This document discusses cybersecurity issues and proposes solutions. It notes that many large security breaches have occurred due to simple mistakes, lack of policies, and failure to follow best practices. It argues that good security enhances privacy, but security can exist without privacy. The core problems are identified as lack of qualified security leadership and misaligned priorities between security and other business functions. The document recommends supporting industry groups to share information, and taking a collaborative approach involving all stakeholders to balance security, privacy and business needs.

1. Running with Scissors
Security Hurts No Matter What

2. • Certified CISO
• Sold First Software Package in 1971
• Debugged UBASIC for FAU/FIU in 1973
• Member of FreeBSD Development Team
• Finalist EE Times Innovator of the Year
• Holder, US Patent Number 7603711
• Founded Florida Datamation in 1982
– Largest QNX Distributor in the World
– Clients: NSA, VISA, Nortel, SAIC, NOAA, DOD, IBM, 3Com, HP
• Founded SECNAP Network Security in 2001
– Designed IT Risk and Compliance Audit Practice
– Developed and Patented SECNAP’s ID/PS Appliance, core of MSSP Practice
– Clients: SAP, Bank United, City National Bank
• Founded Security Privateers in 2012
Michael Scheidell, CISO
Security Privateers

3. Agenda
Running with Scissors
Massive Security Breaches
Failed Policies
Good Security Enhances Privacy
Change the way you think
Core Problems
Support Industry Initiatives
Take responsibility

4. Security and Privacy Success ?
Running With Scissors
Where else except in Security and Weather can you be
wrong so many times and still keep your job?

5. Running with Scissors
Running with Scissors: Down
Budget cuts reduce security
Systems hacked
Customer data lost
Unauthorized bank transfers
Identify theft
Industrial espionage
Focused on the wrong objectives

6. Sony: #1 Again 77 million play station network users
Sega: Striving to be #2: 1.3 Million online gaming subscribers
Epsilon: 60 Million customer’s data breached
South Carolina Department of Revenue: 6.8 Million tax payers
Running With Scissors
Massive Security Breaches
1
2
3
4
5
RSA: Everyone who used RSA key fobs

7. Running With Scissors
•Most talked about security and privacy failures
•Simple security mistakes, programming, carelessness
•When too much security caused failures?
•You can’t have privacy without security
•But, you CAN have security without privacy
Failed Policies

8. South Carolina Department of Revenue, 6.8 Million Tax payers
 Looking for a CISO for over a year
 Could not find qualified candidate for $100K job
 Programmers didn’t follow best practices
 Network Administrator violated policies
 No one tested the application
 Dog ate my homework

9. Running with Scissors
Running with Scissors: UP
Spending Too much on Security
Money is wasted
No measurable effect
Ineffective
Focused on the wrong objectives

10. Running With Scissors
What major systemic failure can you think of
in Security and Privacy?
Where has too much Security eliminated
Privacy and did nothing for Security?
Have you experienced too much security?
Good Security Enhances Privacy
EU Data Privacy laws vs. US Data Protection

11. Security Without Privacy
$8 Billion Dollar Budget in 2012
$88 Billion Dollars since 2001

12. • Mission: The TSA protects the nation’s
transportation systems to ensure freedom
of movement for people and commerce
• Vision: Continuously set the standard for
excellence in transportation security
through its people, processes, and
technology
Failed Policies?
TSA: Mission, Vision, Core Values

13. Security Without Privacy
$80 Million, and now $245 Million

14. Enhanced Security
What did the TSA Find?

15. Enhanced Security
What did the TSA Find?

16. Enhanced Security
What did the TSA Find?

17. Show of hands: Who feels more Secure?PART
TWO – YES/NO

18. Less Secure ?

19. Running with Scissors
Core Problems
• More Hardware?
• More People?
• Better Processes?
• Hire a CISO for $100K a year?
• Change Mission Statement?
• Training?
How do you fix it?

20. 3D SLIDE MAN – EMOTIONS PART TWO – YES/NO
Block The Hackers
What do we Really Need?
Full Speed Ahead!
Don’t Touch Anything
Anything
Lets just Wait and See

21. Educate the Board
APT, SQL Injection, Cross Site Scripting,
Split Tunnel, VPN, WPA2, SSL v2, TLS v1,
SDN, SaaS, PaaS, IaaS
What do we Really Need?
CEO

22. What do we Really Need?
CISO
CISO Responsibilities
• Policies
• Guidelines
• Directives
• Procedures
• Standards

23. Balance Sheet, CAPX, Derivatives, GAAP, IFRS,
FASB, FIN, EBIDA
What do we Really Need?
CISO
What the CISO needs to know

24. What do we Really Need?
CEO
• Vision
• Mission
• Objectives
• Goals
• Strategies
• Results

25. Isolated and conflicting responsibilities
Executive Management Team
Financial Management Team
CEO
Network Engineers
Security Engineers
SEEMINLY CONFLICTING
CEO vs CISO
Budget vs Privacy
Spend vs Invest
Expand vs Secure
CISO

26. Decision Time: Who is Responsible?
Who has Authority ?TWO – YES/NO

27. 3D SLIDE MAN – EMOTIONS PART TWO – YES/NO
Not My Job

28. CEO is responsible for final decision
What do we really need?
CEO, CFO, CIO, CSO must agree

29. It is the
CIO/CFO/CTO/CSO’s
fault
What if we don’t agree?

30. Ultimately responsible
Example text
Go ahead and replace it with your own text. This is an
example text. Go ahead and replace it with your own text.
Go ahead and replace it with your own text
Network Engineer
Just trying to pay the
mortgage and visa bill
CISO
Reports to CIO
400K budget
CIO/CTO
Reports to CEO
3MM budget
CEO/President
Reports to Board &
Shareholders
13MM budget

31. What do we really need?

32. Running with Scissors
Keep the Main Thing The Main Thing
A successful organization understands the risks of
not only implementing security and privacy measures,
but the risks of NOT implementing them. Running
with Scissors: “Its what we do”
Keep Plenty of
Bandaids.
Put Running
Shoes on.
Keep Scissors
Sharp.

33. • Cloud Security Alliance (CSA)
• Information Systems Audit and Control
Association (ISACA)
• Information Systems Security Association
(ISSA)
• FBI’s InfraGard
• Host users groups meetings
Support Industry Initiatives
Users Groups, Trade Groups, Share Information

34. Involve Everyone:
•Business case & Budget
•Contractual agreement
•Vision
•Initial product backlog
•Initial release plan
•Stakeholderbuy-in
•Assemble team
PREPARATION
SCRUM PROCESS
CTO
CEO/President
Stakeholders
Sprint planning
meeting Daily Cycle
Sprint review
Sprint
retrospective
Update
product
backlog
RELEASE
Product
increment
CIO and
CSO
Users
CEO/CFO:
Lets move everything to the cloud.
We save on Capex, its more secure
and gives us reduncancy. We don’t
care if its Amazon, Oracle or HP

35. Everyone is
Happy
Company is secure, privacy maintained
CEO CFO
CTOCSO Programmers Users
CIO

36. CEO Happy: Board of Directors
Happy, got his 2MM bonus
1
CFO Happy: Reduced Operating Expense
No CAP Ex, Reduced Overhead
2
CIO Happy: CEO give him his bonus
3
Users Happy: More services, faster
user interface, reduced costs.
4
If it works: Name your bonus

37. THANK YOU!
Michael Scheidell, Managing Director, CISO
Security Privateers
www.securityprivateers.com
+1.561.948.1305 / michael@securityprivateers.com
Copyright 2013, Security Privateers
Portions Copyright Ron Leishman