The Chief Financial Officer (CFO) plays a critical role in Enterprise Security - but rarely gets a direct glimpse at some of the challenges, and no-frills realities of the challenge of defending an enterprise. This talk provides 5 key take-aways for CFOs.

1. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
Enterprise Security and the
CFO
Five things you need to know
Rafal Los, Principal – Strategic Security Services HP ES
June 5th, 2013

2. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.2
Enterprise Security is a
boardroom topic.

3. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.3
“Enterprise Security” in
transition

4. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.4
From a ‘blunt tech
instrument’..

5. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.5
..to a strategic business asset.

6. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.6
CFOs aren’t the enemy

7. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.7
I know a little about this-

8. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.8
From SMB to Fortune 50

9. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.9
CFOs should understand
security

10. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.10
CFOs should support security

11. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.11
But…

12. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.12
Security poses a challenge

13. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.13
of breaches
are reported
by a 3rd party94%

14. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.14
average time to detect
breach
416days
2012 January February March April May June July August September October November December 2013 January February
March April

15. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.15
71%
Since 2010, time to resolve an attack has grown

16. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.16
Arming the CFO for reality

17. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.17
First-

18. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.18
A breach event is imminent

19. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.19
<uncomfortable silence>

20. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.20
This is an uncomfortable
reality

21. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.21
Many have tried to be ‘secure’

22. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.22
All eventually fail.

23. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.23
$64,000.00 question: Why?

24. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.24
Every new ‘thing’ …

25. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.25
..can pose a threat

26. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.26
..can contain a vulnerability

27. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.27
This isn’t a solvable
problem…

28. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.28
..detection is not perfect

29. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.29
..compromises must be made

30. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.30
..risk can never be eliminated.

31. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.31
Humans will always be a
weakness

32. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.32
You can not demand ‘secure’.

33. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.33
Second-

34. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.34
Prevention is producing
diminishing returns

35. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.35
75% budget on network
security

36. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.36
84% breaches at application
level

37. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.37
This should tell us something

38. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.38
WhathappensWHENyou’re
breached

39. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.39
Re-assess security budget

40. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.40
What to focus on now?

41. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.41
Detection of malice, or attack

42. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.42
Find the attacker within,
earlier

43. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.43
Understand the attack, sooner

44. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.44
Response to an incident

45. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.45
More than just technology!

46. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.46
Legal, PR, marketing –
response

47. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.47
“What do you do then?”
Hint: Panic is not an
option.

48. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.48
Processes need to be built

49. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.49
People need to be trained

50. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.50
Mock scenarios must be run

51. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.51
Yes, technology is needed

52. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.52
Efficiency of response is
critical

53. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.53
Detected, Responded, now..

54. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.54
Service recovery/restoration

55. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.55
Restore business processes

56. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.56
Bring back critical systems

57. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.57
BUT – they have to be ‘fixed’
first

58. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.58
( Lots of costs hidden here )

59. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.59
Spend $ here before it
happens

60. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.60
Spend $$$ here after the fact

61. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.61
The bottom line:

62. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.62
Spend more on preparedness

63. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.63
Third-

64. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.64
Technology alone isn’t a
solution
aka “boxes don’t stop attackers”

65. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.65
Don’t forget the people!

66. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.66
The general cycle of products-

67. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.67
1. Architect a solution

68. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.68
2. Purchase the solution

69. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.69
3. Install the solution

70. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.70
4. Done?

71. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.71
This is where the real work
starts

72. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.72
Have you integrated?

73. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.73
Have you operationalized?

74. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.74
How do you respond to red
lights?

75. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.75
Fourth-

76. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.76
Bigger budget may mean less
effective security

77. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.77
How is that possible?

78. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.78
More stuff = better security

79. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.79
Right?

80. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.80
Not if you don’t operationalize

81. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.81
Simple example-

82. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.82
An analyst has finite
capability

83. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.83
If 1 analyst can do 1 task
effectively

84. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.84
They can do 2 tasks less
effectively

85. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.85
..and 5 tasks poorly.

86. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.86
Gets worse from there down.

87. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.87
But this is what enterprises
ask!

88. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.88
Howisyourenterprisemost
effective?

89. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.89
Technology should enable

90. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.90
Technology should adapt to
people

91. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.91
NOT people adapting to
technology

92. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.92
Fifth-

93. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.93
You, Hackers motivated
similarly

94. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.94
Hackers want it.

95. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.95
You try to spend it wisely.

96. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.96
This gives us insight!

97. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.97
So how do you win?

98. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.98
Increase the attacker’s costs

99. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.99
Play their game, on your
terms.

100. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.100
As the CFO you have a
responsibility

101. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.101
Empower your security
organization

102. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.102
Provide strategic financial
guidance

103. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.103
Not just $pending capital.

104. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.104
Talk to me for more
information…

105. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.105
HP can help you fight smarter.

106. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.106
. Rafal Los
Principal, Strategic Security Services
HP Enterprise Security Services
Member “HP Cloud Advisors”
http://h18004.www1.hp.com/products/solutions/cloud_advisors/index.html
Cloud Security Alliance
OWASP (Open Web Application Security Project)
10+ year Information Security industry veteran
Security generalist to Business Security Leader
Blogger, speaker
Email: Rafal@HP.com
Phone: +1 (404) 606-6056
Skype: Wh1t3Rabbit

107. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
Thank you