Turning Adversaries to Allies
Robert Keefer
CISSP, C|EH, Security+, MCSE
16+ years experience in IT and InfoSec
Healthcare, Automotive, Manufacturing, Software Development, and other verticals
Sound Familiar?
• You’re told about a new project—as it’s being put in place.
• Security assessments are recycled more often than read
• Security initiatives go nowhere, or go slowly
• Every issue you bring up becomes an argument
Scenario One: Higher Ed
• Each department ran its own IT; only vaguely reported to the CIO
• “Shadow IT” was the norm
• Hard to get buy-in; directors didn’t oversee IT well
• Communication problems
• Security awareness existed, but each group did its own thing
Scenario Two: Development House
• ISO was in Detroit, but the development team was in Seattle
• Remote location (West Coast) makes communication difficult
• Previous experience with InfoSec was poor, setting up for resistance
• Need to develop quickly—Agile development
• Customer heavily invested in security
Scenario Three: Healthcare
• Highly changeable
• IT very resistant due to bad experience
• Network team took over much of InfoSec duties
• HIPAA sole guideline for InfoSec
• Compliance-focused instead of security-focused
Common Issues
• Information Security seen as additional cost or work
• Previous bad experiences causing “bad blood”
• Resistance to adopting InfoSec requirements/initiatives
• InfoSec not always related well to business goals
• Little buy-in or support from management
• Compliance focus instead of, or prioritized over, security focus
Scenario One: Approach
• Treat each department separately: what are their needs/fears?
• Keep programs small and flexible; customize as needed
• Work with each team as experts in their fields; do not dictate solutions
• Management buy-in is hard, but means greater ability to act
• Create opportunities for collaboration
Scenario Two: Approach
• Leverage the customer need
• Work with devs as experts; provide requirements and let them solve
• Many face-to-face meetings; don't be a voice on the phone
• Work towards a "yes" instead of from a "no"
Scenario Three: Approach
• Be approachable
• Keep communication lines open
• Adjust technical content to the audience
• Be transparent with methods as well as results
• Prioritize on risk—journey, not destination
Common Solutions
• Clear requirements, goals, and reasons
• Tie InfoSec requirements to business goals (Business-Enabled Security)
• Stay reasonable; know when to say “yes”
• Focus on good risk management
• Gratitude!
Common Pitfalls: Watch Your Step
Dictating Solutions
• Demanding specific solutions: “My way or the highway”
• Supply requests and requirements
• Ask for solutions; let the SMEs supply them
• Multiple solutions exist for any problem
• Prepare to be flexible
The Bogeyman
• Hackers, HIPAA, government audits
• Fear as a motivator
• Government standards are seen as a ceiling instead of a floor
• Remember that compliance != secure, but secure is usually compliant
• Focus on business-enabled security, not fear-based security
Gatekeeping
• Similar to Dictating Solutions
• Insisting that all risks must be resolved or the project will be blocked
• Risk management is key
• Some risks are mitigated, some are accepted
• Business must keep doing business!