Making Measurable Gains
…contextualizing 'secure' in business.


Rafal Los – "Wh1t3Rabbit" – Enterprise & Cloud Security Strategist – HP Software
BayThreat 2011

© Copyright 2011 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. Confidentiality label goes here
Follow me down the rabbithole




“Security” is estranged from business
Why?

A vast number of IT Security professionals are distant from their business.


• Why is this?
  – what are some of the reasons you think this is true?
• What are the results?
  – what are some of the observed results?




Answer:

Information Security often fails, even when it succeeds.

Why?

We can't show how or why we succeeded.

Security incidents hurt.
This is an …
  business goals
And this is an …
  'Security' goals




Let's start here…




Your Organization does not exist to be secure.
Why should they care?

1. Will the company stop existing?
2. Will there be loss of life?
3. What's the worst that can happen?
But if organizations don't care about security…

…then why do you have a job?

You can either resign yourself to the fact that you're there to check a box…

OR…

you can contribute meaningfully to your organization.
(Obligatory “bridge is out” slide)




We speak "security talk"

• vulnerabilities
• SQL Injection, XSS, …
• 0-day attacks
• hacking
• critical, high, medium…




"The business" speaks a different language

• Leveraged risks
• Business exposures
• Cost of capital
• Velocity of change
• Shareholder value


Creating meaningful security impact is not a trivial exercise.
2 Ways to Approach
from organizational or security

Organizational
• Start with organizational objectives
• Works well for starting 'over' (new)
• Work your way towards IT Sec

Security
• Start with existing security, work back
• Works well for 're-aligning' security
• Start in tech, align to business or …
Security Centric approach

1. List out all 'security' activities, tasks, processes, projects and purchases
2. Attempt to map the above to 'organizational goals'
3. Where there is no direct correlation:
   • discontinue activity
   • re-align to fit one of org. goals
4. Repeat for all security activity

Example mapping:

  Task          Goal 1   Goal 2   Goal 3
  Task 1          y        n        n
  Activity 1      n        n        n
  Purchase        n        n        y
  Project 1       y        n        y
  Activity 2      n        n        y

  Goal 1: Meet compliance requirement A
  Goal 2: Decrease fraud due to X by 1.25%
  Goal 3: Increase employee productivity 4%
Organization Centric approach

1. Understand the organization's goals (as in previous approach)
2. Develop security activities, processes, projects, tasks, purchases to align
3. Solve only organizational problems – "through the lens of the org"
4. Hint: You may have to be creative


Measurable Gains in Security?

It is possible to serve both the organization and security goals simultaneously.

1. Identify business objectives
2. Create tactical & strategic KPIs
3. Execute against KPIs
4. Measure to ensure positive impact against KPIs
Step 1: Identify business objectives

Get answers to these 3 categories:

• How does existing IT process hinder business excellence?
• What are the organization's current biggest challenges?
• What are the organization's 6, 12, 18 month goals?




Step 2: Create tactical & strategic KPIs

• Hinder
  – How can you measure improvement to the hindrance?
  – What is bad, how bad is it, how much better should it be?
• Challenges
  – Should we measure challenges as binary (met/failed)?
  – Can we measure 'overcoming a challenge'?
• Goals
  – Measuring goal acceleration/achievement should be easiest
  – Understand the org's objective, attempt to accelerate by X%
Step 3: Execute against KPIs


Go do it.

Execute projects, purchases, activities and processes in the
name of organizational excellence – tell everyone this.

Constantly measure your improvement of KPIs.

Step 4: Measure to ensure positive impact


Have you helped accelerate organizational goals, while
improving security posture?

Keep KPIs simple, with lots of supporting data.




Ultimately “IT Security” will evolve




It is possible to do both

"Serve the business"
Reduce IT vulnerabilities




Thanks for learning something.

Follow me on Twitter: @Wh1t3Rabbit

Read my blog: hp.com/go/white-rabbit

Listen to the podcast: podcast.wh1t3rabbit.net (or iTunes)

Discuss on LinkedIn: Join the 'SecBiz' group
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...HostedbyConfluent
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 

Kürzlich hochgeladen (20)

CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Google AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAGGoogle AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAG
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 

Making Measurable Gains - Contextualizing 'Secure' in Business

  • 1. Making Measurable Gains …contextualizing 'secure' in business. Rafal Los – 'Wh1t3Rabbit' – Enterprise & Cloud Security Strategist – HP Software. BayThreat 2011. © Copyright 2011 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. Confidentiality label goes here
  • 2. Follow me down the rabbit hole
  • 3. “Security” is estranged from business. Why? A vast number of IT Security professionals are distant from their business. • Why is this? – What are some of the reasons you think this is true? • What are the results? – What are some of the observed results?
  • 4. Answer: Information Security often fails, even when it succeeds. Why? We can't show how or why we succeeded.
  • 5. Security incidents hurt.
  • 6. This is an … business goals
  • 7. And this is an … 'Security' goals
  • 8. Let's start here…
  • 9. Your Organization does not exist to be secure.
  • 10. Why should they care? 1. Will the company stop existing? 2. Will there be loss of life? 3. What's the worst that can happen?
  • 11. But if organizations don't care about security… …then why do you have a job? You can either resign yourself to the fact that you're there to check a box … OR… you can contribute meaningfully to your organization.
  • 12. (Obligatory “bridge is out” slide)
  • 13. We speak “security talk”: vulnerabilities, SQL Injection, XSS, … 0-day, attacks, hacking, critical, high, medium…
  • 14. “The business” speaks a different language: leveraged risks, business exposures, cost of capital, velocity of change, shareholder value.
  • 15. Creating meaningful security impact is not a trivial exercise.
  • 16. 2 Ways to Approach: from the organization, or from security. Organizational • Start with organizational objectives • Works well for starting 'over' (new) • Work your way towards IT Sec. Security • Start with existing security, work back • Works well for 're-aligning' security • Start in tech, align to business.
  • 17. Security Centric approach
      1. List out all 'security' activities, tasks, processes, projects and purchases.
      2. Attempt to map the above to 'organizational goals':

         Task          Goal 1   Goal 2   Goal 3
         Task 1        y        n        n
         Activity 1    n        n        n
         Purchase      n        n        y
         Project 1     y        n        y
         Activity 2    n        n        y

         Goal 1: Meet compliance requirement A
         Goal 2: Decrease fraud due to X by 1.25%
         Goal 3: Increase employee productivity 4%

      3. Where there is no direct correlation: • discontinue the activity, or • re-align it to fit one of the org. goals.
      4. Repeat for all security activity.
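The mapping exercise on slide 17, as an added example that is not part of the original deck: a small Python script that holds the slide's activity-to-goal matrix and applies step 3 mechanically, listing the activities with no direct correlation to any goal (the candidates to discontinue or re-align) and, as an extra check the slide does not spell out, the goals that no security activity supports at all. The goals, activities and y/n values are the slide's own; the function names and the report layout are mine.

```python
"""Security-centric alignment check (slide 17).

Added example, not from the original slides. GOALS and ALIGNMENT are
constructed from the matrix on slide 17; the function names are assumptions
of this example, not anything the deck defines.
"""

# Organizational goals, as listed on slide 17.
GOALS = {
    "Goal 1": "Meet compliance requirement A",
    "Goal 2": "Decrease fraud due to X by 1.25%",
    "Goal 3": "Increase employee productivity 4%",
}

# Step 1: every security activity, task, process, project and purchase.
# Step 2: for each, whether it directly supports a goal (y) or not (n).
ALIGNMENT = {
    "Task 1":     {"Goal 1": "y", "Goal 2": "n", "Goal 3": "n"},
    "Activity 1": {"Goal 1": "n", "Goal 2": "n", "Goal 3": "n"},
    "Purchase":   {"Goal 1": "n", "Goal 2": "n", "Goal 3": "y"},
    "Project 1":  {"Goal 1": "y", "Goal 2": "n", "Goal 3": "y"},
    "Activity 2": {"Goal 1": "n", "Goal 2": "n", "Goal 3": "y"},
}

YES = {"y", "yes", "true"}


def supported_goals(row):
    """Set of goals one activity maps to; accepts 'y', 'Y', 'yes' or True."""
    return {goal for goal, mark in row.items() if str(mark).strip().lower() in YES}


def unaligned_activities(alignment):
    """Step 3: activities with no direct correlation to any goal.

    These are the candidates to discontinue or re-align."""
    return sorted(name for name, row in alignment.items() if not supported_goals(row))


def uncovered_goals(alignment, goals):
    """Goals that no security activity supports.

    The slide's procedure does not call this out; it is the gap the
    organization-centric approach (slide 18) exists to fill, so the report
    surfaces it next to the orphaned activities."""
    covered = set()
    for row in alignment.values():
        covered |= supported_goals(row)
    return sorted(goal for goal in goals if goal not in covered)


def alignment_report(alignment, goals):
    """Step 4: one pass over all security activity, returned as a dict so the
    result can be reviewed with the business owner of each goal."""
    orphans = unaligned_activities(alignment)
    return {
        "keep": sorted(name for name in alignment if name not in orphans),
        "discontinue_or_realign": orphans,
        "goals_without_security_support": uncovered_goals(alignment, goals),
    }


if __name__ == "__main__":
    for key, items in alignment_report(ALIGNMENT, GOALS).items():
        print(f"{key}: {', '.join(items) or '(none)'}")
```

Run against the slide's matrix, the script flags Activity 1 for discontinuation or re-alignment and shows that Goal 2 (decrease fraud) has no security activity behind it, which is exactly the kind of organizational problem slide 18 says security should be solving.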
  • 18. Organization Centric approach 1. Understand the organization's goals (as in the previous approach) 2. Develop security activities, processes, projects, tasks and purchases to align with them 3. Solve only organizational problems – “through the lens of the org” 4. Hint: You may have to be creative
  • 19.
  • 20. Measurable Gains in Security? It is possible to serve both the organization's and security's goals simultaneously. 1. Identify business objectives 2. Create tactical & strategic KPIs 3. Execute against KPIs 4. Measure to ensure positive impact against KPIs
  • 21. Step 1: Identify business objectives. Get answers in these 3 categories: • How does existing IT process hinder business excellence? • What are the organization's current biggest challenges? • What are the organization's 6, 12 and 18 month goals?
  • 22. Step 2: Create tactical & strategic KPIs • Hindrances – How can you measure improvement to the hindrance? – What is bad, how bad is it, how much better should it be? • Challenges – Should we measure challenges as binary (met/failed)? – Can we measure 'overcoming a challenge'? • Goals – Measuring goal acceleration/achievement should be easiest – Understand the org's objective, attempt to accelerate it by X%
  • 23. Step 3: Execute against KPIs. Go do it. Execute projects, purchases, activities and processes in the name of organizational excellence – tell everyone this. Constantly measure your improvement of the KPIs.
  • 24. Step 4: Measure to ensure positive impact. Have you helped accelerate organizational goals while improving security posture? Keep KPIs simple, with lots of supporting data.
  • 25. Ultimately “IT Security” will evolve
  • 26. It is possible to do both: “Serve the business” and reduce IT vulnerabilities
  • 27. Thanks for learning something. Follow me on Twitter: @Wh1t3Rabbit. Read my blog: hp.com/go/white-rabbit. Listen to the podcast: podcast.wh1t3rabbit.net (or iTunes). Discuss on LinkedIn: Join the 'SecBiz' group

Speaker notes

  1. Please adjust confidentiality notice accordingly