Making Measurable Gains
…contextualizing 'secure' in business.


Rafal Los – "Wh1t3Rabbit" – Enterprise & Cloud Security Strategist – HP Software
BayThreat 2011

© Copyright 2011 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
Follow me down the rabbithole




“Security” is estranged from business
Why?

A vast number of IT security professionals are distant from their business.


• Why is this?
    –what are some of the reasons you think this is true?
• What are the results?
    –what are some of the observed results?




Answer:

Information Security often fails, even when it succeeds.
Why?

We can't show how or why we succeeded.

Security incidents hurt.

This is an … [image] business goals

And this is an … [image] 'Security' goals

Let's start here…

Your organization does not exist to be secure.

Why should they care?
1. Will the company stop existing?
2. Will there be loss of life?
3. What's the worst that can happen?

But if organizations don't care about security…

…then why do you have a job?

You can either resign yourself to the fact that you're there to check a box …
OR…
you can contribute meaningfully to your organization.

(Obligatory “bridge is out” slide)




We speak “security talk”

• vulnerabilities
    – SQL Injection, XSS, …
• 0-day attacks
• hacking
• critical, high, medium…

“The business” speaks a different language

• Leveraged risks
• Business exposures
• Cost of capital
• Velocity of change
• Shareholder value

Creating meaningful security impact is not a trivial exercise.

2 Ways to Approach
from organizational or security

Organizational
• Start with organizational objectives
• Works well for starting 'over' (new)
• Work your way towards IT Sec

Security
• Start with existing security, work back
• Works well for 're-aligning' security
• Start in tech, align to business or …

Security Centric approach

1. List out all 'security' activities, tasks, processes, projects and purchases
2. Attempt to map the above to 'organizational goals'
3. Where there is no direct correlation:
  • discontinue the activity, or
  • re-align it to fit one of the org. goals
4. Repeat for all security activity

Example mapping (from the slide):

                 Goal 1   Goal 2   Goal 3
    Task 1          y        n        n
    Activity 1      n        n        n
    Purchase        n        n        y
    Project 1       y        n        y
    Activity 2      n        n        y

    Goal 1: Meet compliance requirement A
    Goal 2: Decrease fraud due to X by 1.25%
    Goal 3: Increase employee productivity 4%

Here Activity 1 correlates with no goal and is the candidate for discontinuation or re-alignment; Project 1 serves two goals.

Organization Centric approach

1. Understand the organization's goals (as in previous approach)
2. Develop security activities, processes, projects, tasks and purchases to align
3. Solve only organizational problems – “through the lens of the org”
4. Hint: You may have to be creative

Measurable Gains in Security?


 It is possible to serve both the
 organization, and security goals
 simultaneously.

 1.        Identify business objectives
 2.        Create tactical & strategic KPIs
 3.        Execute against KPIs
 4.        Measure to ensure positive impact against KPIs
Step 1: Identify business objectives

Get answers in these 3 categories:

• How does existing IT process hinder business excellence?
• What are the organization's current biggest challenges?
• What are the organization's 6, 12 and 18 month goals?

Step 2: Create tactical & strategic KPIs

• Hinder
  • How can you measure improvement to the hindrance?
  • What is bad, how bad is it, and how much better should it be?
• Challenges
  • Should we measure challenges as binary (met/failed)?
  • Can we measure 'overcoming a challenge'?
• Goals
  • Measuring goal acceleration/achievement should be easiest
  • Understand the org's objective, then attempt to accelerate it by X%

Step 3: Execute against KPIs


Go do it.

Execute projects, purchases, activities and processes in the
name of organizational excellence – tell everyone this.

Constantly measure your improvement of KPIs.

Step 4: Measure to ensure positive impact


Have you helped accelerate organizational goals, while
improving security posture?

Keep KPIs simple, with lots of supporting data.




Ultimately “IT Security” will evolve




It is possible to do both

“Serve the business”
Reduce IT vulnerabilities

Thanks for learning something.

