
How do we secure America - nVision 2019 Main Stage

22 views

Published on

This is the presentation deck that was delivered by Evan Francen on the nVision 2019 Main Stage. The presentation establishes core truths about information security then presents a call to action for getting people to simply focus on the fundamentals using SecurityStudio's free S2Org cybersecurity risk assessment.

Published in: Technology

  1. How do we secure America?
  2. IMPORTANT! Before I get started… • The World Health Organization states that over 800,000 people die every year due to suicide, and that suicide is the second leading cause of death in 15-29-year-olds. • 5 percent of adults (18 or older) experience a mental illness in any one year. • In the United States, almost half of adults (46.4 percent) will experience a mental illness during their lifetime. • In the United States, only 41 percent of the people who had a mental disorder in the past year received professional health care or other services. • https://www.mentalhealthhackers.org/resources-and-links/
  3. ME: Evan Francen, CEO & Founder of FRSecure and SecurityStudio. I do a lot of security stuff… • Co-inventor of SecurityStudio®, S²Score, S²Org, S²Vendor, S²Team, and S²Me • 25+ years of “practical” information security experience (started as a Cisco Engineer in the early 90s) • Worked as CISO and vCISO for hundreds of companies. • Developed the FRSecure Mentor Program; six students in 2010, 500+ in 2018 • Advised legal counsel in very public breaches (Target, Blue Cross/Blue Shield, etc.) How do we secure America? AKA: The “Truth”
  4. UNSECURITY: Information Security Is Failing. Breaches Are Epidemic. How Can We Fix This Broken Industry? Published January 2019. How do we secure America?
  5. Resources & Contact. Want to participate? Want to partner? Want these slides? LET’S WORK TOGETHER! • Email: efrancen@securitystudio.com • @evanfrancen • @StudioSecurity #S2Roadshow • Blog: https://evanfrancen.com • Podcast (The UNSECURITY Podcast). Thank you!
  6. How do we secure America?
  7. How do we secure America? Show of hands.
  8. How do we secure America? Show of hands. An idea, but we need to start somewhere, and we need to start now. Before we get there…
  9. How do we secure America? Show of hands. An idea, but we need to start somewhere, and we need to start now. Before we get there… What is “Secure”? We sort of need to agree on this first.
  10. How do we secure America? Show of hands. An idea, but we need to start somewhere, and we need to start now. Before we get there… What is “Secure”? We sort of need to agree on this first. How many of you are security people (my tribe)?
  11. You know we have a language problem in our industry, right? Our Industry: AI, Blockchain, Penetration Test, Vulnerability Management, NIST CSF, Risk, Risk Management, Containers, Incident Management, Cyber Insurance, Threats, Maturity Assessment, Malware, Security, Cryptography, Breach, APT, Cybersecurity, BCDR, Malware, Trojan, Spoofing, UTM, Phishing, Vishing, DDoS, Worm, Botnet, ML, Vulnerability, Zero-Day, Layered, Exploit, Threat Actor, Attribution, Kali, OSCP, CISSP, NIST CSF
  12. You know we have a language problem in our industry, right? Normal People See Us Like: AI, Blockchain, Penetration Test, Vulnerability Management, NIST CSF, Risk, Risk Management, Containers, Incident Management, Cyber Insurance, Threats, Maturity Assessment, Malware, Security, Cryptography, Breach, APT, Cybersecurity, BCDR, Malware, Trojan, Spoofing, UTM, Phishing, Vishing, DDoS, Worm, Botnet, ML, Vulnerability, Zero-Day, Layered, Exploit, Threat Actor, Attribution, Kali, OSCP, CISSP, NIST CSF
  13. Why? Because we don’t agree on a language. Their Language. FIX: Fundamentals and simplification. Translation/Communication. WARNING – It’s work and it’s NOT sexy.
  14. Why? Because we don’t agree on a language. Their Language. FIX: Fundamentals and simplification. Translation/Communication. WARNING – It’s work and it’s NOT sexy. So, let’s listen… Let’s demonstrate our own language problem first.
  15. Information Security is…
  16. Information Security is Managing Risk.
  17. Information Security is NOT Eliminating Risk.
  18. Information Security is NOT Compliance.
  19. Information Security is Managing Risk… in what?
  20. Information Security is Managing Risk: Administrative Controls, Physical Controls, Technical Controls.
  21. Information Security is Managing Risk: Administrative Controls (easier to go through your secretary than your firewall), Physical Controls (a firewall doesn’t help when someone steals your server), Technical Controls (YAY! IT stuff).
  22. Information Security is Managing Risk: Administrative Controls, Physical Controls, Technical Controls. What’s risk?
  23. Information Security is Managing Risk: Likelihood (of something bad happening), Impact (if it did); Administrative Controls, Physical Controls, Technical Controls.
  24. Information Security is Managing Risk: Likelihood, Impact; Administrative Controls, Physical Controls, Technical Controls. How do you figure out likelihood and impact?
  25. Information Security is Managing Risk: Likelihood, Impact; Vulnerabilities; Administrative Controls, Physical Controls, Technical Controls. Start with vulnerabilities.
  26. Information Security is Managing Risk: Likelihood, Impact; Vulnerabilities; Administrative Controls, Physical Controls, Technical Controls. Start with vulnerabilities. • Vulnerabilities are weaknesses. • A fully implemented and functional control has no weakness. • Think CMMI, 1 – Initial to 5 – Optimizing.
  27. Information Security is Managing Risk: Likelihood, Impact; Vulnerabilities; Administrative Controls, Physical Controls, Technical Controls. OK, but there’s no risk in a weakness by itself, right?
  28. Information Security is Managing Risk: Likelihood, Impact; Vulnerabilities; Administrative Controls, Physical Controls, Technical Controls. OK, but there’s no risk in a weakness by itself, right? That’s right! We need threats too.
  29. Information Security is Managing Risk: Likelihood, Impact; Threats, Vulnerabilities; Administrative Controls, Physical Controls, Technical Controls.
  30. Information Security is Managing Risk: Likelihood, Impact; Threats, Vulnerabilities; Administrative Controls, Physical Controls, Technical Controls. There is NO risk • for vulnerabilities without a threat, • for threats without a vulnerability.
  31. Information Security is Managing Risk: Likelihood, Impact; Threats, Vulnerabilities; Administrative Controls, Physical Controls, Technical Controls. There is NO risk • for vulnerabilities without a threat, • for threats without a vulnerability. So, what is information security?
  32. Information Security is Managing Risk: Likelihood, Impact; Threats, Vulnerabilities; Administrative Controls, Physical Controls, Technical Controls.
  33. Some truth about information security: It’s relative. Something insecure at the core will always be insecure. You can’t manage what you can’t measure. You can’t manage risk without assessing it. Complexity is the enemy.
  34. Some truth about information security: It’s relative. Something insecure at the core will always be insecure. You can’t manage what you can’t measure. You can’t manage risk without assessing it. Complexity is the enemy. You cannot build an effective security program or strategy without an assessment.
  35. Some truth about information security: It’s relative. Something insecure at the core will always be insecure. You can’t manage what you can’t measure. You can’t manage risk without assessing it. Complexity is the enemy. You cannot build an effective security program or strategy without an assessment. Most organizations (public and private) FAIL to do fundamental information security risk assessments. WHY? Reason #1: Complexity.
  36. Information Security is Managing Risk: Likelihood, Impact; Threats, Vulnerabilities; Administrative Controls, Physical Controls, Technical Controls. Fine for our tribe, but what about the others?
  37. Information Security is Managing Risk: Likelihood, Impact; Threats, Vulnerabilities; Administrative Controls, Physical Controls, Technical Controls. What if we made a simple score to represent this?
  38. Information Security is Managing Risk: Likelihood, Impact; Threats, Vulnerabilities; Administrative Controls, Physical Controls, Technical Controls. We did. We call it the S2Score.
  39. Information Security is Managing Risk: Likelihood, Impact; Threats, Vulnerabilities; Administrative Controls, Physical Controls, Technical Controls. The S2Score is a simple and effective language to communicate information security to everyone (citizens, city councils, county boards, other security people, auditors, regulators, etc.).
  40. Information Security is Managing Risk: Likelihood, Impact; Threats, Vulnerabilities; Administrative Controls, Physical Controls, Technical Controls. Most organizations (public and private) FAIL to do fundamental information security risk assessments. Reason #2: Cost.
  41. Information Security is Managing Risk: Likelihood, Impact; Threats, Vulnerabilities; Administrative Controls, Physical Controls, Technical Controls. Let’s make an information security risk assessment that’s free. The assessment that creates the S2Score is available at no cost to anyone.
  42. Information Security is Managing Risk: Likelihood, Impact; Threats, Vulnerabilities; Administrative Controls, Physical Controls, Technical Controls. Let’s make an information security risk assessment that’s free. The assessment that creates the S2Score is available at no cost to anyone. There’s no catch.
  43. Information Security is Managing Risk: Likelihood, Impact; Threats, Vulnerabilities; Administrative Controls, Physical Controls, Technical Controls. Let’s make an information security risk assessment that’s free. The assessment that creates the S2Score is available at no cost to anyone. There’s no catch. For those who like our snazzy standards and acronyms, the S2Org is derived from and mapped to: • NIST CSF • NIST SP 800-53 • NIST SP 800-171 • ISO 27002 • COBIT • Others…
  44. S2Score is Cool: Likelihood, Impact; Threats, Vulnerabilities; Administrative Controls, Physical Controls, Technical Controls. Speaking the same language should be free. Now that we agree on security (or “secure”) and have removed the two most common and significant barriers… What’s next to Secure America? Simple. Adoption. Let’s do a demonstration to show what I mean.
  45. I live in Waconia, Minnesota, a town in Carver County.
  46. Carver County is one of 87 counties in Minnesota.
  47. Minnesota is one state amongst 49 other beautiful states.
  48. Minnesota is one state amongst 49 other beautiful states. Are you troubled having the U.S. Flag anywhere near the word “Poor”? I am.
  49. How do we secure America? By speaking a common language we can work on what really matters (our most significant risks). What we’re going to do: • Keep preaching. • Work politically. • Keep improving (by listening). What you need to do: • Get your free S2Org Assessment and do it! • Help us preach. • Help us work politically. • Help us improve (by talking).
  50. Your Tasks: 1. Do your S2Org Assessment: https://app.securitystudio.com/organization/signup 2. Help us preach by telling everyone. 3. Help us politically by telling your leadership. 4. Help us improve by telling us: • Contact within the tool or here: https://securitystudio.com/contact/ • Twitter: @evanfrancen or @StudioSecurity. How do we secure America? Thank you!
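The risk model sketched on slides 23 to 31 (risk is likelihood and impact; vulnerabilities are control weaknesses on a CMMI 1 to 5 scale; there is no risk for a vulnerability without a threat or a threat without a vulnerability) can be turned into a small risk register. The following is an added illustration, not code from the deck or from SecurityStudio; the weakness and risk formulas, the control and threat names, and all numbers are constructed assumptions, and the S2Score's own scoring is not given on the page and is not reproduced here.

```python
# Toy risk model for the definitions on slides 23-31 (hypothetical scoring,
# not the S2Score formula, which the deck does not give):
#   weakness(control)     = (5 - maturity) / 4        CMMI 1..5 -> 1.0..0.0
#   risk(threat, control) = likelihood * impact * weakness
from dataclasses import dataclass

CMMI_MIN, CMMI_MAX = 1, 5  # 1 - Initial ... 5 - Optimizing

@dataclass(frozen=True)
class Control:
    name: str
    domain: str      # "administrative", "physical" or "technical"
    maturity: int    # CMMI level 1..5

    def weakness(self) -> float:
        """Vulnerability of the control; a fully implemented control has none."""
        if not CMMI_MIN <= self.maturity <= CMMI_MAX:
            raise ValueError(f"{self.name}: maturity must be {CMMI_MIN}..{CMMI_MAX}")
        return (CMMI_MAX - self.maturity) / (CMMI_MAX - CMMI_MIN)

@dataclass(frozen=True)
class Threat:
    name: str
    likelihood: float          # 0..1, chance of something bad happening
    impact: float              # 0..1, how bad it is if it did
    exploits: tuple[str, ...]  # controls whose weakness this threat can use

def risk_register(controls, threats):
    """{(threat, control): risk} for each pair that actually carries risk."""
    by_name = {c.name: c for c in controls}
    register = {}
    for t in threats:
        for c in (by_name[n] for n in t.exploits if n in by_name):
            w = c.weakness()
            if w > 0:  # no weakness -> no vulnerability -> no risk
                register[(t.name, c.name)] = round(t.likelihood * t.impact * w, 4)
    return register  # threats with no matching weakness never appear

# Constructed sample data (not from the deck)
CONTROLS = [Control("visitor-escort", "physical", 2), Control("firewall", "technical", 5),
            Control("security-awareness", "administrative", 3),
            Control("backup-restore", "technical", 4)]
THREATS = [Threat("tailgating", 0.6, 0.5, ("visitor-escort",)),
           Threat("phishing", 0.9, 0.7, ("security-awareness", "firewall")),
           Threat("ransomware", 0.5, 0.9, ("backup-restore", "firewall")),
           Threat("solar-flare", 0.1, 0.9, ())]  # threat without a vulnerability

if __name__ == "__main__":
    for (t, c), r in sorted(risk_register(CONTROLS, THREATS).items(), key=lambda kv: -kv[1]):
        print(f"{t:12s} via {c:20s} risk={r:.4f}")
```

The register drops every pair the slides say carries no risk: the fully implemented firewall (maturity 5) contributes nothing even though two threats target it, and a threat with no matching weakness never appears at all.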