Presentation at CMSS Conference 2016 - I was recently honored with the opportunity of speaking at the CMSS 2016 Conference. My goal for this engagement was to educate about the importance of innovating and applying exponential technologies in IT Security within the organization. My audience included many professionals in the medical industry, so it was important for me to be able to convey the importance of cybersecurity in that industry.

1. Exponential Technologies 101
Enterprise IT Security
CIO Innovation and Leadership
Presenter: Bill Murphy

2. Exponential Technologies 101

3. • Artificial Intelligence (AI)
• Machine Learning & Deep Learning
• Robotics
• Biotechnology & Bioinformatics & Digital Biology
• Virtual Reality & Augmented Reality
• Energy & Environmental Systems
• Medicine & Neuroscience
• Nanotechnology & Digital Fabrication (3D Printing)
• Blockchain
• Networks & Computing Systems (IT Security)
What is an Exponential Technology?

7. Offense and Defense

8. Shola – United Therapeutics

9. BRANDING
Shola – United Therapeutics

10. Exponential vs Linear

15. 15
4DS OF EXPONENTIALS
DECEPTIVE
TO
DISRUPTIVE
D IG IT IZ E D E MAT E RIA L IZ E D E MO NE T IZ E D E MO CRAT IZ E
Disruptive
Stress
/Opportunity

16. Awareness

17. Self Awareness

19. Examples of Disruption

20. Solid and Stable

21. Disruptive

22. What is a Disruptive Tech?

26. • Blackberry and Nokia
• Tesla and Automotive

28. Books to Help + Resources
• SU DC Chapter-
singularityudc.com
• Singularity University – su.org
• Singularity HUB – singularityhub.com
• Daniel Burrus - www.burrus.com
• Exponential Organizations –
exponentialorgs.com

29. With all the opportunities that Exponentials
bring there are Risks. Big Risks
1. Governance
2. Ethics
3. Privacy
4. Complexity
TRANSITION TO DEFENSE

30. DEFENSE – Enterprise IT Security
Qualitative
Vs
Quantitative

31. Health
Dr Ordered - reluctantly
Food Panel – Allergy
Hematology
Metabolic Chemistry
Lipid profile
Hormones
Urinalysis
Vitamins etc
Symptoms
Mental Fog
Mood Variability
Joint Pain

32. Frontiers of Optimal Performance &
Human Potential
• Firewalking 7x
• Active Spartan race training
• Cold water immersion via
Wim Hof
• Blackbelt
• Survival School
• Kiting and windsurfing
• Coaching Travel Soccer
• IronMan x2
• 2 x ½ IronMans
• Meditation/Mindfulness
(MBSR, Thich Nhat Han)
• Personal and Team Flow
States Experiments (Steven
Kotler)
• Innovation at the edge –
Design Thinking (SU)

36. 2015

39. The Plan
• Primary Target, Time Frame, Re-test
• Diet to deal with inflammation
• Exercise – Mobility, Strength
• Vitamins
• Meds
• Testing
• Execution
• Follow-up and Follow-Thru

40. Am I Done?
• You only saw a 2015 Food Allergy Panel.
Where is the 2016 Comparison?
• What about the stool sample?
• Year after Year. Massively Proactive.
• Rinse and Repeat

41. So What About Enterprise IT Security?

42. Back To
Qualitative and Quantitative
• Marry Qualitative and Quantitative
• Evidence Based
• Building Defensible Arguments/Plans

46. Security Defense Strategy
Whack-a-Mole?!

48. COMPREHENSIVE IT SECURITY HEALTH PANEL

51. Second Priority

52. COMPREHENSIVE IT SECURITY HEALTH PANEL
(1)External Facing Systems
(2)Firewall Internal Systems (systems used by
employees, mail services, activesync, vpn, etc.)
(3) Do your company PCs have an anti-virus program?