Follow me on Twitter: @Wh1t3Rabbit
Read my blog: hp.com/go/white-rabbit
Listen to the podcast: podcast.wh1t3rabbit.net (or iTunes)
Discuss on LinkedIn: Join the 'SecBiz' group

Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAndrey Devyatkin
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...DianaGray10
 

Kürzlich hochgeladen (20)

Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdf
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 

Making Measurable Gains - Contextualizing 'Secure' in Business

  • 1. Making Measurable Gains …contextualizing 'secure' in business. Rafal Los – 'Wh1t3Rabbit' – Enterprise & Cloud Security Strategist – HP Software. BayThreat 2011. © Copyright 2011 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. Confidentiality label goes here
  • 2. Follow me down the rabbit hole
  • 3. "Security" is estranged from business. Why? A vast number of IT Security professionals are distant from their business.
    • Why is this? – what are some of the reasons you think this is true?
    • What are the results? – what are some of the observed results?
  • 4. Answer: Information Security often fails, even when it succeeds. Why? We can't show how or why we succeeded.
  • 5. Security incidents hurt.
  • 6. This is an … business goals
  • 7. And this is an … 'Security' goals
  • 8. Let's start here…
  • 9. Your organization does not exist to be secure.
  • 10. Why should they care? 1. Will the company stop existing? 2. Will there be loss of life? 3. What's the worst that can happen?
  • 11. But if organizations don't care about security… then why do you have a job? You can either resign yourself to the fact that you're there to check a box… OR… you can contribute meaningfully to your organization.
  • 12. (Obligatory "bridge is out" slide)
  • 13. We speak "security talk": vulnerabilities, SQL Injection, XSS, …, 0-day, attacks, hacking, critical, high, medium…
  • 14. "The business" speaks a different language: leveraged risks, business exposures, cost of capital, velocity of change, shareholder value.
  • 15. Creating meaningful security impact is not a trivial exercise.
  • 16. 2 ways to approach: from organizational or security.
    Organizational:
    • Start with organizational objectives
    • Works well for starting 'over' (new)
    • Work your way towards IT Sec
    Security:
    • Start with existing security, work back
    • Works well for 're-aligning' security
    • Start in tech, align to business
  • 17. Security-centric approach
    1. List out all 'security' activities, tasks, processes, projects and purchases
    2. Attempt to map the above to 'organizational goals'
    3. Where there is no direct correlation: • discontinue activity • re-align to fit one of the org. goals
    4. Repeat for all security activity

    Task          Goal 1   Goal 2   Goal 3
    Task 1        y        n        n
    Activity 1    n        n        n
    Purchase      n        n        y
    Project 1     y        n        y
    Activity 2    n        n        y

    Goal 1: Meet compliance requirement A
    Goal 2: Decrease fraud due to X by 1.25%
    Goal 3: Increase employee productivity 4%
  • 18. Organization-centric approach
    1. Understand the organization's goals (as in the previous approach)
    2. Develop security activities, processes, projects, tasks, purchases to align
    3. Solve only organizational problems – "through the lens of the org"
    4. Hint: You may have to be creative
  • 19. (image slide)
  • 20. Measurable gains in security? It is possible to serve both the organization's and security's goals simultaneously.
    1. Identify business objectives
    2. Create tactical & strategic KPIs
    3. Execute against KPIs
    4. Measure to ensure positive impact against KPIs
  • 21. Step 1: Identify business objectives. Get answers to these 3 categories:
    • How does existing IT process hinder business excellence?
    • What are the organization's current biggest challenges?
    • What are the organization's 6, 12, 18 month goals?
  • 22. Step 2: Create tactical & strategic KPIs
    • Hinder
      • How can you measure improvement to the hindrance?
      • What is bad, how bad is it, how much better should it be?
    • Challenges
      • Should we measure challenges as binary (met/failed)?
      • Can we measure 'overcoming a challenge'?
    • Goals
      • Measuring goal acceleration/achievement should be easiest
      • Understand the org's objective, attempt to accelerate by X%
  • 23. Step 3: Execute against KPIs. Go do it. Execute projects, purchases, activities and processes in the name of organizational excellence – tell everyone this. Constantly measure your improvement of KPIs.
  • 24. Step 4: Measure to ensure positive impact. Have you helped accelerate organizational goals while improving security posture? Keep KPIs simple, with lots of supporting data.
  • 25. Ultimately "IT Security" will evolve
  • 26. It is possible to do both: "Serve the business" and reduce IT vulnerabilities.
  • 27. Thanks for learning something. Follow me on Twitter: @Wh1t3Rabbit. Read my blog: hp.com/go/white-rabbit. Listen to the podcast: podcast.wh1t3rabbit.net (or iTunes). Discuss on LinkedIn: Join the 'SecBiz' group

Editor's notes

  1. Please adjust confidentiality notice accordingly