Many CISOs and security professionals fail to get enough funding to adequately protect their organizations. This presentation looks at why technology professionals are treated like outsiders in so many organizations, and how better understanding the business and partnering with it to deliver digital solutions can change an organization into one that sees security as an enabler.
You have 16 minutes until the first click on a phishing campaign. The first report from a savvy user will arrive after 28 minutes.
68% of breaches took months or longer to discover.
A whopping 81% involved stolen or weak passwords.
43 percent of cyber attacks target small business.
Only 14 percent of small businesses rate their ability to mitigate cyber risks, vulnerabilities and attacks as highly effective.
60 percent of small companies go out of business within six months of a cyber attack.
48 percent of data security breaches are caused by acts of malicious intent. Human error or system failure account for the rest.
In the aftermath of these incidents, these companies spent an average of $879,582 because of damage or theft of IT assets.
In addition, disruption to normal operations cost an average of $955,429.
IT started out just weird.
Companies had one computer. It required a huge, freezing cold, dedicated room, and you had to wear a white lab coat just to go in.
People walked around shoving stacks of punch cards into the machine to make it spit out a number saying the books were balanced correctly.
Guys like this were everywhere.
We spoke of C and classes and functions. We talked about getting physical bugs out of machines.
Can you imagine the Miltons next to Don Draper?
We were seen as outsiders that “the business” people didn’t understand.
We were never really part of the company. We were servants that let them do their jobs.
They didn’t understand what we did or how we did it.
They would give us a list of requirements, which we really should have called their wish list.
We would spend weeks breaking them down,
produce a Gantt chart,
and give them a number.
No matter what we gave them it was too high. We’d fight for weeks, drop requirements, drop time and in turn “price.”
At the end we’d agree, but no one walked away happy.
Then we’d go away for months and start building.
We had to buy new servers, rack them, stack them, put them on the network, set up DNS, install the software, and only then could we start writing code…
Halfway through they’d tell us they didn’t need what we were building anymore and wanted something else.
We’d yell scope creep and
we’d make another one of these.
At this point lots of projects were cancelled or failed to deliver what the business wanted.
Many organizations are going through a “digital transformation.” Every single business is becoming a digital business. Everyone is realizing that the data we produce and consume as a business is becoming much more powerful than the things we produce.
The auto manufacturers around us are turning into digital platforms; it’s less and less about the cars we make. As we move towards cars that drive themselves, people will care less about the bubble they’re in and more about what that bubble can do for them: pay from your dashboard, watch movies in the back seat, car rental as a service.
Finance and banking are finally standardizing the APIs for doing business between them and opening up to additional services.
Healthcare is finally maturing to allow us to securely share our records between doctors.
Businesses are looking to create new business models, markets, products and services through new experiences with their customers.
The business side of the world is seeing an ability to remove the operations and maintenance overhead of running all of the services on site and give them to someone else for a nominal fee.
As the security centric folks in the company this is how we feel.
Our company’s most critical data is going everywhere. Salesforce is taking all our CRM data. We have at least four different cloud providers where company data resides, probably in an unencrypted, misconfigured S3 bucket.
Multiple startups that don’t care about your data or privacy are riding on top of these platforms, leaving the business users to secure them, while we’re busy trying to blacklist URLs and force users into an MDM they don’t want to use.
Usernames and passwords are being generated on the fly in a bunch of different systems by any business user with a credit card.
This is the third digital transformation I’ve seen in my career and I’ve only been doing this for about 20-25 years. Mainframe migration, IT modernization, Web 2.0 and now digital transformation. We claim that there are new ways of doing business, new opportunities that must be captured, and that IT isn’t moving fast enough, so we have to toss a grenade at it.
When you really look at it, this is the culmination of years of mismanaged IT projects and service offerings that aren’t delivering the value they promised.
How many projects have we seen where they put a whole bunch of developers on it, a bunch of focus, and then “poof”, there goes all the support once it hits production. Magically the business believes the project is over and things will just run in production without any care and feeding. This is now “operations and maintenance,” as if we were buying a car and just have to put gas in it, change the oil and tires, and it should last for a decade.
But we can use this as an opportunity.
Everyone has a phone in their pocket that can balance the books and show their individual and the organization’s sales in real time.
Most of the organization supports their own machines.
Everyone has a cousin or a nephew who wrote an app.
Amazon Echo is now three years old and everyone has one in their kitchen.
Users understand the importance of two-factor thanks to the banking industry and are asking us for it internally.
We’re much more approachable now, but they expect a lot more from us.
Businesses are scared of being left behind
33% of customers expect a personalized experience in exchange for their information
51% of customers would switch banks for a better app; 10% already have.
85% of marketing teams are not ready for GDPR. Penalties are the greater of $24M or 4% of your revenue.
89% of customers are uncomfortable sharing personal data without their consent
With the availability of cloud services we can start moving faster than ever before and have a demo environment up in minutes.
We have an ability to put all the hardware, network, and platform service acquisition problems behind us. The cloud vendors are incentivized to give us secure platforms to build from because it’s their reputation as well. We have access to services at a secure, massive scale that we could never have dreamed of 5 years ago.
Amazon alone has 500,000 people and is making over $20 billion a year this year. Google over 125,000 people. Microsoft nearly 100,000. Let them be smarter than all of us.
Companies are scared of being the next Equifax or Facebook. Equifax has screwed all of us harder than we can even imagine. It’s all been out there for years, but they’re the first to publicly admit it and have direct attribution at scale.
Facebook, as stupid as it was, is really pushing the privacy and trust discussion forward.
This gives us an opportunity.
We are quickly moving away from just being able to take from consumers and customers. Consumers are realizing that they have options in the market and don’t have to give up their data.
The business is struggling to enable this transformation and give customers options for sharing their data.
How many times today do you install an app and it asks you for 50 permissions on your phone? I deny them all and uninstall it.
We are asking users to trust us with their credit card numbers, their account permissions, their kids, access to their homes and vehicles, their entire medical history, the appliances in their home.
If the business makes this mistake and loses the data, then all the trust is lost.
At this point we might be tempted to say “Did you know that on average, when a company loses its customers’ financial information, it generates a loss of $1.5 Billion in market value?”
They know it, we don’t have to tell them anymore. This is on the front of every CEO and board member’s mind.
We can use this.
Link customer profiles.
Manage relationships.
Add accounts – Spotify, Pandora, etc.
Add credit cards
Vehicle profiles
New car buying experience – pair your phone and your profile gets loaded directly
Rental vehicles
Dealership oil change opportunities
Trunk deliveries
Self driving cars
Partner with Comcast
Where did you pause it? Loaded directly into the car you step into in the morning
Content providers
You have a trust problem, not an identity problem. You’re asking people for a lot of personal information that can do them damage, and you need to have a platform for all of that info in one place that you can protect and that people can trust. You want one place to manage, secure and audit the hell out of, instead of spreading that around to different platforms. You also want to be able to quickly add new services and capabilities without having to redesign or go through a bunch of custom integration links.
This now gives us centralized services that the company can buy into:
Centralized authentication
Centralized authorization
An auditable API gateway
A secure data store for credentials on users and APIs
A secure device and IoT platform.
We have a SIEM / logging platform that can audit all these events and actions and provide that both for our own services and for their own metrics.
We need to work with the people on the business side to find out their desired outcomes instead of getting a list of requirements. We need to ask them what their desired business impact is and what behaviors they are looking to get from the customers. Read those leadership strategy emails or slides from the yearly all-hands meeting and come prepared with ideas.
When you work towards outcomes, the team becomes valuable because it takes ownership of the outcome from the beginning. The team doesn’t assume the product owner knows what the customer wants and is in a place to try new ideas, working together with the business to make it successful. Constantly testing hypotheses. We’ve done this for years in marketing by using test markets and then expanding on successful trials.
Be Proactive: Read the “top 5 priorities list” the business puts out every year. Then you know what the business is looking to do. Look for opportunities to do that securely. One thing you have that Amazon, Google, and Microsoft can never compete with is inside knowledge of your business. Customers don’t know what they don’t know. If you can lead them to solutions that also help your cause, it’s a double win. Log aggregation tools and SIEMs can give them great insight into customer patterns and behaviors if built correctly. Just because it’s a security tool doesn’t mean it can’t be a business tool too. They want analytics at a user level; we can pretty easily give them that.
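An added example (not from the talk) of the "security tool as business tool" point: one pass over the same gateway log stream produces both a security view (repeated failed logins per user) and the user-level analytics the business asks for. The log format and the sample lines are constructed for illustration; a real SIEM export would need its own parser.

```python
"""Constructed example: one pass over auth-gateway logs yields both a
security view (failed logins per user) and a business view (active users
and events per product). Log format and data are made up for this demo."""
from collections import defaultdict

# Constructed sample log lines, not real data (hypothetical gateway format).
SAMPLE_LOG = """\
2024-05-01T08:01:00Z user=alice product=mobile_app event=login result=ok
2024-05-01T08:02:10Z user=bob product=web event=login result=fail
2024-05-01T08:02:15Z user=bob product=web event=login result=fail
2024-05-01T08:02:20Z user=bob product=web event=login result=fail
2024-05-01T08:03:00Z user=carol product=mobile_app event=login result=ok
2024-05-01T08:04:00Z user=alice product=mobile_app event=purchase result=ok
2024-05-01T08:05:00Z user=bob product=web event=login result=ok
"""


def parse_line(line):
    """Turn 'ts key=value ...' into a dict; the timestamp is kept under 'ts'."""
    ts, *kvs = line.split()
    rec = dict(kv.split("=", 1) for kv in kvs)
    rec["ts"] = ts
    return rec


def analyze(log_text, fail_threshold=3):
    """Return (security_view, business_view) built from the same log stream."""
    failed = defaultdict(int)          # user -> failed login count
    active_users = defaultdict(set)    # product -> set of users with a success
    events = defaultdict(int)          # (product, event) -> successful count
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["event"] == "login" and rec["result"] == "fail":
            failed[rec["user"]] += 1
        if rec["result"] == "ok":
            active_users[rec["product"]].add(rec["user"])
            events[(rec["product"], rec["event"])] += 1
    security = {
        "failed_logins": dict(failed),
        # Users at or above the threshold are worth a second look by SecOps.
        "users_over_threshold": sorted(u for u, n in failed.items() if n >= fail_threshold),
    }
    business = {
        "active_users": {p: len(us) for p, us in active_users.items()},
        "events": {f"{p}/{e}": n for (p, e), n in events.items()},
    }
    return security, business


if __name__ == "__main__":
    sec, biz = analyze(SAMPLE_LOG)
    print("security:", sec)
    print("business:", biz)
```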
Break down the silos: Walk through the marketing department, stare at the walls awkwardly until someone asks you WTF you’re doing. Then ask questions and find out what their problems are. Go to the sales department and do the same thing. Then in a week come back and say “hey, I think I have something that might help you” and tell them about it. If they are interested, tell your boss about it. Work like hell to show them a prototype quickly.
Increase Automation: If you aren’t learning Kubernetes, Puppet/Chef/Ansible, and how CI/CD works, do it now. It’s the only way to keep things moving. We need to be able to keep up with the Amazons of the world and integrate into their platforms. If you have a way to accelerate that, can anticipate the business’s and other developers’ needs, and have it ready, you look like the hero. This can’t be done without automation. Learn to script and learn to write simple code, i.e. something like Python. It’s going to be all about the data, and if you can pull data from systems together and give it to the business they’ll love you to death.
Review shitty processes: