The document discusses the complexities of security awareness and the importance of effective policies and governance in cybersecurity. It emphasizes the need for engagement from senior management and collaboration across business units to create understandable and manageable security protocols. Additionally, it advocates for a risk management approach, iterative improvement, and clarity in communication to foster a culture of security within organizations.

3. http://about.me/barrycaplin
securityandcoffee.blogspot.com

4. Security Isn’t Easy…
We didn’t get into it for the…

5. The Challenge of Security Awareness
Nobody cares about Security…
Why?
And how do we get their attention and
support?

6. Issues
• Security viewed as a negative
• Avoidance v. “risk”
– Delays
– Cost
– Extra work
– “Gotchas”

7. It Can’t Be Just…

8. We need sensible controls…

10. … early in the process…

12. Bad CISO/Good CISO

13. Governance
Governance…
We don’t need
no stinkin’
governance!
Bad CISO

14. Governance
Develop a clear
strategy using
an industry
standard
framework.

15. Policy
All Security
Policy is the
same. I got Bad CISO
mine from a
book.
“Hello Mr. Anderson”

16. Policy
Policies are
based on solid
principles, but
adapted to fit
the
organization.
… and prophesies from the oracle

17. Compliance
We write the
policies. We
make people
sign an oath. Bad CISO
Done.
Compliance and consequences policy

18. Compliance
We must make
(understandable)
policies. We must
teach. We must
assess, measure
and report.

19. Awareness
Users will know
what they have
to do or be
eliminated. Bad CISO

20. Awareness
Users can talk to
Security. We
teach. We answer
questions.

21. Senior Management
I say what
they want to
hear.
They’re not Bad CISO
listening
anyway.

22. Senior Management
Give them the info
they need and
they will be
engaged.

23. Projects and Dev
They can pay me
now or they can
pay me later.
Bad CISO

24. Projects and Dev
We work together
with business to
finish on-time and
with needed
controls.

25. Business Needs
I buy the best
known security
products
because they’ve Bad CISO
got to be good.

26. Business Need
Working together
we find control-
and cost-effective
security products
that work and are
usable.

27. Operations
We’ve always done
it this way.
Bad CISO

28. Operations
We partner with
the business and
tailor the program
to meet the need.

29. Stuff I Say…
KISS

30. Stuff I Say…
No one has “read and
understood”
but definitely still responsible
Simple, direct language in policy
Compliance via education

31. Stuff I Say…
You pay by the word
Keep policies short and sweet
If not, you’ll pay on the
compliance-effort side

32. Stuff I Say…
People want to do the right
thing
but what is the right thing?
Understandable policy
Simple rules

33. Stuff I Say…
Do What Makes Sense
Risk Management approach
Seek out and destroy meaningless
policy/controls/practices

34. Stuff I Say…
Iterative Improvement
Maturity model
CObIT, SEI CMMI

35. Stuff I Say…
Automation!
Metrics
Tools
Reporting

36. Stuff I Say…
What is the business need?
Find out business need in plain
business language

37. Stuff I Say…
Have Fun!

39. Discussion…
Slides at http://slideshare.net/bcaplin
barry.caplin@state.mn.us
bc@bjb.org, @bcaplin, +barry caplin
securityandcoffee.blogspot.com