What affects security program confidence? - may2014 - bill burns
Closing keynote for the Rocky Mountain Information Security Conference, May 2014
Slide 1: What Affects Confidence In Security Programs?
Rocky Mountain Information Security Conference 2014
Bill Burns | Executive-In-Residence | Scale Venture Partners | Bill@ScaleVP.com | @x509v3

Slide 2: My Background
 Production hybrid cloud security at scale
– Deployed distributed, hybrid cloud WAF
– Co-developed CloudHSM for IaaS hardware root of trust
 Corporate IT “all-cloud” security strategy
– Cloud-first, mobile-first infrastructure model
– Mix of public cloud, best-of-breed SaaS
 RSAC Program Committee, Startup Technical Advisory Boards, ISSA CISO Forum & Career Lifecycle
 Previously:

Slide 3: Agenda
 Trends and Forcing Functions on Information Security
 InfoSec’s Role in Managing Business Risk
 Security Innovations, Market Needs
 Early Research Results: Improving Confidence

Slide 4: CISOs: “What Kept You Up Last Night?”
Source: Scale Venture Partners

Slide 5: Top Trends & Forcing Functions on InfoSec
(Chart: each trend rated on a scale from Concern to Unconcern)
Agile/DevOps
BYOD
Shadow IT / Consumerization
Increased Regs/Compliance
Internet Of Things
IT Automation
Mobile computing
SaaS
Ubiquitous Internet Access
Virtualization / IaaS
Weaponization of Internet / espionage
Work/Life Integration
Source: Scale Venture Partners

Slide 6: Security Forcing Function – Mobility, BYOD
Source: Mary Meeker, KPCB

Slide 7: Security Forcing Function – Mobility, BYOD
Smartphone - 58%
Tablet - 42%
By 2017, 50% of employers will require you to BYOD[2] for work.
(1) Pew Research, Jan 2014 | (2) Gartner, May 2013

Slide 8: Security Forcing Function – Work Anywhere
 Blurring work/life integration
– Aruba’s “#GenMobile” initiative
– Starbucks wants to be your life’s “3rd Place”
 Ubiquitous network access & seamless roaming
– 802.11ac, n – wireless networking “just works”
• Faster than typical wired ports, easier to provision
– Mobile 4G LTE is also “fast enough”
• Faster than my home’s DSL
– By 2018: 25% of corporate data will flow directly mobile-cloud[3]
(3) Gartner, Nov 2013

Slide 9: Security Forcing Function – IaaS / Virtualization
 Clouds are compelling to businesses, hard for old security controls to match pace
 AWS Example:
– ~Quadrupled offered services in 4 years
– Reduced pricing 42 times in 8 years as equipment ages out
Source: AWS

Slide 10: Old: Perimeter Firewalls

Slide 11: Old: Perimeter Firewalls
 Castle and Moat (layered) defense
 Place people, data behind datacenter firewalls
 Provisioning workflows were serialized, expensive, slow
 “Behind the firewall” = Trusted

Slide 12: New Perimeters: Follow the Data

Slide 13: New Perimeters: Follow the Data
Security controls evolving to be more:
o Proximal – Move closer to the application and data
o Mobile – Follow the infrastructure, application
o Resilient – Emphasize recovery and response
o Holistic – Include technical, legal, and business-level input
o Coordinated – Reliant on communications, automation

Slide 14: InfoSec’s Role
 Be a trusted advisor to the business
– InfoSec doesn’t own the risk
– Anticipates security risk/controls changes and needs
– Communicates technical risks in business terms
 Implement guardrails and gates based on risk, sensitivity
– Like brakes on a car: Enables the business to take smart risks
– Architect, design, implement controls
– Measure & report risk with data
– Manage remediation, response
 Success: Customers proactively request your guidance!

Slide 15: So…What’s Your Cloud Comfort Level?
 Cloud Adoption / Maturity:
– Naysayers: you can’t do that (but can’t articulate why)
– Pathfinders: here’s how to do it, early lessons learned
– Optimizers: here’s how to do it well, what not to do

Slide 16: So…What’s Your Cloud Comfort Level?
 Cloud Adoption/Maturity
– Naysayers
– Pathfinders
– Optimizers
 Cloud is inevitable
– Get comfortable managing it
– Example: “We have 10 years of legacy work to deal with, we don’t have time to look at our cloud usage!”
– Benefits to agility, automation, consistency
 It’s about the business
– Board-level discussion on results, competition, risk
– “Risk is our business” – Philosopher James T. Kirk

Slide 17: Security Delivered Via Cloud Services

Slide 18: Anticipating Risks: Partners’ Controls
 Service Providers: must consider security as a basic requirement
– They have a smoother attack surface than enterprises
– Laser-focused goals, homogeneous environment, etc.
– All customers pentesting their provider: Doesn’t scale
• Which standard would we all trust? CCM? Other? Discuss.
 Which controls are most relevant, important for your business?
– Prioritize those during negotiations, evaluations, assessments
– Bring Your Own Security: Encryption, incident response, audit, SoD, …

Slide 19: Anticipating Risks: Partners’ Controls
 Integrate Security Controls with Legal
– Risk-based Questionnaires: Level of scrutiny based on data sensitivity
– Contractual: Add boilerplate language in your contracts, MSAs, etc.
• Ask your partners for the security fundamentals
• Operational security basics, secure development, security incident notification, etc.
 Assess Third-Party Partners
– Trust but verify their controls. It’s your data!
– Do one-time and ongoing assessments
– Make sure you’re testing what you anticipated
– Partner with your partners on any findings

Slide 20: SaaS Applications: Growth and Risk Perspective

Slide 21: InfoSec Advisor: New controls and capabilities
 Track movement, access to assets
– Behavioral analytics become embedded, table stakes
– DRM/DLP-like controls, applied closer to the data
– More focus on detection, monitoring
– Blocking done more through orchestration, automation
– Inventories and network paths always up to date
 Restrict access to assets
– Cloud-to-Cloud chokepoints
– SSO and risk-based authentication, authorization
– On-the-fly controls: DLP, encryption, watermarking
– Firewall controls based on tags, data and host classification/sensitivity

Slide 22: Adopting Cloud: Getting Started in IaaS
 Plan: Pick 1-3 security metrics to improve & compare
– Examples: Days to patch vulns, avg host uptime, fw ACLs used
 Do: Start simple, fail fast on “uninteresting” workflows
 Improve: Codify policies, patches, asset management, provisioning.
 Iterate: Review lessons learned often, make small course corrections
– Good security starts with solid operational hygiene
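The three example metrics from the Plan step (days to patch, average host uptime, firewall ACLs used) computed over constructed inventory records and compared quarter over quarter, as an added example that is not from the talk or from Scale Venture Partners; the hosts, dates, rule names and hit counts are all made up.

```python
from datetime import date
from statistics import mean, median

# Constructed sample data (assumption, not from the slides): one record per
# vulnerability finding, with the day it was found and the day it was patched
# (None = still open), for two consecutive quarters.
FINDINGS_Q1 = [
    {"host": "web-01", "found": date(2014, 1, 6), "patched": date(2014, 2, 3)},
    {"host": "web-02", "found": date(2014, 1, 6), "patched": date(2014, 1, 27)},
    {"host": "db-01", "found": date(2014, 2, 10), "patched": None},
]
FINDINGS_Q2 = [
    {"host": "web-01", "found": date(2014, 4, 7), "patched": date(2014, 4, 14)},
    {"host": "web-02", "found": date(2014, 4, 7), "patched": date(2014, 4, 21)},
    {"host": "db-01", "found": date(2014, 5, 5), "patched": date(2014, 5, 19)},
]
# Constructed firewall rules with hit counters, as a firewall would export them.
ACLS = [
    {"name": "allow-web-443", "hits": 120345},
    {"name": "allow-ssh-bastion", "hits": 3124},
    {"name": "allow-legacy-ftp", "hits": 0},
    {"name": "allow-db-3306", "hits": 8812},
    {"name": "allow-old-vpn", "hits": 0},
]
# Constructed last-boot date per host, and the reporting cut-off for each quarter.
LAST_BOOT = {"web-01": date(2014, 6, 2), "web-02": date(2014, 6, 9), "db-01": date(2014, 3, 1)}
AS_OF_Q1 = date(2014, 3, 31)
AS_OF_Q2 = date(2014, 6, 30)

def days_to_patch(findings, as_of):
    """Median days from discovery to patch. Open findings are aged up to as_of
    rather than skipped, so a growing backlog cannot flatter the number."""
    return median(((f["patched"] or as_of) - f["found"]).days for f in findings)

def avg_host_uptime(last_boot, as_of):
    """Mean days since last boot; long uptimes usually mean kernel patches never
    applied, so read it together with days_to_patch."""
    return mean((as_of - booted).days for booted in last_boot.values())

def acl_utilization(acls):
    """Share of rules that matched traffic, plus the rules that matched none
    (cleanup candidates: they widen exposure for no benefit)."""
    unused = [a["name"] for a in acls if a["hits"] == 0]
    return (len(acls) - len(unused)) / len(acls), unused

def percent_change(baseline, current):
    """Quarter-over-quarter change; negative is an improvement for days to patch."""
    return (current - baseline) / baseline * 100
```

Running days_to_patch over both quarters and feeding the result to percent_change gives the single comparable number the slide asks for; the unused-rule list from acl_utilization is the concrete cleanup backlog to review with the firewall owners.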
Slide 23: Summary: Evolving Controls, Maturity
 Get Baseline visibility into your Cloud Services
– Facts critical to business-level conversations
– You’re using more SaaS than you realize
– Share data with IT, legal, other stakeholders
 Monitor and Protect your Data
– Start collecting/mining SaaS access, audit logs
– Integrate with your SIEM, monitoring systems
– Deploy additional controls via chokepoints, automation
 Increase program maturity
– Cloud is an opportunity to codify, automate security
– Operational hygiene is the basis for a solid security program

Slide 24: Wisegate: Maturity Proportional to Confidence
Source: Wisegate IT Security Benchmark, Sept 2013

Slide 25: Areas of Security Interest: Early Results
 Advanced authentication and identification schemes
 App-centric firewalls and containers to protect data
 Behavioral analytics to improve security, fraud
 Continuous endpoint monitoring, orchestration, remediation
 Continuous risk & compliance monitoring, reporting
 Dashboards and analytics to communicate and share metrics
 DevOps / security integrations to codify security
 Holistic DLP, data encryption and key management
 Malware protection without signatures
 Mobile security to protect data anywhere
 PKI and digital certificate management for authentication, encryption
 Proactive / predictive attack detection, real-time response
 Threat intelligence feeds, sharing
Source: Scale Venture Partners

Slide 26: Guidance to Security Vendors: Early Feedback
 Be 10x better - provide superior customer value
– Look for disruptive technologies, approaches
– Interoperate with what I already have
– What can I turn off if I buy your thing?
 Think API, integration first
– Defenders & DevOps: The future is automation, interoperability
– InfoSec staffing is hard, automation is a force multiplier
– No cheating: Build your GUI on your API
 Model, measure, provide insights
– Security A/B testing, modeling allows safe experimentation
– Provide insights of current, continuous risk state
– Want to manage cloud risk better than legacy
– Good deployment strategies start with great migration strategies
Source: Scale Venture Partners

Slide 27: Increasing Confidence: Early Research Results
 Security programs with higher maturity have more confidence
– Regulations help, but also
– Operational consistency,
– Incorporating standardized frameworks (ISO, NIST)
 Build what works for your company’s culture
– Culture trumps strategy
– There is no one, true “map”: Every program is different
– Endpoint-centric vs. network-centric? Block vs. monitor + respond?
 Create, market, share metrics with your peers
– Empowers teams that own responsibility for controls
– Encourages fact-based decision-making
– Communicates your program’s Business Impact
Source: Scale Venture Partners

Slide 28: Thank you!
Security-Research@ScaleVP.com
Bill Burns | Executive-In-Residence | Scale Venture Partners | Bill@ScaleVP.com | @x509v3