentals on a wider scale? It starts with defining a common language and a common approach. Next, make it all free.
WANTED - People Committed to Solving Our Information Security Language Problem (Evan Francen)
The document discusses solving the language problem in information security. It begins by explaining that information security is about managing risk by assessing threats and vulnerabilities, and using administrative, physical, and technical controls. It then introduces the S2Score as a simple scoring system to communicate security in a common language. The document advocates for making security assessments free and accessible to all, and developing translation tools to map different organizations' risk scoring systems to a common scale. The overall goal is to establish a shared security language to improve understanding and coordination across the industry.
Presentation delivered to the Minnesota Counties Computer Cooperative (http://mnccc.org/) on October 30, 2019. The talk was given by SecurityStudio's CEO, Evan Francen and focused on how local governments play a role in protecting all of us.
WANTED – People Committed to Solving our Information Security Language Problem (SecurityStudio)
The presentation shared with the Greater KC ISACA chapter on 11/14/19. The talk starts with housekeeping, then progresses into the heart of our language problem before ending with the dream to secure America. The talk was very well received, and now you can use it however you wish.
Global CISO Forum 2017: How To Measure Anything In Cybersecurity Risk (EC-Council)
Richard is a security executive with ~20 years' experience ranging from start-ups to global organizations. He is currently the CISO/VP of Trust for Twilio and most recently the VP/GM Cybersecurity and Privacy for GE Healthcare. His background is in Information Security, Digital Risk Management and Product Development with an analytics bent. His current focus is developing quantitatively informed strategies, building agile teams that scale and making digital risk measurable. Likewise, he recently co-authored a decision analysis book called “How To Measure Anything In Cybersecurity Risk” (Wiley 2016). This book targets those looking to improve risk management strategies using predictive analytics.
Congratulations! You're The New Security Person! (or, I've Made a Huge Mistake) (Sean Jackson)
Basically, Enterprise Security 101. Covering frameworks, and how to try and wrap your arms around running the whole Information Security program from the beginning.
Introduction to FAIR Risk Methodology – Global CISO Forum 2019 – Donna Gall... (EC-Council)
Present your risk assessments to your board of directors in the language they understand - financial loss. "FAIR" or "Factor Analysis of Information Risk" is the quantitative risk analysis methodology that works with common frameworks while adding context for truly effective risk management.
Cultivating security in the small nonprofit (Roger Hagedorn)
This document discusses steps that small nonprofits can take to improve security and decrease risks. It begins with an overview of six security basics: strong passwords, anti-malware software, using an updated browser, keeping devices patched, backing up data, and installing a firewall. However, it notes that these alone are not sufficient, as there are ways to circumvent defenses like using cloud services, USB drives, rogue wireless networks, smartphones, and social engineering. The document provides tips on how to assess and respond to risks through mitigation, transference, acceptance, or avoidance. It suggests easy initial steps like inventorying devices and software, changing defaults, training staff, and limiting administrative privileges.
Security threats are growing in volume, scale, and complexity. Not a day passes that we don’t hear about another data breach; and the average organization that’s hacked goes bankrupt within a year. From small and medium-size organizations to Fortune 500 companies, across every industry, no one is immune. It’s no longer enough to keep the bad stuff out (threat protection) or just keep the good stuff in (information protection). This session is a practical discussion on the ever evolving threat landscape, how you can keep up and protect yourself, your organization, and its reputation. It will help you build awareness about the types of resources and sensitive data that your nonprofit has, with tips on practical, accessible steps that you can take to ensure that information is safeguarded.
Data Security: What Every Leader Needs to Know (Roger Hagedorn)
This document summarizes a presentation on data security for organizational leaders. It covers the key components of an effective security program, including support from management, understanding your data and where it is stored, implementing proper IT controls and monitoring, establishing security policies and procedures, and gaining staff involvement through training. It also discusses how to identify if a breach has occurred based on network traffic and user activity anomalies, and the steps to take in response, such as identifying and quarantining the damage before disinfecting and resecuring the network. The presentation aims to educate leaders on security basics and preparing an incident response plan.
This is a presentation introducing the SANS Institute's 20 Security Controls and the Australian Government's Top 35 Mitigation Strategies that I gave to The Small Business Technology Consulting Group in St Paul, MN on November 13, 2012.
Bad Advice Unintended Consequences and Broken Paradigms - Think && Act Differ... (Steve Werby)
20 years ago information security was a low corporate priority that was the realm of technical geeks. Factors such as the rapidly-evolving threat environment and increased corporate impact have elevated it to a multidisciplinary risk management discipline…which sometimes has a seat at the table. This talk explores what we’re doing wrong, why it’s ineffective (or worse), and better ways of thinking and doing. You will learn to question the status quo, rethink existing paradigms, and leverage better approaches from information security and other disciplines. Think different! Act different!
Demonstrating Information Security Program Effectiveness (Doug Copley)
Measuring the effectiveness of an information security program is important for governance, continuous improvement, and providing assurance. Key things to measure include compliance with frameworks, control effectiveness, and progress towards goals. Metrics should be tailored to different audiences like executives, managers, and security staff. Example metrics include vulnerability remediation timelines, audit findings closure rates, and security event trends over time. Visual dashboards with indicators like colors and arrows help concisely communicate security program status and areas needing attention to stakeholders.
Hacker Halted 2009 - Owning People through Technology (Mike Murray)
This document summarizes a presentation on social engineering techniques. It discusses how social engineers exploit human vulnerabilities by manipulating targets using skills of artful communication, awareness of the target, and frame control. Specific techniques discussed include creating a context of reciprocity, authority, social proof, confirmation, scarcity or urgency to influence targets and avoid activating their critical thinking faculties. The document argues that social engineering is effective because it plays on fundamental human tendencies and biases.
The document discusses top security concerns for executives from a survey. Over half of respondents think their organizations are not sufficiently prepared to handle cyber threats that could disrupt operations or damage their brands. The top concern identified is regulatory changes and increased scrutiny, with 67% thinking this could affect their products and services. Employees are also seen as a weak link, with less than 50% confident they know their company's security policies and only 43% remembering seeing password rules. Protecting customer data is another concern, as data breaches continue rising in costs, though security budgets are declining.
Security Trends: From "Silos" to Integrated Risk Management (Resolver Inc.)
Learn about the recent trend that sees security practitioners moving away from a traditional “siloed” approach to problem solving that relies heavily on unique individual responsibilities and expertise. By breaking down information “silos” and employing a multi-disciplinary approach to problem solving, organizations can achieve better results through more efficient and effective risk management.
Gene Scriven, Chief Information Security Officer at Sabre Corporation, discussed the biggest threats to today’s enterprises during his presentation at the 2015 Chief Information Officer Leadership Forum in Dallas on March 11. In his presentation, “Top 12 Threats to Enterprise – aka ‘Gene’s Dirty Dozen,’” Scriven pointed out that information security is a major problem for many organizations, but there are several ways that organizations can protect themselves against myriad cyber threats.
WANTED – People Committed to Solving our Information Security Language Problem (SecurityStudio)
Presentation deck delivered to the Rochester ISSA chapter members as part of the SecurityStudio Roadshow on November 7th, 2019. This presentation explains the language problem we're fighting in the information security industry and contains a realistic call to action for all of us.
People Committed to Solving our Information Security Language Problem (SecurityStudio)
The talk given at the ISSA Phoenix Q4 2019 Chapter Meeting on 12/5/19. Four parts to the talk: housekeeping (where we establish some credibility), meat (where we discuss our information security language problem), the dream (where we talk about securing America), and the call to action (get involved and get stuff done).
ISSA-OC and Webster University Cybersecurity Seminar Series Presentation (SecurityStudio)
The slide deck used on 11/21/19. There are four parts to this talk; housekeeping (establishing credibility with the audience), the meat (our information security language problem and our solution), the dream (securing America), and the call to action (get your free S2Org and S2Me risk assessments).
The title is "Cybersecure Schools, Parents, and Kids." The talk was delivered to ~250 people attending the summit. Tackling information security at school and at home requires us to agree to and apply the fundamentals. The S2Org is helping schools become more secure, and the S2Me is helping at home.
Cloud security expert Tricia Pattee discusses where to get the most bang for your security buck. Topics covered include:
- The five most common security mistakes
- Top six areas of security spend
- How to maximize budget – and minimize risk
- Hidden cloud security costs
Joint Presentation on The State of Cybersecurity ('15-'16) & Third Party Cyb... (Rishi Singh)
Presentation on the 2015-2016 State of Cybersecurity and Third Party Vendor Risk Management, presented by Matt Pascussi and Rishi Singh.
This presentation was sponsored by TekSystems.
Microsoft power point closing presentation-greenberg (ISSA LA)
The document summarizes the Los Angeles Security Summit 7 event. It provides information on upcoming ISSA Los Angeles chapter events and meetings. It also summarizes key lessons from summit presentations on the state of security breaches and attacks, including how breaches often go undiscovered for months and are found by external parties. The document outlines recommendations for security leaders, such as implementing security awareness training, baking security into the software development lifecycle, enforcing access management, and continuing education. It concludes by thanking summit speakers, volunteers, and vendors for their participation.
Measurement, Quantitative vs. Qualitative and Other Cool Stuff (Jody Keyser)
InfoSec Measurement and Quantitative vs Qualitative Methods
Recorded Webinar Here:
https://www3.gotomeeting.com/register/604059902
Aliado and Risk Centric Security would like to introduce you to the world of quantitative risk and decision analysis.
Our webinars will provide you with a glimpse of the power and credibility that quantitative methods can bring to the problems that Information Security Professionals face every day.
Topics covered include:
What is risk?
Possibility and Probability
What is a measurement and what is it for?
Qualitative vs. Quantitative methods
Static modeling vs. Monte Carlo simulation
Calibration and the power of a calibrated estimate
Modeling Expert Opinion and the RCS BetaPERT calculator
A. Definitions
1. Risk
2. Risk and Opportunity
3. Possibility vs. probability
4. Measurement
5. Precision vs. accuracy
6. Qualitative vs. quantitative methods
OSB50: Operational Security: State of the Union (Ivanti)
The document discusses operational security and the state of cyber threats. It provides an overview of key trends including less control over data and devices, more complex networks, the rise of insecure internet of things devices, and the need for security to balance risk mitigation and enable business opportunities. Survey results show that security tasks are often split between IT and security teams. The document argues that organizations need to take a risk-based approach to security centered around understanding inherent risks, how assets could be compromised, and ensuring effective controls are in place. It also discusses challenges to achieving effective security.
11 19-2015 - iasaca membership conference - the state of security (Matthew Pascucci)
This document provides a review and outlook on cybersecurity in 2015 and emerging trends. It summarizes major hacks in 2015, such as the OPM hack, and discusses how politicians are increasingly focused on cybersecurity issues. It notes challenges such as the lack of cybersecurity talent and discusses trends like the growing importance of privacy, mobile security risks, and the use of deception techniques in cyber defenses. The document outlines both ongoing issues like phishing and areas that are improving, such as increased awareness and funding for cybersecurity. It explores emerging trends including managed security services, cloud-based security tools, cyber insurance, threat intelligence sharing, and the potential of machine learning and behavioral analysis.
Cybersecurity Risk Management Tools and Techniques (1).pptx (ClintonKelvin)
A database containing sensitive information on ongoing criminal investigations is hacked and confidential case details are leaked online. The incident response plan would provide guidelines on immediate actions to contain the breach, secure remaining systems, notify relevant stakeholders, and initiate forensic analysis to identify the source of the attack.
From ATLSecCon program:
There is a need to make well-informed security decisions that align with business expectations. It’s always been there; we’re just more explicit about it today. This session focuses on a core tenet that bridges the gap in communication between security and business focuses: risk. Our most familiar approaches to risk measurement are failing us. What else is out there? And what are the implications for various security disciplines? We will dive into these topics and flesh out a way forward that aligns our security concerns with their business needs.
The document summarizes key takeaways from the RSA Conference 2016. It discusses the rising threat of ransomware and the need to get back to basics on security fundamentals like authentication, firewalls, and software updates. It also notes that the target of attacks is expanding to cloud and big data, and that organizations need to treat data as toxic. Other topics covered include new approaches to threat modeling, developing resilience after a breach, extending security teams through outsourcing, and reassessing threat detection capabilities. The document provides an agenda and information on speakers for an upcoming cybersecurity summit event.
Cybersecurity Standards: The Open Group Explores Security and Ways to Assure ...Dana Gardner
The document summarizes a panel discussion on cybersecurity standards and supply chain risks. The panelists discussed the need for standards to address increasing complexity in technology and supply chains. Specifically, they noted that existing security controls are not effective due to complexity, and standards are needed to integrate security into system development processes and manage risks throughout the technology lifecycle and supply chain. Trustworthiness, assurance, and resilience must be priorities going forward.
Will there be an IT Risk Management 2.0?Luke O'Connor
This document summarizes a presentation by Dr. Luke O'Connor on IT risk management. It discusses the challenges of identifying important vulnerabilities, valuing assets, and judging the effectiveness of security controls. It also addresses questions around password expiry policies and different approaches to IT risk management, including traditional security approaches versus risk-based approaches. Finally, it questions whether IT professionals can effectively conduct risk management and discusses how IT risk activities are often swallowed by compliance or operational risk frameworks instead of directly supporting decision making.
Under cyber attack: EY's Global information security survey 2013EY
This document summarizes the key findings from a survey of over 1,900 organizations on cybersecurity threats and responses. Some of the main points include:
- Many organizations have improved their cybersecurity programs but still have work to do to address evolving threats. Top priorities include business continuity, cyber risks, and data protection.
- Budgets for cybersecurity are increasing for 43% of organizations, but information security professionals still feel budgets are insufficient.
- Focus is shifting from basic security operations to improving and innovating programs. However, skilled resources and executive support still lag behind needs.
- Around half of organizations now align their security strategy with business and IT strategies, showing increased understanding of security's importance.
Bad Advice, Unintended Consequences, and Broken Paradigms: Think & Act Di...Steve Werby
20 years ago information security was a low corporate priority that was the realm of technical geeks. Factors such as the rapidly-evolving threat environment and increased corporate impact have elevated it to a multidisciplinary risk management discipline...which sometimes has a seat at the table. This talk explores what we're doing wrong, why it's ineffective (or worse), and better ways of thinking and doing. You will learn to question the status quo, rethink existing paradigms, and leverage better approaches from information security and other disciplines. Think different! Act different!
Malware is software created to disrupt systems or steal information. This document discusses the malware lifecycle including development, deployment, detection, correction, and protection. It notes that malware creators range from organized crime to hackers and state actors. Their motivations include financial gain, espionage, and hacktivism. While advanced malware requires programming skills, malware kits allow less skilled users to cause damage. The document emphasizes that detecting and responding to malware is challenging for security teams due to the increasing sophistication and volume of malware.
Harrisburg BSides Presentation - 100219
1. WANTED – People Committed to Solving our Information Security Language Problem
Evan Francen, CEO, SecurityStudio
2. IMPORTANT! Before I get started…
• The World Health Organization states that over 800,000 people die every year due to suicide, and that suicide is the second leading cause of death in 15-29-year-olds.
• 5 percent of adults (18 or older) experience a mental illness in any one year.
• In the United States, almost half of adults (46.4 percent) will experience a mental illness during their lifetime.
• In the United States, only 41 percent of the people who had a mental disorder in the past year received professional health care or other services.
• https://www.mentalhealthhackers.org/resources-and-links/
4. ME: Evan Francen, CEO & Founder of FRSecure and SecurityStudio
I do a lot of security stuff…
• Co-inventor of SecurityStudio®, S²Score, S²Org, S²Vendor, S²Team, and S²Me
• 25+ years of “practical” information security experience (started as a Cisco Engineer in the early 90s)
• Worked as CISO and vCISO for hundreds of companies.
• Developed the FRSecure Mentor Program; six students in 2010, 500+ in 2018
• Advised legal counsel in very public breaches (Target, Blue Cross/Blue Shield, etc.)
Solving our Information Security Language Problem
AKA: The “Truth”
5. UNSECURITY: Information Security Is Failing. Breaches Are Epidemic. How Can We Fix This Broken Industry?
Published January, 2019
6. You know we have a language problem in our industry, right?
Our Industry: AI, Blockchain, Penetration Test, Vulnerability Management, NIST CSF, Risk, Risk Management, Containers, Incident Management, Cyber Insurance, Threats, Maturity Assessment, Malware, Security, Cryptography, Breach, APT
7. You know we have a language problem in our industry, right?
Normal People See Us Like: AI, Blockchain, Penetration Test, Vulnerability Management, NIST CSF, Risk, Risk Management, Containers, Incident Management, Cyber Insurance, Threats, Maturity Assessment, Malware, Security, Cryptography, Breach, APT
8. Why? Because we don’t agree on a language.
Their Language
FIX: Fundamentals and simplification. Translation/Communication.
WARNING – It’s work and it’s NOT sexy.
26. Some truth about information security
It’s relative.
Something insecure at the core will always be insecure.
You can’t manage what you can’t measure.
You can’t manage risk without assessing it.
Complexity is the enemy.
27. Some truth about information security
Must be put on a scale (degrees of security)
Must master the fundamentals
Must measure it.
Must do risk assessments.
Keep it simple!
As much as 90% of organizations fail to do fundamental information security risk assessments.
WHY? Reason #1: Complexity
41. Managing Risk
[Diagram: Likelihood, Impact, Threats, Vulnerabilities; Administrative Controls, Physical Controls, Technical Controls. Caption fragments: “FISASCORE® is”, “Through translation.”]
Company #1’s way. Company #2’s way. Company #3’s way. Company #4’s way.
Let’s say each company has its own way, its own language.
Here’s you. Here are your third parties.
We built VENDEFENSE to be a translator.
What’s the point?
Information security language and translations are the point!
People are the point! People within our industry and people who work with us are confused, and we’re wasting valuable resources on 1,000 different solutions to the same problems, all using different languages.
42. OK, I get it. Two last questions.
1. What does the future of S2Score look like?
2. What should I do now?
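The translation idea behind slides 41 and 42 (four companies, each with its own rating language, and a translator between them), worked through as an added example. This is illustrative code written for this page, not SecurityStudio's S2Score or VENDEFENSE implementation. Everything in it is an assumption: the common 0-100 scale (higher meaning more secure), the four company schemes, the plain-language bands, and the sample third-party reports are all constructed for the example.

```python
"""
Added example for this page (not SecurityStudio's S2Score or VENDEFENSE code):
translating third-party risk ratings from several company "languages" onto one
common scale and back. Everything below is constructed for illustration: the
common scale is 0-100 with higher meaning more secure, and the four company
schemes and sample reports are invented.
"""
from dataclasses import dataclass
from typing import Any, Callable, Dict, List, Sequence, Tuple


@dataclass(frozen=True)
class Scheme:
    """One native rating language: read it onto 0-100, and write 0-100 back into it."""
    name: str
    to_common: Callable[[Any], float]
    from_common: Callable[[float], Any]


def numeric(lo: float, hi: float, higher_is_secure: bool = True) -> Scheme:
    """Linear rescale of a numeric range onto 0-100. Direction is flipped when the
    native scale counts risk (higher = worse) instead of security (higher = better)."""

    def to_common(x: Any) -> float:
        x = float(x)
        if not lo <= x <= hi:
            raise ValueError(f"{x} is outside the native range {lo}-{hi}")
        pos = (x - lo) / (hi - lo)
        return round(100.0 * (pos if higher_is_secure else 1.0 - pos), 1)

    def from_common(score: float) -> float:
        pos = score / 100.0
        if not higher_is_secure:
            pos = 1.0 - pos
        return round(lo + pos * (hi - lo), 1)

    return Scheme(f"numeric {lo}-{hi}", to_common, from_common)


def ordinal(levels: Sequence[str]) -> Scheme:
    """Named levels, listed from least to most secure, spaced evenly on 0-100."""
    index: Dict[str, int] = {lvl: i for i, lvl in enumerate(levels)}
    step = 100.0 / (len(levels) - 1)

    def to_common(x: Any) -> float:
        if x not in index:
            raise ValueError(f"unknown level {x!r}; expected one of {list(levels)}")
        return round(index[x] * step, 1)

    def from_common(score: float) -> str:
        # Nearest level wins; an exact midpoint rounds toward the more secure level.
        return levels[min(len(levels) - 1, int(score / step + 0.5))]

    return Scheme("/".join(levels), to_common, from_common)


# Constructed "languages" for the four companies on the slide (assumptions).
COMPANY_SCHEMES: Dict[str, Scheme] = {
    "Company #1": numeric(1, 5),                            # maturity level, higher is better
    "Company #2": numeric(0, 10, higher_is_secure=False),   # risk rating, higher is worse
    "Company #3": ordinal(["F", "D", "C", "B", "A"]),       # letter grade
    "Company #4": numeric(0, 100),                          # percent of required controls in place
}


def translate(src: str, rating: Any, dst: str) -> Any:
    """Express a rating given in src's language in dst's language, via the common scale."""
    common = COMPANY_SCHEMES[src].to_common(rating)
    return COMPANY_SCHEMES[dst].from_common(common)


def plain_language(score: float) -> str:
    """Constructed bands so a non-specialist hears one word instead of four scales."""
    for floor, label in ((80, "good"), (60, "fair"), (40, "weak"), (0, "poor")):
        if score >= floor:
            return label
    return "poor"


def rank_third_parties(reports: List[Tuple[str, str, Any]]) -> List[Tuple[str, float]]:
    """reports are (third party, scheme it reported in, native rating).
    Returns (third party, common score), least secure first, so the worst gets attention."""
    scored = [(name, COMPANY_SCHEMES[scheme].to_common(rating)) for name, scheme, rating in reports]
    return sorted(scored, key=lambda pair: pair[1])


# Constructed sample: four third parties, each reporting in a different language.
SAMPLE_REPORTS: List[Tuple[str, str, Any]] = [
    ("Payroll SaaS", "Company #1", 4),        # 4 of 5 maturity
    ("Print vendor", "Company #2", 8),        # risk 8 of 10
    ("Cloud host", "Company #3", "B"),        # letter grade B
    ("HVAC contractor", "Company #4", 55),    # 55% of controls in place
]

if __name__ == "__main__":
    for name, score in rank_third_parties(SAMPLE_REPORTS):
        print(f"{name:16} {score:5.1f}  ({plain_language(score)})")
    # The same rating, said in another company's language:
    print("Company #2 risk 8 is Company #3 grade", translate("Company #2", 8, "Company #3"))
```

The point the code makes is the one the slide makes: once every native scheme can be read onto one scale and written back, a rating from any third party can be ranked against the others and restated in whichever language the listener already speaks. The direction flag matters in practice; a "risk 8 of 10" and a "maturity 4 of 5" look similar on paper but sit at opposite ends of the common scale, and a translator that ignores direction silently inverts the message.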
43. What does the future hold for the S2Score Language?
[Diagram: Managing Risk – Likelihood, Impact, Threats, Vulnerabilities; Administrative, Physical and Technical Controls. Caption fragment: “S2Score is”. Adjacent box: “Other tools/integrations”.]
These are things that are coming:
• The roadshow.
• Community involvement program.
• Vendor/product incorporation.
• Integration with any/all.
44. What should you do now?
[Diagram: Managing Risk – Likelihood, Impact, Threats, Vulnerabilities; Administrative, Physical and Technical Controls. Caption fragment: “S2Score is”. Adjacent box: “Other tools/integrations”.]
Simple.
• Get your S2Score.
• Participate with us; give us feedback, help us solve problems.
• The S2Score is mapped to NIST CSF, ISO 27002, NIST SP 800-53, CIS, and COBIT. More to come.
• SIMPLE. FUNDAMENTAL. COMPLIANT.