53. EXECUTION PLAN – IT ROADMAP -
PRIORITIZATION

55. Year Over Year Comparison
When you spend a $
What boats are
effected?

56. External Facing Systems (systems used by external public/customers)
– Do you have an up to date list of all systems presented to the public or customers including
services in use?
• How many are there? (answer the next set by # based on yes count)
– Are the front end user interfaces behind an application filter security device with active
blocking capability beyond layer ¾ firewall?
– Does the application filter block all high risk issue?
– Does the application filter block all medium risk issues?
– Do you have any exceptions for sites or subsites on the application filter?
– Does this system terminate ssl or encryption?
– Is the application or db tier in a different zone/subnet/across a security boundary?
– Is the communication between the front end and the next tier unencrypted so the security
systems can review cross tier traffic?
– Do you formally audit to ensure that these settings are active and working:
• Monthly
• Quarterly
• Yearly

57. • Firewall Internal Systems (systems used by employees,
mail services, activesync, vpn, etc.)
– Are all non-security devices behind a firewall?
– Is the firewall a full UTM with services active and in automated
blocking mode for high risk items?
– Is the firewall a full UTM with services active and in automated
blocking mode for medium risk items?
– Are all inbound rules configured explicit in at least two of the
following: source, destination and protocol.
– Do you formally audit to ensure that these settings are active
and working:
• Monthly
• Quarterly
• Yearly

58. Anti-Virus PC
– Do your company PCs have an anti-virus program?
– How often are definitions updated?
• Multiple times a day
• Daily
• Weekly or more
– Do you run centrally managed antivirus?
– Are alerts for viruses, service failures, and update problem sent to staff?
– Do you exclude any pc from AV?
– What percent of systems are covered (I.e. do you skip Macs, Linux etc)
– How often do you check for gaps in coverage
• Weekly
• Monthly
• Quarterly
– How often do you audit scanning exclusions for files and processes?
• Quarterly
• Twice a year
• Yearly
– Is there an approval process prior to allowing exclusions?

59. • Email Encryption and DLP
– Do you have a system that automatically audits mail messages for
context driven content (PII, PCI, Confidential, etc)
– Do you formally audit to ensure that the system is are active and
working:
• Monthly
• Quarterly
• Yearly
– Can anyone opt out of the system?
– Does the system encrypt, reject, or redact ALL emails that fail the
automatic audit?
– Does the system allow external parties to initiate and reply in an
encrypted fashion?
– Do you formally audit to ensure that the policies used and look for
gaps?
• Monthly
• Quarterly
• Yearly

60. My Vision for You is to Reign in
Complexity
But this is only a Blood Panel……
What do you do about it?

61. Overall Gaps
• Based on the review a lot of good mature security
technologies exist however the following is
required:
– Additional implementation work is required to realize
the full impact of the solution
– Review system X to ensure intended use is in line with
current state of the system. Currently this is not the
case
– A proactive process of managing security systems A, B
and C need to be developed in order to ensure
security

62. Action Plan Step 1
• Concentrate on validating and hardening what
is in place
– Perform an user account audit
– Perform an edge security audit
– Enable Varonis to provide proactive security
– Enable Secret Server to harden the environment

63. Action Plan Step 2
• Two technologies that can be added to bolster
security, especially if HIPAA compliance is
desired
– Endpoint security for USB device security
– ZixGateway for Email Encrytion and DLP

64. Sample Deliverables
• Varonis Data Governance
(steps needed to complete
the install)
• Thycotic Gap Comparison
• Edge Assessment +
• AD /Account Audit
• Road Map – with Priority

65. Audit/
Compliance
Regulators/
Regulations
FFIEC, PCI, DoD,
HIPPA, etc
Standards
Staff
Gartner
Vendors
Consultants
Business Framework
ExO CIO Business IT
Framework

66. Framework
• What happens when you lose your CFO or
Accounting Manager?
Versus
• What happens when you lose your CIO, CISO,
VP IT, Manager IT, etc

67. Common Language of Business
• Debits and Credits
• Income Statement and Balance Sheet
• P&L

68. Align Proper Business Expectations
Does your VP of Sales guarantee revenue?
Where in your business do you have
guarantees?

