Page 1
The Business Doesn’t Care
Rafal Los – “Wh1t3Rabbit” – Enterprise & Cloud Security Strategist – HP Software
Security BSides Atlanta
© Copyright 2011 Hewlett-Packard Development Company, L.P. The information
contained herein is subject to change without notice. Confidentiality label goes here
…and it's your fault.
Page 2
Follow me down the rabbithole.
Page 3
Why?
“Security” is estranged from business
A vast number of IT security professionals are distant from their business.
• Why is this? What are some of the reasons you think this is true?
• What are the results? What are some of the observed results?
Page 4
This is an …
Page 5
And this is an …
Page 6
That was too easy …
Page 7
Define Risk
1. First definition
2. Second definition
3. Third definition
Page 8
Define Vulnerability
1. First definition
2. Second definition
3. Third definition
Page 9
Page 10
Security IS part of the business.
…but what does that mean, really?
• Is your CISO/CSO on the executive board of the company?
• Does your CISO/CSO have executive power?
• …what does this mean?
Page 11
Relating Security <> Business
What are 3 of your company's board-level goals for the next fiscal year?
1. Goal 1
2. Goal 2
3. Goal 3
Page 12
The bridge between Security | Business is out.
Page 13
We speak “security talk”
vulnerabilities
0-day attacks
hacking
SQL Injection, XSS, …
critical, high, medium…
Page 14
“The business” speaks a different language
Leveraged risks
Business exposures
Cost of capital
Velocity of change
Shareholder value
Page 15
Driving off the risk/reward cliff …blind
Page 16
Oh …
Page 17
Now what? How do you succeed?
• “Speak business language”
• cliché …but how?
• How do you relate IT risks to business risks?
Page 18
Get to know your business
Get to know your business
• What does your company really do?
• What does your board care about?
• What gets your CEO his or her bonus?
• What do analysts say about your company?
• What do your customers care (or not) about?
What are your company's business exposures and risks?
• What are your market risks from doing business?
• What are your critical business exposures?
• How can the CISO/CSO help mitigate those issues?
Page 19
How can we relate IT to business ‘security’?
How would you convince your CEO that a SQL Injection vulnerability can sink their shareholder value?
Page 20
Ultimately “IT Security” will evolve
Page 21
Security Ops vs. Security Strategy
Security Operations (SecOps)
• Operational security group
• Traditional firewall controls
• Day-to-day security technology
• Not a separate IT unit (“security”)
• Infused into operational IT groups
  • server management
  • network management
  • desktop management
VS
Security Strategy
• IT “risk” advisory consulting
• Align to risk management, legal
• Review, relate, advise the business
• Independent, small, agile group
• Report into CRO, CFO
  • eliminate conflict of interest
  • get “closer to the business”
Page 22
It is possible to do both
“Serve the business”
Reduce IT vulnerabilities
Page 23
Thanks for learning something.
Follow me on Twitter: @Wh1t3Rabbit
Read my blog: hp.com/go/white-rabbit
Listen to the podcast: podcast.wh1t3rabbit.net (or iTunes)
Discuss on LinkedIn: Join the ‘SecBiz’ group