Security First - Trends and Principles

Date post: 15-Feb-2017
Upload: georgian-partners
Page 1: Security First - Trends and Principles

Security First

Page 2: Security First - Trends and Principles

georgianpartners.com Security First

What Is Security First?

• A holistic way of thinking about security

• Increasingly a competitive differentiator

• Not just security of data, networks, logins, web…

• Each new area of innovation has a security aspect

Page 3: Security First - Trends and Principles

Security First

Why Should Any of Us Care?

Page 4: Security First - Trends and Principles

Security Impact on Valuations

Page 5: Security First - Trends and Principles

Global Cost of Cyber Crime

– Juniper Research

Page 6: Security First - Trends and Principles

Cyber Crime: Explosive Impact

Breaches Cause Churn

• Financial: 6%
• Health: 5%
• Services: 5%
• Technology: 5%
• Life Sciences: 4%

Per Record Cost

• Healthcare: $355
• Education: $246
• Financial: $221
• Services: $208
• Life Sciences: $195

Data Loss

• Shutdown in 24M: 72%
• Survive: 28%

Data Loss > 10 days

• Shutdown in 12M: 93%
• Survive: 7%

Sources: Ponemon Institute; Imprima

Page 7: Security First - Trends and Principles

Security: Good Growth

• J.P. Morgan Chase & Co.: from $250M to $500M in 2016

• Bank of America said that “the only place in the company that didn't have a budget constraint was cybersecurity”

• U.S. govt increased budget by 35%, going from $14B in 2016 to $19B in 2017

• Morgan Stanley says that cyber security market went from $4B in 2004 to $120B in 2017 (31% CAGR)

[Chart: Global Cybersecurity Spending, Billions, 2011–2016]

[Chart: Cybersecurity Global Yearly Funding History, 2011–2015. Yearly values: $1,144; $1,957; $2,144; $2,814; $3,830. Second data series: 166; 222; 264; 299; 332]

Sources: Gartner; CB Insights

Page 8: Security First - Trends and Principles

Security First

Near-Future Trends

Page 9: Security First - Trends and Principles

2017+: Rapid Scaling

• 10s of millions of IoT devices used for 1.2 Tbps DDoS

• Jeep hack causes recall of 1.4M cars for bug fix

• Ransomware quadruples in 2016

• Apple announces differentially private ML

Page 10: Security First - Trends and Principles

The IoT (In)Security Iceberg

• Time to market critical

• Just like software in 2000s: function first

• Weak authentication

• Excessive collection of data

• Potential direct harm in physical world

Page 11: Security First - Trends and Principles

Security and Privacy Regulations

• GDPR – General Data Protection Regulation

• Comes into force in EU in May 2018

• Affects any company that processes data of EU residents

• Fine: max of €20M and 4% of revenue

Page 12: Security First - Trends and Principles

Security of AI (or How to Brainwash a Robot)

Applications:

• Convince an autonomous car that it’s about to hit a wall

• Convince a bot with 99% certainty that someone else requested a transaction

• Convince an industrial system that it’s not overheating

• Works even without knowing the model or training data!

Page 13: Security First - Trends and Principles

Security by Machine Learning

• Classification of binaries and network traffic

• Behavioral anomaly detection

• Biometrics: ECG, face recognition, voice recognition

• Hacker Bots (DARPA)

Page 14: Security First - Trends and Principles

The Quantum Computing Armageddon

Hypothesis: quantum computers can break crypto exponentially faster than classic computers

Page 15: Security First - Trends and Principles

Smart Contracts

• Code replaces notarized paper

• Contract executes when conditions are met

• Automated organizations managed directly by shareholders through code (DAO)

• Automation of government functions

[Diagram labels: Blockchain; Contract code; Events; Actions]

Page 16: Security First - Trends and Principles

Differential Privacy

[Diagram labels: Add Noise (three times); Aggregate Analytics]

“Differential privacy lets you gain insights from large datasets, but with a mathematical proof that no one can learn about a single individual.”

Page 17: Security First - Trends and Principles

Security First

Principles

Page 18: Security First - Trends and Principles

Differentiate on Security

1. Start now.
2. Make security everyone’s responsibility.
3. Create new value through security and privacy.

Build on Strength

4. Go for a win-win. Seek out synergies between security and function.
5. Avoid partners that weaken your security.

Knowledge is Power

6. Always be (threat) modeling.
7. Give customers control and oversight over their data.

You Will Be Hacked

8. Design systems to reduce the impact of a compromise.
9. Assume that reality is always worse than it appears.
10. Have a rapid remediation plan. Practice using it.

Page 19: Security First - Trends and Principles

Differentiate on Security

1. Start now.

The cost of introducing privacy and security late is the cost of undoing all past decisions that have security implications. Start introducing a security-first mindset into your business today.

Page 20: Security First - Trends and Principles

Differentiate on Security

2. Make security everyone’s responsibility.

The security conversation is between the CEO and all of her direct reports. Security should be embedded in culture, hiring, business strategy, technology, and promotion.

Page 21: Security First - Trends and Principles

Differentiate on Security

3. Create new value through security and privacy.

Make your commitment to security and privacy known to your customers. Provide precise and accurate guarantees for the security and privacy of your products. Educate your customers on privacy benefits and risks in your vertical.

Page 22: Security First - Trends and Principles

Build on Strength

4. Go for a win-win. Seek out synergies between security and function.

The greatest innovations are the ones that convert a win-lose to a win-win. Starting with security increases the likelihood of a win-win outcome.

Page 23: Security First - Trends and Principles

Build on Strength

5. Avoid partners that weaken your security.

Your business partners and third-party integrations are part of the attack surface. Ask them about their security and privacy stance, and prefer security-first partners. Help your partners take a security-first stance as a way to protect yourself.

Page 24: Security First - Trends and Principles

Knowledge is Power

6. Always be (threat) modeling.

Adversarial behavior can take many forms. Be creative in understanding your assets, stakeholders, and the current state of the system. Plan ahead for new attack surfaces and advances in attacker capabilities.

Page 25: Security First - Trends and Principles

Knowledge is Power

7. Give customers control and oversight over their data.

Customers value their data. Provide more privacy guarantees and customer control over data as a way to increase the value of your services.

Page 26: Security First - Trends and Principles

You Will Be Hacked

8. Design systems to reduce the impact of a compromise.

Avoid single points of failure and be fastidious in granting access to resources. Assume that each asset is part of the attack surface, assess the risk, and apply protections accordingly.

Page 27: Security First - Trends and Principles

You Will Be Hacked

9. Assume that reality is always worse than it appears.

Your security is not perfect. Test your response regularly. Be prepared to survive a failure and recover quickly. If you feel uncertain whether a decision can lead to a security compromise, it probably can.

Page 28: Security First - Trends and Principles

You Will Be Hacked

10. Have a rapid remediation plan. Practice using it.

When a security or privacy compromise is discovered, exercise your well-practiced incident response plan and notify affected customers. Provide timely remediation to protect your brand and retain customer trust.

Page 29: Security First - Trends and Principles

Differentiate on Security

1. Start now.
2. Make security everyone’s responsibility.
3. Create new value through security and privacy.

Build on Strength

4. Go for a win-win. Seek out synergies between security and function.
5. Avoid partners that weaken your security.

Knowledge is Power

6. Always be (threat) modeling.
7. Give customers control and oversight over their data.

You Will Be Hacked

8. Design systems to reduce the impact of a compromise.
9. Assume that reality is always worse than it appears.
10. Have a rapid remediation plan. Practice using it.

Page 30: Security First - Trends and Principles

Security First

Thank you

