Security BSides Atlanta - "The Business Doesn't Care..."

transcript

The Business Doesn’t Care

Rafal Los – „Wh1t3Rabbit“ – Enterprise & Cloud Security Strategist – HP Software

Security BSides Atlanta

contained herein is subject to change without notice. Confidentiality label goes here

…and its your fault.

Follow me down the rabbithole.

“Security” is estranged from business

A vast amount of IT Security professionals are distant from their business.

•Why is this? –what are some of the reasons you think this is true?

•What are the results? –what are some of the observed results?

This is an …

And this is an …

Define Risk

1. First definition 2. Second definition 3. Third definition

Define Vulnerability

1. First definition 2. Second definition 3. Third definition

Security IS part of the business.

…but what does that mean, really?

• Is your CISO/CSO on the executive board of the company?

• Does your CISO/CSO have executive power? • …what does this mean?

Relating Security <> Business

What are the 3 of your company’s board-level goals for the next fiscal year? 1. Goal 1 2. Goal 2 3. Goal 3

The bridge between Security | Business is out.

We speak “security talk”

vulnerabilities

0-day attacks

hacking

SQL Injection, XSS, …

critical, high, medium…

“The business” speaks a different language

Leveraged risks

Business exposures

Cost of capital

Velocity of change

Shareholder value

Driving off the risk/reward cliff …blind

Oh …

No what? How do you succeed?

• “Speak business language”

• cliché …but how?

• How do you relate IT risks to

business risks?

Get to know your business

Get to know your business • what does your company really do? • what does your board care about? • what gets your CEO his or her bonus? • what do analysts say about your company? • what do your customers care (or not) about?

What are your company’s business exposures, risks?

• what are your market risks from doing business? • what are your critical business exposures? • how can the CISO/CSO help mitigate those issues?

How can we relate IT to business ‘security’?

How would you convince your CEO that a SQL Injection vulnerability can sink their shareholder value?

Ultimately “IT Security” will evolve

Security Ops vs. Security Strategy

Security Operations (SecOps) • Operational security group • Traditional firewall controls • Day-to-day security technology

• Not a separate IT unit (“security”) • Infused into operational IT groups

• server management • network management • desktop management

Security Strategy • IT “risk” advisory consulting • Align to risk management, legal • Review, relate, advise the business

• Independent, small, agile group • Report into CRO, CFO

• eliminate conflict of interest • get “closer to the business”

It is possible to do both

“Serve the business” Reduce IT vulnerabilities

Thanks for learning something.

Follow me on Twitter: @Wh1t3Rabbit Read my blog: hp.com/go/white-rabbit Listen to the podcast: podcast.wh1t3rabbit.net (or iTunes) Discuss on LinkedIn: Join the ‘SecBiz’ group

Security BSides Atlanta - "The Business Doesn't Care..."

Technology