Cybersecure Schools, Parents, and Kids
Evan Francen, CEO, SecurityStudio
Agenda - Format
ME: Evan Francen, CEO & Founder of FRSecure and SecurityStudio
I do a lot of security stuff…
• Co-inventor of SecurityStudio®, S²Score, S²Org, S²Vendor, S²Team, and S²Me
• 25+ years of “practical” information security experience (started as a Cisco Engineer in the early 90s)
• Worked as CISO and vCISO for hundreds of companies.
• Developed the FRSecure Mentor Program; six students in 2010, 500+ in 2018
• Advised legal counsel in very public breaches (Target, Blue Cross/Blue Shield, etc.)
AKA: The “Truth”
AKA: The “Preacher”
UNSECURITY: Information Security Is Failing. Breaches Are Epidemic. How Can We Fix This Broken Industry?
Published January, 2019
IMPORTANT!
Before I get started…
• The World Health Organization states that over 800,000 people die every year due to suicide, and that suicide is the second leading cause of death in 15-29-year-olds.
• 5 percent of adults (18 or older) experience a mental illness in any one year.
• In the United States, almost half of adults (46.4 percent) will experience a mental illness during their lifetime.
• In the United States, only 41 percent of the people who had a mental disorder in the past year received professional health care or other services.
• https://www.mentalhealthhackers.org/resources-and-links/
A simple CTF challenge in Robby’s Memory.
qr fbir ygdblcg yafr erodkganc hbd oneqrde oe yb ygr zrcannanc bh ygr kbefbe.
oe qr kgoncrj pwonre qoayanc hbd yafr yb kbfr onj cby bhh ygae powr zwlr jby hbd o kbefak zwans bh on rmr,
qr kolcgy o cwafper bh ebfryganc jrrprd / fbdr fronanchlw ygon oneqrde; pldr zrolym: glfonaym.
qgawr eyaww kopyaioyrj onj rnygdowwrj zm ygae jaekbirdm,
qr zoes an bld lybpao, ydmanc yb fosr ygance hoad onj rtlow,
eb ah qr qrdr yb jrpody onj cry zoks bn zbodj bld oadpwonr onj yafr hanowwm kofr yb cry le,
qr qblwj goir frfbdare zwaeehlw rnblcg yb woey le lnyaw bld nrvy oddaiow onj cair ygrf yb ygr hlyldr, hbd ydlwm mbl snbq grd, zly ah nby, a oeeldr mbl, egr oweb goe o zrolyahlw eblw.
-dbzzm onjdrq qowwrnzrdc zdocc mbld hwoc ae drfrfzrdancwbeygoksrde
One way to get a free book.
Solve this and email me; efrancen@securitystudio.com.
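As an added example (mine, not part of the challenge or the talk), here is the first step an analyst takes against a ciphertext like the one above. It keeps word boundaries, punctuation and letter repetition, which is what a monoalphabetic substitution cipher looks like, so counting letters, pulling out the one-letter words and lining the cipher alphabet up against English letter frequencies gives a starting key that is then corrected by hand. The `CIPHERTEXT` constant is the body of the challenge copied from the slide (the signature line is left out); the functions and the reference frequency ordering are mine, and finishing the key is left to the reader.

```python
"""Letter-frequency analysis: the classic first step against a
monoalphabetic substitution cipher. Added example, not code from the talk;
the ciphertext is the challenge body copied from the slide above."""
from collections import Counter
import string

CIPHERTEXT = """qr fbir ygdblcg yafr erodkganc hbd oneqrde oe yb ygr zrcannanc bh ygr kbefbe.
oe qr kgoncrj pwonre qoayanc hbd yafr yb kbfr onj cby bhh ygae powr zwlr jby hbd o kbefak zwans bh on rmr,
qr kolcgy o cwafper bh ebfryganc jrrprd / fbdr fronanchlw ygon oneqrde; pldr zrolym: glfonaym.
qgawr eyaww kopyaioyrj onj rnygdowwrj zm ygae jaekbirdm,
qr zoes an bld lybpao, ydmanc yb fosr ygance hoad onj rtlow,
eb ah qr qrdr yb jrpody onj cry zoks bn zbodj bld oadpwonr onj yafr hanowwm kofr yb cry le,
qr qblwj goir frfbdare zwaeehlw rnblcg yb woey le lnyaw bld nrvy oddaiow onj cair ygrf yb ygr hlyldr, hbd ydlwm mbl snbq grd, zly ah nby, a oeeldr mbl, egr oweb goe o zrolyahlw eblw."""

# Typical English letters from most to least common (a standard reference ordering).
ENGLISH_BY_FREQUENCY = "etaoinshrdlcumwfgypbvkjxqz"


def letter_frequencies(text):
    """(letter, count) pairs for a-z only, most common first."""
    return Counter(ch for ch in text.lower() if ch in string.ascii_lowercase).most_common()


def top_letter(text):
    """The most frequent cipher letter; in English plaintext that is almost always 'e'."""
    return letter_frequencies(text)[0][0]


def single_letter_words(text):
    """Words of one letter; in English they are almost always 'a' or 'i'."""
    cleaned = text.lower().translate(str.maketrans("", "", string.punctuation))
    return sorted({w for w in cleaned.split() if len(w) == 1})


def frequency_key_guess(text):
    """Naive starting key: pair cipher letters with English letters in frequency order.
    Only the top few pairings are usually right; the rest get corrected by hand
    using word shapes, doubled letters and the one-letter words."""
    ordered = [letter for letter, _ in letter_frequencies(text)]
    return dict(zip(ordered, ENGLISH_BY_FREQUENCY))


def apply_key(text, key):
    """Decrypt with a (partial) cipher->plain key; letters not yet in the key show as '_'."""
    return "".join(key.get(ch, "_") if ch in string.ascii_lowercase else ch for ch in text)


if __name__ == "__main__":
    print("most common cipher letters:", letter_frequencies(CIPHERTEXT)[:6])
    print("single-letter words:", single_letter_words(CIPHERTEXT))
    # Start with just the one pairing that frequency analysis makes near-certain.
    partial = {top_letter(CIPHERTEXT): "e"}
    print(apply_key(CIPHERTEXT.split("\n")[0], partial))
```

The partial-key view is the useful part in practice: with only the most frequent letter filled in, the two-letter words and the repeated short words already constrain the next guesses far more than the raw frequency table does.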
The #Truth
1. Information security isn’t about information or security as much as it is about people.
2. You cannot separate information security, privacy, and safety.
3. Everybody has something that somebody wants.
4. We are all in this together.
Security people and “normal” people.
You know we have a language problem in our industry, right?
Our Industry
(word cloud of industry jargon) AI, Blockchain, Penetration Test, Vulnerability Management, NIST CSF, Risk Management, Containers, Incident Management, Cyber Insurance, Threats, Maturity Assessment, Malware, Security, Cryptography, Breach, APT, Cybersecurity, BCDR, Trojan, Spoofing, UTM, Phishing, Vishing, DDoS, Worm, Botnet, ML, Vulnerability, Zero-Day, Layered, Exploit, Threat Actor, Attribution, Kali, OSCP, CISSP
How many of you are security people (my tribe)?
Normal People See Us Like…
(the same word cloud of industry jargon)
Why? Because we don’t agree on a language.
Their Language
FIX: Fundamentals and simplification. Translation/Communication.
Let’s test this…
Information Security is Managing Risk.
Information Security is NOT Eliminating Risk.
Information Security is NOT Compliance.
Information Security is Managing Risk… of what?
Managing Risk of unauthorized disclosure, alteration, and/or destruction of information.
…in what?
Managing Risk of unauthorized disclosure, alteration, and/or destruction of information in Administrative Controls, Physical Controls, and Technical Controls.
Administrative Controls: easier to go through your secretary than your firewall.
Physical Controls: a firewall doesn’t help when someone steals your server.
Technical Controls: YAY! IT stuff.
What’s risk?
Likelihood: of something bad happening.
Impact: if it did.
How do you figure out likelihood and impact?
Start with vulnerabilities.
• Vulnerabilities are weaknesses.
• A fully implemented and functional control has no weakness.
• Think CMMI, 1 – Initial to 5 – Optimizing.
OK, but there’s no risk in a weakness by itself, right?
That’s right! We need threats too.
There is NO risk
• For vulnerabilities without a threat.
• For threats without a vulnerability.
So, what is information security?
Information security is managing risk (likelihood and impact, determined by threats and vulnerabilities) of unauthorized disclosure, alteration, and/or destruction of information in administrative, physical, and technical controls.
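The chain of definitions above (risk as likelihood and impact; vulnerabilities as control weaknesses rated on the CMMI 1–5 scale, with a fully implemented control having none; administrative, physical and technical controls; no risk without both a threat and a vulnerability) is concrete enough to write down as a small model. The following is an added example of mine, not the S²Score or any SecurityStudio method: the control names, threats and numbers are constructed, and the choices that the talk leaves open are labelled as assumptions in the comments (likelihood taken from the weakest control in a threat's way; a control a threat needs that does not exist at all counted as the worst possible weakness rather than as "no vulnerability").

```python
"""Toy risk model of the talk's definitions. Added example, not the S²Score
or any real scoring method; all controls, threats and numbers are constructed."""
from dataclasses import dataclass
from enum import Enum


class ControlType(Enum):
    ADMINISTRATIVE = "administrative"
    PHYSICAL = "physical"
    TECHNICAL = "technical"


@dataclass(frozen=True)
class Control:
    name: str
    kind: ControlType
    maturity: int  # CMMI-style: 1 = Initial ... 5 = Optimizing

    def vulnerability(self) -> int:
        """Weakness left by this control: 4 at maturity 1, 0 when fully implemented."""
        if not 1 <= self.maturity <= 5:
            raise ValueError(f"{self.name}: maturity must be 1..5, got {self.maturity}")
        return 5 - self.maturity


@dataclass(frozen=True)
class Threat:
    name: str
    impact: int         # 1 (minor) .. 5 (severe): how bad it would be if it happened
    targets: frozenset  # names of the controls this threat has to get past


# Assumption: a control a threat needs that is not in the list at all is an absent
# control, weaker than one at level 1. It is NOT a "threat without a vulnerability".
ABSENT_CONTROL_WEAKNESS = 5


def risk(threat: Threat, controls) -> int:
    """Risk = likelihood x impact for one threat.
    Assumption: likelihood comes from the weakest control standing in the
    threat's way (weakest link). If every such control is fully implemented the
    weakness is 0 and so is the risk; a threat with nothing to exploit is no risk."""
    by_name = {c.name: c for c in controls}
    weaknesses = [by_name[n].vulnerability() if n in by_name else ABSENT_CONTROL_WEAKNESS
                  for n in threat.targets]
    likelihood = max(weaknesses, default=0)
    return likelihood * threat.impact


def risk_register(threats, controls):
    """Threats ordered by risk, highest first: what really matters."""
    return sorted(((t.name, risk(t, controls)) for t in threats), key=lambda r: -r[1])


def total_risk(threats, controls) -> int:
    return sum(value for _, value in risk_register(threats, controls))


def untargeted_weaknesses(threats, controls):
    """Weak controls that no listed threat goes after: vulnerabilities without a
    threat. They add nothing to the total today, but they are the first thing to
    revisit whenever the threat list changes."""
    targeted = set().union(*(t.targets for t in threats))
    return [c.name for c in controls if c.vulnerability() > 0 and c.name not in targeted]


# Constructed example: a small school's controls and the threats that matter to it.
EXAMPLE_CONTROLS = [
    Control("Security awareness training", ControlType.ADMINISTRATIVE, 2),  # weakness 3
    Control("Server room lock", ControlType.PHYSICAL, 5),                   # weakness 0
    Control("Firewall", ControlType.TECHNICAL, 4),                          # weakness 1
    Control("Backup restore testing", ControlType.TECHNICAL, 1),            # weakness 4
]
EXAMPLE_THREATS = [
    Threat("Phishing email to staff", 4, frozenset({"Security awareness training"})),
    Threat("Server theft", 5, frozenset({"Server room lock"})),
    Threat("Network intrusion", 3, frozenset({"Firewall", "Security awareness training"})),
]

if __name__ == "__main__":
    for name, value in risk_register(EXAMPLE_THREATS, EXAMPLE_CONTROLS):
        print(f"{value:3d}  {name}")
    print("total risk:", total_risk(EXAMPLE_THREATS, EXAMPLE_CONTROLS))
    print("weak, but no threat listed:", untargeted_weaknesses(EXAMPLE_THREATS, EXAMPLE_CONTROLS))
```

Two things the numbers make visible that the slides only state: the fully implemented server-room lock turns a severe threat into zero risk (threat without a vulnerability), and the level-1 backup testing shows up as a vulnerability without a threat, so it contributes nothing until a threat that needs it (a ransomware scenario, say) is added to the list.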
Some more #truth about information security
It’s relative.
Something insecure at the core will always be insecure.
You can’t manage what you can’t measure.
You can’t manage risk without assessing it.
Complexity is the enemy.
The better you know yourself, the better you can protect yourself.
You cannot build any effective security program or strategy in a school or at home without an assessment.
As many as 90% of schools fail to do fundamental information security risk assessments.
WHY? Reason #1: Complexity
(the full information security diagram above, again)
Fine for our tribe, but what about the others?
What if we made a simple score to represent this?
We did. We call it the S²Score.
The S²Score is a simple and effective language to communicate information security to everyone (parents, students, school boards, other security people, administration, regulators, etc.).
As many as 90% of schools fail to do fundamental information security risk assessments.
Reason #2: Cost
Let’s make an information security risk assessment that’s FREE!
The assessment that creates the S²Score is available at no cost to anyone. No budget, no problem.
There’s no catch.
For those who like our snazzy standards and acronyms, the S2Org is derived from and mapped to:
• NIST CSF
• NIST SP 800-53
• NIST SP 800-171
• ISO 27002
• COBIT
• Others…
That’s for schools…
S2Org is free. https://securitystudio.com. ECMECC is a trusted partner helping schools.
What about parents and kids?
(security is security, which is good)
People are creatures of habit.
We can’t address issues that we don’t know about.
The same people at home are the same people at work and school.
This also requires an assessment.
The better you know yourself, the better you can protect yourself.
Motivation will come from understanding.
In information security, ignorance isn’t bliss!
The default is risk ignorance.
If data security doesn’t motivate… maybe privacy will. If privacy doesn’t motivate… surely safety will!
DANGER! It’s breach.
Here’s what we’ll do…
S2Me is also free. Always will be. https://s2me.io.
Eventually (maybe soon), we create an S2Teen too.
What to do NOW!
By speaking a common language we can work on what really matters (our most significant risks).
What we’re going to do:
• Keep preaching.
• Work politically.
• Keep improving (by listening).
What you need to do:
• Get your S2Org Assessment and do it!
• Help us preach.
• Get your free S2Me Assessment.
• Get your family, friends, and parents to do one too.
• Help us improve (by talking).
What’s the point?
People are the point!
Information security is not about information or security as much as it is about people.
People within our industry and people who work with us are confused and we’re wasting valuable resources.
ECMECC is a trusted partner!
Ask them for help or more information.
Follow me/us on Twitter:
@evanfrancen
@StudioSecurity
Thank you!

Keynote @ ECMECC School Security Summit