CISO Survival In The Real World

Bill Burns
Director, Information Security

ISSA CISO Executive Forum
Feb 24, 2013
“Thrive”, not Survive



• Context
• A few contributions
• Future Bets & Areas of Focus
Future Bets 2015: Forcing Functions



• Social + Mobility + Cloud
• Traditional Controls Are Lacking
• Analytics
Netflix Business

• World’s largest TV network
• 33 million members in 40 countries
• Over a billion hours streamed per month
• Supported on 1000+ device types
• 1/3 of evening Internet traffic (c) 2011 Sandvine
Our Culture

• High Performance, Engineering-Focused
• Fail Fast, Learn Fast ... Get Results
• Data- and Metrics-Driven
• Take Smart Risks
• Some core values:
  • “Freedom & Responsibility”
  • “Loosely-Coupled, Highly-Aligned”
  • “Context not control”
Today: DataCenters & Cloud

• Tooling
• Risk Assessments, Treatments
• Business Processes
• ~99% Cloud-based today
• Goal: Pure-Cloud Streaming
Cloud: On-Demand Capacity

[Chart: Demand (1), # Servers (2) and Utilization (3) plotted over time]

1. Demand: Typical pattern of customer requests rise & fall over time
2. Reaction: System automatically adds, removes servers to the application pool
3. Result: Overall utilization stays constant
The Netflix Simian Army

• Striving for continuous testing, monitoring
• Identify and test common failure modes
• Automation everywhere to manage risk

• Chaos Monkey – Kills random instances
• Chaos Gorilla – Evacuates entire data centers
• Chaos Kong – Evacuates entire regions
• Janitor Monkey – Ensures a clean inventory
• Security Monkey – Various security checks
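The capacity loop on the previous slide and the Chaos Monkey on this one are two halves of one mechanism: the autoscaler replaces whatever the monkey kills, so utilization stays on target through injected failures. The simulation below is an added example written for this page, not code from the talk or from Netflix's Simian Army; the per-server capacity, the 70% utilization target, the demand curve and the guardrail thresholds are all constructed values.

```python
"""Autoscaling pool plus a Chaos Monkey-style instance killer with guardrails.

Added example for this page; not code from the talk or from Netflix's
Simian Army. Capacity, targets, demand figures and thresholds are constructed.
"""
import math
import random
from dataclasses import dataclass, field

CAPACITY_PER_SERVER = 100   # requests/sec one server can handle (constructed)
TARGET_UTIL = 0.70          # the autoscaler sizes the pool for 70% utilization
MIN_SERVERS = 2             # floor the pool never goes below (constructed)


@dataclass
class Pool:
    """The application pool: a set of instance ids plus a kill log."""
    servers: set = field(default_factory=set)
    next_id: int = 0
    killed: list = field(default_factory=list)

    def add(self, n: int) -> None:
        for _ in range(n):
            self.servers.add(f"i-{self.next_id:04d}")
            self.next_id += 1

    def remove(self, n: int) -> None:
        # Scale-in policy (constructed): retire the oldest instances first.
        for sid in sorted(self.servers)[:n]:
            self.servers.remove(sid)


def desired_servers(demand: float) -> int:
    """Slide step 2: size the pool so utilization comes back to the target."""
    return max(MIN_SERVERS, math.ceil(demand / (CAPACITY_PER_SERVER * TARGET_UTIL)))


def utilization(demand: float, n_servers: int) -> float:
    return demand / (n_servers * CAPACITY_PER_SERVER)


def chaos_monkey(pool: Pool, rng: random.Random, *, opted_in: bool = True,
                 min_healthy: int = MIN_SERVERS, probability: float = 0.2):
    """Kill one random instance, subject to guardrails.

    Guardrails: the pool owner must have opted in, the kill must not push the
    pool below its healthy floor, and kills happen with a bounded probability
    so the experiment stays a controlled test rather than an outage.
    Returns the killed instance id, or None when no kill happened.
    """
    if not opted_in or len(pool.servers) <= min_healthy:
        return None
    if rng.random() >= probability:
        return None
    victim = rng.choice(sorted(pool.servers))
    pool.servers.remove(victim)
    pool.killed.append(victim)
    return victim


def run(demand_curve, *, kill_probability: float = 0.2, seed: int = 1):
    """Slide steps 1-3 with failure injection: each tick the monkey may kill an
    instance, then the autoscaler re-sizes the pool for the current demand.
    Returns (history of (demand, servers, utilization) tuples, pool)."""
    rng = random.Random(seed)
    pool = Pool()
    pool.add(desired_servers(demand_curve[0]))
    history = []
    for demand in demand_curve:
        chaos_monkey(pool, rng, probability=kill_probability)
        want, have = desired_servers(demand), len(pool.servers)
        if want > have:
            pool.add(want - have)
        elif want < have:
            pool.remove(have - want)
        history.append((demand, len(pool.servers), utilization(demand, len(pool.servers))))
    return history, pool


# Constructed demand curve (requests/sec): an evening peak that rises and falls.
DEMAND_CURVE = [120, 300, 500, 650, 400, 150, 60]

if __name__ == "__main__":
    hist, pool = run(DEMAND_CURVE, kill_probability=1.0)
    for demand, servers, util in hist:
        print(f"demand={demand:4d}  servers={servers:2d}  utilization={util:.2f}")
    print("killed:", pool.killed)
```

Running it with `kill_probability=1.0` shows the worst case: an instance dies every tick the floor allows, yet utilization never exceeds the target because the autoscaler refills the pool.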
InfoSec Challenge in an IaaS Cloud :: Confidentiality/Possession
Key Management :: HSMs

• Motivation:
  • Decouple DC and Cloud
  • Trust our Cloud more fully
  • Others probably want this too
• Challenges:
  • Need crypto keys near the Cloud
  • HSMs are in the data center
  • Can’t entirely trust our CSP
• Solution:
  • A real HSM: FIPS 140-2 certified hardware
  • Keys stay in hardware
  • “HSM as a Service”
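One way to realise “keys stay in hardware” together with “HSM as a Service” is envelope encryption: cloud instances encrypt data locally with per-record data keys, and only the HSM side ever sees the root key that wraps those data keys. The code below is an added example for this page, not code from the talk or from any Netflix system; the service and client classes, role names, contexts and the standard-library stand-in cipher are all assumptions, and a real deployment would use the HSM's own AES-GCM or key-wrap mechanism.

```python
"""'HSM as a Service' boundary: envelope encryption with the root key kept
on the HSM side.

Added example for this page, not code from the talk or from any Netflix
system. HsmService stands in for the FIPS 140-2 HSM in the data center and
CloudClient for an instance in the cloud; role names, contexts and sample
data are constructed. The cipher is a standard-library stand-in (HMAC-SHA256
keystream plus HMAC tag); a real deployment uses the HSM's own AES-GCM or
key-wrap mechanism.
"""
import hashlib
import hmac
import secrets


def _prf(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from the PRF: block i = HMAC(enc_key, nonce || i)."""
    blocks = (_prf(enc_key, nonce + i.to_bytes(4, "big")) for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]


def seal(key: bytes, plaintext: bytes, aad: bytes = b"") -> bytes:
    """Authenticated-encryption stand-in: returns nonce || ciphertext || tag,
    with the associated data (the key context) bound into the tag."""
    enc_key, mac_key = _prf(key, b"enc"), _prf(key, b"mac")
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ s for p, s in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = _prf(mac_key, nonce + len(aad).to_bytes(4, "big") + aad + ct)
    return nonce + ct + tag


def open_sealed(key: bytes, blob: bytes, aad: bytes = b"") -> bytes:
    """Check the tag first (wrong key, wrong context or tampering all fail here),
    then decrypt."""
    enc_key, mac_key = _prf(key, b"enc"), _prf(key, b"mac")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = _prf(mac_key, nonce + len(aad).to_bytes(4, "big") + aad + ct)
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key, context or tampered data")
    return bytes(c ^ s for c, s in zip(ct, _keystream(enc_key, nonce, len(ct))))


class HsmService:
    """The HSM side of the boundary. The root key is generated here and is
    never returned by any method; callers only ever get wrapped data keys."""

    def __init__(self, authorized_roles):
        self._root_key = secrets.token_bytes(32)
        self._authorized = set(authorized_roles)
        self.audit = []          # (caller, operation, outcome) for every request

    def _authorize(self, caller: str, op: str) -> None:
        if caller not in self._authorized:
            self.audit.append((caller, op, "DENIED"))
            raise PermissionError(f"{caller} may not call {op}")
        self.audit.append((caller, op, "OK"))

    def generate_data_key(self, caller: str, context: bytes):
        """Return a fresh data key in plaintext (for immediate local use) and
        wrapped under the root key, bound to the caller-supplied context."""
        self._authorize(caller, "GenerateDataKey")
        dek = secrets.token_bytes(32)
        return dek, seal(self._root_key, dek, aad=context)

    def unwrap_data_key(self, caller: str, wrapped: bytes, context: bytes) -> bytes:
        self._authorize(caller, "UnwrapDataKey")
        return open_sealed(self._root_key, wrapped, aad=context)


class CloudClient:
    """Cloud-instance side: bulk encryption happens locally with a data key;
    the root key is only ever used inside HsmService."""

    def __init__(self, hsm: HsmService, role: str):
        self.hsm, self.role = hsm, role

    def encrypt_record(self, plaintext: bytes, context: bytes) -> dict:
        dek, wrapped = self.hsm.generate_data_key(self.role, context)
        return {"context": context, "wrapped_dek": wrapped,
                "ciphertext": seal(dek, plaintext, aad=context)}

    def decrypt_record(self, record: dict) -> bytes:
        dek = self.hsm.unwrap_data_key(self.role, record["wrapped_dek"], record["context"])
        return open_sealed(dek, record["ciphertext"], aad=record["context"])


if __name__ == "__main__":
    hsm = HsmService(authorized_roles=["streaming-app"])
    app = CloudClient(hsm, "streaming-app")
    rec = app.encrypt_record(b"member session token (constructed)", b"table=sessions")
    print(app.decrypt_record(rec))
    try:
        CloudClient(hsm, "batch-job").decrypt_record(rec)
    except PermissionError as err:
        print("denied:", err)
    print(hsm.audit)
```

The audit list is the part a CISO cares about when the CSP is not fully trusted: every wrap and unwrap is attributable to a role, and a stolen wrapped key is useless without a request the HSM side is willing to serve.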
Security: Thriving in an Agile Enterprise
Future Bets 2015: Org Demands

• Fluid, Virtual Teams of specialists / specialties
• Dynamically form & dissolve to address opportunities, challenges
• Emphasis on collaboration, roaming
• Analytic, data-driven
Future Bets 2015: Team Dynamics, Skills

• Teams will
  • Be Risk/Security Advisors, coaches, business analysts
  • Speak their language
• Skill sets will become
  • Less: people clicking on GUIs
  • More: analytics, automation, gluing systems together (APIs)
SaaS: In use Today? Next Year?

1. Email/chat/calendar
2. File Storage/backups
3. Service Ticketing
4. On-call paging
5. Log management
6. Authentication/IAM
7. App vulnerability scanning
8. Risk management
9. HRIS, ERM
10. Source code repository
11. Blogs, websites
12. Doc collaboration
13. Risk assessments
14. Encryption / key management
15. Data analytics/BI/DSE
16. Project Management
17. SIEM
18. VPN
19. MDM
20. Anti-Virus/Anti-malware
Future Bets 2015: Data, Application Security

• Business Forcing Function: Third-party cloud apps will innovate faster than your IT department can
• Cloud/SaaS will be IT tools, not competitors
• Data will be encrypted automatically off-network, off-device
• Automated, continuous assessments of your controls
Future Bets 2015: Device Security

• All-wireless office, Gigabit Wireless
• Smartphone building badges
• MDM layers: managed VPN, device- and app-wrapping
Future Bets 2015: Network Security

• You will be breached – Not “if” but “when”
• How fast can you respond, contain?
• Mix of trust: corporate, vendor, employee owned devices
• Verify every device, user
Future Bets 2015: Automated Protection

• We will no longer talk about BYO[everything]
• Zero-Trust / NAC will be common
• Networks will dynamically quarantine, inspect, test
• Large-scale event correlation, analytics => reaction
Future Bets 2015: What about the users?

• Awareness Training will
  • Be automated
  • Be context-relevant, bite-sized
  • Phish your employees before they do!
  • Actively test for vulnerabilities, quarantine
  • Gamify (“peer pressure”) on compliance, activity
  • Be developed collaboratively
Future Bets: Areas of Focus Today

The best way to predict the future is to invent it. – Alan Kay

The future is already here - it's just not evenly distributed. – William Gibson
Future Bets 2015: Targeted Training

Future Bets 2015: Security Analytics

[Chart, watermarked “SAMPLE DATA”]

Future Bets 2015: Security Analytics
Security Control A/B Testing

[Chart, watermarked “SAMPLE DATA”]
Thank you!

@x509v3
Bill.Burns@Netflix.com
