This document discusses cybersecurity issues and proposes solutions. It notes that many large security breaches have occurred due to simple mistakes, lack of policies, and failure to follow best practices. It argues that good security enhances privacy, but security can exist without privacy. The core problems are identified as lack of qualified security leadership and misaligned priorities between security and other business functions. The document recommends supporting industry groups to share information, and taking a collaborative approach involving all stakeholders to balance security, privacy and business needs.
2. • Certified CISO
• Sold First Software Package in 1971
• Debugged UBASIC for FAU/FIU in 1973
• Member of FreeBSD Development Team
• Finalist EE Times Innovator of the Year
• Holder, US Patent Number 7603711
• Founded Florida Datamation in 1982
– Largest QNX Distributor in the World
– Clients: NSA, VISA, Nortel, SAIC, NOAA, DOD, IBM, 3Com, HP
• Founded SECNAP Network Security in 2001
– Designed IT Risk and Compliance Audit Practice
– Developed and Patented SECNAP’s ID/PS Appliance, core of MSSP Practice
– Clients: SAP, Bank United, City National Bank
• Founded Security Privateers in 2012
Michael Scheidell, CISO
Security Privateers
3. Agenda
Running with Scissors
Massive Security Breaches
Failed Policies
Good Security Enhances Privacy
Change the way you think
Core Problems
Support Industry Initiatives
Take responsibility
4. Security and Privacy Success ?
Running With Scissors
Where else except in Security and Weather can you be
wrong so many times and still keep your job?
5. Running with Scissors
Running with Scissors: Down
Budget cuts reduce security
Systems hacked
Customer data lost
Unauthorized bank transfers
Identity theft
Industrial espionage
Focused on the wrong objectives
6. Sony: #1 Again: 77 million PlayStation Network users
Sega: Striving to be #2: 1.3 million online gaming subscribers
Epsilon: 60 million customers’ data breached
South Carolina Department of Revenue: 6.8 million taxpayers
Running With Scissors
Massive Security Breaches
RSA: Everyone who used RSA key fobs
7. Running With Scissors
•Most talked about security and privacy failures
•Simple security mistakes, programming, carelessness
•When has too much security caused failures?
•You can’t have privacy without security
•But, you CAN have security without privacy
Failed Policies
8. South Carolina Department of Revenue, 6.8 Million Taxpayers
Looking for a CISO for over a year
Could not find qualified candidate for $100K job
Programmers didn’t follow best practices
Network Administrator violated policies
No one tested the application
Dog ate my homework
9. Running with Scissors
Running with Scissors: UP
Spending Too much on Security
Money is wasted
No measurable effect
Ineffective
Focused on the wrong objectives
10. Running With Scissors
What major systemic failure can you think of
in Security and Privacy?
Where has too much Security eliminated
Privacy and did nothing for Security?
Have you experienced too much security?
Good Security Enhances Privacy
EU Data Privacy laws vs. US Data Protection
12. • Mission: The TSA protects the nation’s transportation systems to ensure freedom of movement for people and commerce
• Vision: Continuously set the standard for excellence in transportation security through its people, processes, and technology
Failed Policies?
TSA: Mission, Vision, Core Values
19. Running with Scissors
Core Problems
• More Hardware?
• More People?
• Better Processes?
• Hire a CISO for $100K a year?
• Change Mission Statement?
• Training?
How do you fix it?
20.
Block The Hackers
What do we Really Need?
Full Speed Ahead!
Don’t Touch Anything
Let’s just Wait and See
21. Educate the Board
APT, SQL Injection, Cross Site Scripting,
Split Tunnel, VPN, WPA2, SSL v2, TLS v1,
SDN, SaaS, PaaS, IaaS
What do we Really Need?
CEO
22. What do we Really Need?
CISO
CISO Responsibilities
• Policies
• Guidelines
• Directives
• Procedures
• Standards
23. Balance Sheet, CAPX, Derivatives, GAAP, IFRS, FASB, FIN, EBIDA
What do we Really Need?
CISO
What the CISO needs to know
24. What do we Really Need?
CEO
• Vision
• Mission
• Objectives
• Goals
• Strategies
• Results
25. Isolated and conflicting responsibilities
Executive Management Team
Financial Management Team
CEO
Network Engineers
Security Engineers
SEEMINGLY CONFLICTING
CEO vs CISO
Budget vs Privacy
Spend vs Invest
Expand vs Secure
CISO
30. Ultimately responsible
Network Engineer
Just trying to pay the mortgage and Visa bill
CISO
Reports to CIO
400K budget
CIO/CTO
Reports to CEO
3MM budget
CEO/President
Reports to Board & Shareholders
13MM budget
32. Running with Scissors
Keep the Main Thing The Main Thing
A successful organization understands not only the risks of implementing security and privacy measures, but the risks of NOT implementing them. Running with Scissors: “It’s what we do”
Keep Plenty of Bandaids.
Put Running Shoes on.
Keep Scissors Sharp.
33. • Cloud Security Alliance (CSA)
• Information Systems Audit and Control Association (ISACA)
• Information Systems Security Association (ISSA)
• FBI’s InfraGard
• Host users groups meetings
Support Industry Initiatives
Users Groups, Trade Groups, Share Information
34. Involve Everyone:
•Business case & Budget
•Contractual agreement
•Vision
•Initial product backlog
•Initial release plan
•Stakeholder buy-in
•Assemble team
PREPARATION
SCRUM PROCESS
CTO
CEO/President
Stakeholders
Sprint planning meeting
Daily Cycle
Sprint review
Sprint retrospective
Update product backlog
RELEASE
Product increment
CIO and CSO
Users
CEO/CFO:
Let’s move everything to the cloud. We save on Capex, it’s more secure and gives us redundancy. We don’t care if it’s Amazon, Oracle or HP.
36. CEO Happy: Board of Directors Happy, got his 2MM bonus
CFO Happy: Reduced Operating Expense, No CAP Ex, Reduced Overhead
CIO Happy: CEO gave him his bonus
Users Happy: More services, faster user interface, reduced costs.
If it works: Name your bonus