1. Enterprise Security and the CFO
Five things you need to know
Rafal Los, Principal – Strategic Security Services HP ES
June 5th, 2013
© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
2. Enterprise Security is a boardroom topic.
3. “Enterprise Security” in transition
4. From a ‘blunt tech instrument’..
5. ..to a strategic business asset.
6. CFOs aren’t the enemy
7. I know a little about this-
8. From SMB to Fortune 50
9. CFOs should understand security
10. CFOs should support security
11. But…
12. Security poses a challenge
13. 94% of breaches are reported by a 3rd party
14. 416 days average time to detect breach (timeline graphic: January 2012 to April 2013)
15. Since 2010, time to resolve an attack has grown 71%
Arming the CFO for reality
17. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.17
First-
18. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.18
A breach event is imminent
19. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.19
<uncomfortable silence>
20. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.20
This is an uncomfortable
reality
21. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.21
Many have tried to be ‘secure’
22. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.22
All eventually fail.
23. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.23
$64,000.00 question: Why?
24. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.24
Every new ‘thing’ …
25. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.25
..can pose a threat
26. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.26
..can contain a vulnerability
27. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.27
This isn’t a solvable
problem…
28. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.28
..detection is not perfect
29. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.29
..compromises must be made
30. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.30
..risk can never be eliminated.
31. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.31
Humans will always be a
weakness
32. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.32
You can not demand ‘secure’.
33. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.33
Second-
34. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.34
Prevention is producing
diminishing returns
35. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.35
75% budget on network
security
36. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.36
84% breaches at application
level
37. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.37
This should tell us something
38. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.38
WhathappensWHENyou’re
breached
39. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.39
Re-assess security budget
40. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.40
What to focus on now?
41. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.41
Detection of malice, or attack
42. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.42
Find the attacker within,
earlier
43. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.43
Understand the attack, sooner
44. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.44
Response to an incident
45. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.45
More than just technology!
46. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.46
Legal, PR, marketing –
response
47. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.47
“What do you do then?”
Hint: Panic is not an
option.
48. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.48
Processes need to be built
49. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.49
People need to be trained
50. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.50
Mock scenarios must be run
51. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.51
Yes, technology is needed
52. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.52
Efficiency of response is
critical
53. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.53
Detected, Responded, now..
54. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.54
Service recovery/restoration
55. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.55
Restore business processes
56. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.56
Bring back critical systems
57. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.57
BUT – they have to be ‘fixed’
first
58. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.58
( Lots of costs hidden here )
59. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.59
Spend $ here before it
happens
60. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.60
Spend $$$ here after the fact
61. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.61
The bottom line:
62. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.62
Spend more on preparedness
63. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.63
Third-
64. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.64
Technology alone isn’t a
solution
aka “boxes don’t stop attackers”
65. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.65
Don’t forget the people!
66. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.66
The general cycle of products-
67. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.67
1. Architect a solution
68. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.68
2. Purchase the solution
69. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.69
3. Install the solution
70. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.70
4. Done?
71. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.71
This is where the real work
starts
72. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.72
Have you integrated?
73. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.73
Have you operationalized?
74. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.74
How do you respond to red
lights?
75. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.75
Fourth-
76. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.76
Bigger budget may mean less
effective security
77. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.77
How is that possible?
78. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.78
More stuff = better security
79. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.79
Right?
80. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.80
Not if you don’t operationalize
81. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.81
Simple example-
82. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.82
An analyst has finite
capability
83. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.83
If 1 analyst can do 1 task
effectively
84. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.84
They can do 2 tasks less
effectively
85. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.85
..and 5 tasks poorly.
86. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.86
Gets worse from there down.
87. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.87
But this is what enterprises
ask!
88. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.88
Howisyourenterprisemost
effective?
89. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.89
Technology should enable
90. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.90
Technology should adapt to
people
91. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.91
NOT people adapting to
technology
92. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.92
Fifth-
93. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.93
You, Hackers motivated
similarly
94. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.94
Hackers want it.
95. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.95
You try to spend it wisely.
96. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.96
This gives us insight!
97. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.97
So how do you win?
98. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.98
Increase the attacker’s costs
99. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.99
Play their game, on your
terms.
100. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.100
As the CFO you have a
responsibility
101. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.101
Empower your security
organization
102. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.102
Provide strategic financial
guidance
103. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.103
Not just $pending capital.
104. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.104
Talk to me for more
information…
105. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.105
HP can help you fight smarter.
106. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.106
. Rafal Los
Principal, Strategic Security Services
HP Enterprise Security Services
Member “HP Cloud Advisors”
http://h18004.www1.hp.com/products/solutions/cloud_advisors/index.html
Cloud Security Alliance
OWASP (Open Web Application Security Project)
10+ year Information Security industry veteran
Security generalist to Business Security Leader
Blogger, speaker
Email: Rafal@HP.com
Phone: +1 (404) 606-6056
Skype: Wh1t3Rabbit
107. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
Thank you