69. Premiums to Mitigate Risk

70. The Role of Transparency

71. • Defensible
• Logical

72. Powerful Leadership

73. Governance (Governing) and Risk

76. Forget Big Data – Think Little Data…..
With Context

78. Thunder & House & Squirrel

79. DAR Scan – Data at Rest Scan
Being Governed
VS
The Governor

80. How Data is lost?
 Employee post to share drive
 Employee shares with vendor
 Employee theft
 Employee accident
 Malware/Virus
 Social Media
 Hacking attack (Spear Fishing)
 Social Engineering
 USB

81. Incidents by File Type
Policy File Type Hits Number of Files
Customer List Adobe PDF 1846 90
Customer List Email Message File (MIME, EML) 1071 43
Customer List HTML 311 16
Customer List Microsoft Excel 73842 360
Customer List Microsoft PowerPoint 125 6
Customer List Microsoft Word 1258 34
Customer List Plain Text 7539 55
D_CCN (pattern) Adobe PDF 479 3
D_CCN (pattern) Microsoft Excel 146 144
D_CCN (pattern) Plain Text 1442 5
D_SSN (pattern) Adobe PDF 2264 7
D_SSN (pattern) Microsoft Excel 180 93
D_SSN (pattern) Microsoft PowerPoint 2 1
D_SSN (pattern) Microsoft Word 1 2
D_SSN (pattern) Other Word Processors 1 1
D_SSN (pattern) Plain Text 63 3
Example of Incidents

82. Example of Incidents
Incidents Made in the last 90 Days
File Creation Time File_Share Policy Hits
Number of
Files
7/28/2012 1:12:00
AM
BadFileServercustomersBIGEFCUAudit CustomerList 14 1
8/3/2012 2:43:00 PMBadFileServercustomersNurseFirst Cor Customer List 87 1
8/29/2012 11:35:00
PM
BadFileServercustomersUniversityFCU Customer List 92 3
9/11/2012 11:44:00
PM
BadFileServermarketingPartnersBlue Customer List 35 1
9/6/2012 11:49:00
PM
BadFileServermarketingPartnersGTB D_SSN
(pattern)
1 1
9/6/2012 11:50:00
PM
BadFileServerBLD_BLD_ReportsXYZC D_CCN
(pattern)
239 1
9/6/2012 11:50:00
PM
BadFileServerBLD_BLD_ReportsXYZC D_SSN
(pattern)
381 1
10/4/2012 5:55:00
PM
BadFileServerBLD_BLD_ReportsXYZC D_SSN
(pattern)
500 1
10/4/2012 11:41:00
PM
BadFileServerBLD_BLD_ReportsXYZC D_SSN
(pattern)
500 1
9/6/2012 11:50:00
PM
BadFileServerMKT_MKT_ReportsXYZS Customer List 16 1
10/2/2012 11:48:00
PM
BadFileServerMKT_MKT_ReportsXYZS Customer List 17 1
8/9/2012 11:45:00
PM
BadFileServerMKTMKT Customers123 F Customer List 38 1
9/6/2012 11:51:00
PM
BadFileServerMKTMKT Customers123 F Customer List 74 1

83. Example of Incidents
Full Incident Report
File_Share Policy
Inciden
ts
Files File Path
BadFileServer operations
Docs
D_SSN
(patter
n)
AprilMainZix.xlsx BadFileServer operations
Docs Documents.bak ZixMain
2010
BadFileServer marketing CI
OES
D_SSN
(patter
n)
Sales_OldStuff.zip/Gol
f Outing_June27.doc
BadFileServer marketing CIO
ES
BadFileServer marketing CI
OES
Custom
er List
Sales_OldStuff.zip/VM
ware Attendance List
CIOES.xls
BadFileServer marketing CIO
ES
BadFileServer marketing CI
OES
Custom
er List
Sales_OldStuff.zip/Sep
t Sales email blast.doc
BadFileServer marketing CIO
ES
BadFileServer marketing CI
OES
Custom
er List
Sales_OldStuff.zip/Roc
kville List from Vania
March 02.xls
BadFileServer marketing CIO
ES

84. Example of Incidents
Incidents by File Share
File_Share Policy Incidents Files
BadFileServeraccounting Customer List 144 1
BadFileServeraccountingArchive D_CCN (pattern) 139 139
BadFileServeraccountingArchive D_SSN (pattern) 170 85
BadFileServeraccountingArchive2005 D_SSN (pattern) 5 1
BadFileServeraccountingConst_Assoc Customer List 288 18
BadFileServeraccountingSherrie Customer List 1000 1
BadFileServeraccountingSherrie D_SSN (pattern) 1 1
BadFileServercustomers_InActive_Clie Customer List 276 13
BadFileServercustomers_InActive_Clie D_CCN (pattern) 1 1
BadFileServercustomers123FCUcontra Customer List 70 4
BadFileServercustomersABC_Network_ Customer List 12 1
BadFileServercustomersABCAssessmen Customer List 60 2
BadFileServercustomersAlpha Systems Customer List 15 1
BadFileServercustomersXYZSSL_VPN Customer List 12 1
BadFileServercustomersStateDep Statu Customer List 237 1

