The document discusses improving cloud vendor security assessments between customers and vendors. It outlines the challenges both parties face, including the overwhelming volume of assessments vendors receive and customers asking the wrong questions. The document provides recommendations for both customers and vendors, such as customers assessing the security of the solution and not just the vendor, and vendors establishing dedicated security teams to efficiently respond to assessments. The goal is for both parties to work together to continuously improve the security assessment process.
(ISC)2 Security Congress 2015 - The Cloud Trust Conundrum - You’re Asking All the Wrong Questions
2. The Cloud Trust Conundrum: You’re Asking All the Wrong Questions
Andrew Leeth
Jill Czerwinski
September 28, 2015
Session Number: 2230
3. About Us
» Representing the Customer...Jill Czerwinski
» 13 years in Information Security Consulting for Crowe Horwath
» Focus on Third Party Risk Management
» Manage several outsourced Vendor Info Sec Assessment functions
» CISSP, CISA, PMP, MCSA, Sec+
» https://www.linkedin.com/in/jillczerwinski
» Representing the Vendor...Andrew Leeth
» Product Security Engineer at Salesforce
» Specialize in Application Security of our products and that of vendors
» GWAPT, GMOB, CSSLP, CISSP, CEH, CCSK, Sec+
» @SecurityLeeth
4. Overview
1. The (Cloud) Vendor Information Security Paradigm
2. Current Process for 3rd Party Reviews
3. Pitfalls in Current Processes
4. Fixing the problem from both sides - Our Tips
5. The Cloud Vendor Information Security Paradigm: The Plight of the Customer
» Outsourcing (in a big way) is here to stay & volume is overwhelming
» Uphill battle to maintain consistent Info Sec Standards across the Extended Enterprise
» Could we have prevented Target?
6. The Vendor Information Security Paradigm: The Plight of the Vendor
» Able to provide the same high level of security for *all* customers; even small customers can benefit from the security usually left for larger companies
» Teams of experts working around the clock to provide the highest level of availability and security
» Reduced cost compared to traditional on-premise technology by sharing resources with other customers
» Often times, can provide better security than a customer could provide themselves
7. The Vendor Information Security Paradigm: The Plight of the Vendor
» Complete every certification/standard questionnaire/audit available
» Trying to minimize work by the customer
» Many customers come from various industries with different regulations and requirements
» Sheer number of customers who want to perform an assessment is overwhelming
» Account executives aren’t able to assist; requests are left to in-demand security resources
8. So Customers... How are we solving this?
❖ We’re trying to ‘Tier’ relationships
➢ True Risk Assessment?
❖ We’re considering our ‘Questionnaire’
➢ Sometimes custom, sometimes leveraging a tool like the Shared Assessments Group (SIG)
❖ We may outsource some or all reviews
❖ We’re unsure if we’re the Chicken or the Pig...
➢ Mar 2013 Ponemon Institute Study: 79% believed that End-Users are primarily responsible for cloud security
❖ Volume keeps getting in the way
➢ As we get comfortable, volume and complexity go up
9. We Vendors Know… You’re asking all the wrong questions!!
» Endless stream of assessments (cloud providers have many customers)
» Customers are vague in their questions
» Questions are custom and do not follow a standard
» Oftentimes hundreds, if not thousands, of questions
» Questions come in various forms: email-attached documents, GRC/Web App form, plain email, etc.
» Often times, the customer assessment/audit team is not in the loop with the customer’s business on what solution is being offered
» Customers don’t use the resources provided either online or after NDA (such as SOC, STAR, and other reports)
» Understand what is the customer’s responsibility vs. the cloud provider’s responsibility!
10. Babysitter Pro
Cost Effective
Keeps kids happy
Innovative Technology
Allows you to get out of the house
Alright Customers, Let’s go back to basics…
What do we ultimately want out of this process?
We want to know that our vendor:
- Is appropriately knowledgeable (People)
- Does the right things (Process)
- Has inherently secure solutions (Technology)
Ultimately, we want to know that you can be trusted!
11. So where do we go from here?
Leading Practices in Cloud Vendor Security Assessments
Customer
1. Assess the Solution, not just the Vendor
2. Evaluate your vendor’s response
3. Think continuous improvement
Vendor
1. Trust/Security is not going away
2. Security can be a differentiator
3. Dedicated team to address customer assessments
4. Channel to direct customer feedback/issues to development
12. Roadmap for the Customer: #1: Assess the Solution, Not the Vendor
Integrate Vendor Assessments into the Solution development and monitoring process
Understand:
- What drove us to procure this solution?
- What are our internal roles and responsibilities? (potentially a significant carve-out, e.g. PaaS)
For periodic vendor reviews, why would we be assessing Security independently of an assessment of the overall relationship?
- Is the solution even meeting our needs?
- Security as a scapegoat, potential waste of effort
“We’ve got a vendor for you…”
13. Roadmap for the Customer: #2: Evaluate your vendor’s response
We want to gain enough information to establish trust and identify gaps
We sometimes settle for…
- A really long questionnaire (that we made, found, bought)
- An attestation report (SOC, PCI, SIG, etc.) we struggle to interpret
- Going onsite and ‘walking around’
14. Roadmap for the Customer: #2: Evaluate your vendor’s response
So how do we establish this trust?
We want to know that our vendor:
● Is appropriately knowledgeable (People)
● Does the right things (Process)
● Has inherently secure solutions (Technology)
15. Roadmap for the Customer: #2: Evaluate your vendor’s response
Example #1: The Cutting Edge SaaS provider
Confidentiality: Highly Confidential, High Volume
Availability: Not business critical
Integrity: Reporting system, no reliance on data integrity
People: 10 person startup
Process: No formal programs, no physical locations
Technology: Penetration Test
16. Roadmap for the Customer: #2: Evaluate your vendor’s response
Example #2: The Mega-Provider
Confidentiality: Highly Confidential, High Volume, Data Masked prior to transmission
Availability: Mission Critical
Integrity: SOX application
People: Formal Info Sec Officer and Team
Process: Formal Programs, SOC reports, etc. etc.
Technology: Legacy Mainframe-based system that does not employ modern security principles
17. Roadmap for the Customer: #3: Think Continuous Improvement
Security vendor management is not a ‘one time’ exercise. Think about:
» How do I set the relationship up for success during due diligence? (Example: Penetration Test)
» Are there vendor communities that our team can become a part of, to keep a pulse on the vendor and its Information Security strategy?
» Is your team trained and incentivized to monitor vendor security?
» Are you gathering feedback from your business units and vendors on your process?
» Automation - continue to refine and explore
18. Roadmap for the Vendor: #1: Trust/Security is not going away
» Security is here to stay
» Customers are not going to drop their data into a black hole; there will always be a need for customer assessments
» Accept this as the future and build people and processes around this
19. Roadmap for the Vendor: #2: Security can be a differentiator
» Transparency into security operations can go a long way
» A company investing in security is looked upon favorably
» Implementing cutting edge security practices vs. keeping up with security
20. Roadmap for the Vendor: #3: Dedicated team to address customer assessments
» Consistency in responses is key
» Team is trained on common security/compliance/regulatory requirements
» React quickly on reports of new zero days (ex: Heartbleed)
» Build tools and processes to quickly respond to assessments
21. Roadmap for the Vendor: #4: Channel to direct customer feedback/issues to development
» Customers will ultimately discover ways to better the product’s security; need a way to get this in the right hands
» Vulnerabilities, zero days, and new attacks happen every day to the most secure systems. Critical findings need to be escalated and handled on an expedited timeframe.
» Responding and adapting to threats is half the battle
22. How do we improve? From the other side of the fence...
Customer
1. Inquiries from customers into Security should be expected, not resisted. We consider that part of the solution.
2. We expect you to be as passionate about Security as we are.
3. Our testing is not your testing.
Vendor
1. Customers should set realistic timeframes on assessments
2. Ask only the essential questions you truly care about, to gain trust
3. Do your homework: talk to the business procuring the solution and research public security information about the solution