85. HIPPA/HIPAA, NIST/DOD since we are a
downstream contractor, NCUA, PCI, SOC
compliance

86. Technical Framework

88. OFFENSE
• Study top Disruptors in your field

89. Exponential Technologies
• IT Security and Networks
• Robotics
• Artificial Intelligence
• Virtual Reality/ Augmented
Reality
• Deep Learning & Machine
Learning
• Neuroscience
• Biomedicine & Digital
Biology
• Energy and
Environmental Systems
• Blockchain
• 3D Manufacturing
Printing
• IT Security and
Networks
• Nanotechnology
• IoT and Big Data
• Algorithms & APIs

92. Exponentials in the Health Field

94. Pay Attention to Blockchain

100. “The Smartest People in the World
Don’t Work for You”

101. Measure Your Organizational
Readiness to Innovate
• Visualize this
• Are you leaning into disruption or playing
afraid
10
5
1

102. Software is Eating the World
Quote “Everything that Humans are Inefficient
at will be eaten by Software.”

103. APIs & Algorithms
NIH – Gut Health
- Microbiome

104. Micro- Experiments
• NIH data sets – Gut Health example
• Fail fast and forward
• Push projects to the edge. Starve the edge.

105. • Start small with innovation pockets/ Labs
• Apply Design Thinking & Lean Startup
Mentality
• Align with people who have entrepreneurial
tendencies within the company
• Principle of Innovation at the edge of the
company

106. Staffing to Build Expertise

107. Community and Crowds

108. Bigger Thinking - Exponential
World Wide Expansion

109. MTP – Massive Transformational
Purpose

110. • Identify and avoid corporate anti-bodies
• Pay attention to when you disbelieve to avoid
being disrupted during the curve when the
technology seems odd or weird
What to Avoid

113. Summary – Offense Take-aways
• Learn to play offense - Join an innovation group like
mine or someone else's
• Be surrounded by ideas and people who think similar
• You are the average of the 5 people you hang around
• Build systems at the edge
• Avoid corp anti-bodies
• Pay attention to Lean and Design Thinking as it applies
to innovation (Joy, Inc, Exponential Org)
• Forget Big Data – Think Little Data
• Understand who your disruptors are? Technologies in
Health? Disruptive business practices, Communities,
blockchain, algorithms, & APIs

114. Offense Take-aways
• You don’t need permission to add revenue….
• Are you retiring in the next 5 years?
• It is a mindset first (for you) then a culture thing
• Neuroscience The Brain of a Leader thinking
Exponentially
• IoT & Dashboards
• Remember - role of offense and defense
• Financial Statements of the business – Point in
Time versus Progress over Time.

115. Defense Take-aways
• Play defense hard. Don’t play ping pong. Settle
into strategy and risk. Which will drive all tactical
execution.
• Embrace IT Security complexity with strategy.
Eliminate overlapping technology confusion. Data
Governance, privacy, risk – understand context.
• Flush out unnecessary costs
• Create Defensible Arguments/Plans
• Forget Big Data – Think Little Data
• Take a multi-year approach

116. Bill’s BIO & How to Contact Me?

118. World Class IT Security, Strategic and Tactical Thought Leadership for Enterprise
IT Business Leaders, Intra-preneurs, Entrepreneurs, Innovation, Design
Thinking, Creativity, Frontiers of Human Performance,
Breakthroughs in Neuroscience, & Exponential Technologies

119. CIO Security Scoreboard

120. CIO Innovation Insider
Group Meetings
Insider Updates Weekly
Report

121. Singularity University
Washington DC Chapter
Ambassador
Examines Disruptive and
Exponential Technologies
By looking at how they can be used to Improve the lives
of a billion of People”

122. Bill Murphy
410-320-6433
billm@redzonetech.net
Linkedin
twitter: @exoitleader
www.redzonetech.net
www.cioscoreboard.com