Use by permission DAN LOHRMANN, CHIEF STRATEGIST & CSO SECURITY MENTOR, INC. SEPTEMBER 6, 2017

Size: px

Start display at page:

Download "Use by permission DAN LOHRMANN, CHIEF STRATEGIST & CSO SECURITY MENTOR, INC. SEPTEMBER 6, 2017"

Clarissa Boone
5 years ago
Views:

1 DAN LOHRMANN, CHIEF STRATEGIST & CSO SECURITY MENTOR, INC. SEPTEMBER 6, 2017

2 WHAT S ON THE AGENDA... INTRO ON CULTURE CYBER THREAT TRENDS GLOBAL CHALLENGE IOT + OTHER REGULATIONS COMING THREE STORIES HOW CAN WE PREPARE FOR FUTURE CYBER CHALLENGES? THE JOURNEY TO A CULTURE THAT ANTICIPATES CYBER RISK FINAL THOUGHTS 2

The Power of Culture Peter Drucker: Culture eats strategy for breakfast. Culture isn't the enemy of strategy and performance, but an equal player in the game, not to be underestimated or overlooked.

3 The Power of Culture Peter Drucker: Culture eats strategy for breakfast. Culture isn't the enemy of strategy and performance, but an equal player in the game, not to be underestimated or overlooked. David Novak, co-founder and former CEO of YUM Brands, on how he built YUM brands: Success is all about culture. and Build your team with a set of core values and staff recognition. Say thank you. 3

MIT Sloan: Achieving Digital Maturity Based on a 2017 global survey of more than 3,500 managers and executives and 15 interviews with executives and thought leaders, MIT Sloan Management Review third

4 MIT Sloan: Achieving Digital Maturity Based on a 2017 global survey of more than 3,500 managers and executives and 15 interviews with executives and thought leaders, MIT Sloan Management Review third annual study of digital business reveals five key practices of companies that are developing into more mature digital organizations. 1) Implementing systemic changes in how they organize and develop workforces, spur workplace innovation, and cultivate digitally minded cultures and experiences. Reference: 4

5 Future of Work: Alternative Workforce 5

6 Deloitte s Future of Work: Culture Still Key 6

What was security like after the 9/11 Do

7 Small group: Break into groups of 3-5 Where Were you on 9/11/01? 1) 2) 3) What was security like before the event (offline + online)? What was security like after the 9/11 event (offline + online)? Do you have a culture of security now? Yes or No and why? 7

8 CYBERTHREAT RECAP

9 CYBER THREATS

CYBER THREATS 2017 - CHANGE & GROW Symantec: Ransomware will attack the cloud McAfee: IoT malware opens a backdoor into the home Kaspersky: Commodification of financial attacks LogRhythm: Entire

10 CYBER THREATS CHANGE & GROW Symantec: Ransomware will attack the cloud McAfee: IoT malware opens a backdoor into the home Kaspersky: Commodification of financial attacks LogRhythm: Entire Internet will go down for a day Everyone: More DDoS attacks via IoT Everyone: Lack of trust More Fake News White Hat Security: Nothing will change. Forcepoint: Rise of the Corporate Incentivized Insider Threat FireEye: Security integration and orchestration considered the benchmarks of new technology investment You Ain t Seen Nothing Yet IDC: 2017 will be worse in every aspect of information security 10

11 Global Cyber Emergency Ransomware Epidemic 11 11

12 INTERNET OF THINGS AT RSA17 & GARTNER RISK SUMMIT A NEW BUZZWORD FOR ALL TECH? HUNDREDS OF IOT HEADLINES - NEW PRODUCT ANNOUNCEMENTS - INTERNET OF THINGS (IOT) THEMES RELATED TO ATTACKING DEVICES - CONSUMER - CRITICAL INFRASTRUCTURE COMPONENTS - GOVERNMENT SMART (EVERYTHING) - PANELS - MENTIONED IN MOST PRESENTATIONS ACCEPTED - HANDS-ON IOT DISPLAYS IN BASEMENT OF MARRIOTT MARQUIS BOTTOM LINE: IOT WAS THE #1 TOPIC AT THE RSAC 2017 IN SAN FRANCISCO 12

13 Homework: Regulating the Internet of Things By: Bruce Schneier 13

14 How Can We Build A Culture That Anticipates Cyber Risk Three Stories to Help 14

INTERNET OF THINGS - INITIAL DEPLOYMENTS

15 #1 LEARN FROM HISTORY SECURITY REPEATS ITSELF, WITH A TWIST MICHIGAN S WIRELESS ADVENTURE. FROM WIRELESS TO CLOUD TO MOBILE TO INTERNET OF THINGS - INITIAL DEPLOYMENTS LACK SECURITY. TWO OPPOSING CAMPS EMERGE: LEADING-EDGE ADOPTERS AND SECURITY NAYSAYERS. 15

16 SECURITY LEADER BALANCING ACT ONE EXTREME TO THE OTHER SECURITY IS A DISABLER. THE ANSWER IS: NO! (WHAT WAS THE QUESTION?) ALL NEW IDEAS ARE BAD, NOT SECURE. COOL FEATURES NOW GO FOR VIRAL. FIRST TO MARKET, WE LL ADD SECURITY LATER. WHAT SECURITY? Find the middle road. Make security an ENABLER! 16

17 SECOND STORY FROM CYBER STORM ONE Cyber Storm I 2006 Global, multi-national exercise Michigan one of three states participating in both How much would you pay for a new mainframe in a crisis? 17

WHAT NEFARIOUS PURPOSE COULD BE APPLIED TO WHATEVER I M INVENTING IN IOT? 2.

18 SECURITY LESSON #2: FUTURE ENEMIES ARE NOT ALWAYS OBVIOUS CYBER THREATS (AND ACTORS) ARE EVOLVING QUESTIONS TO ASK: 1. WHAT NEFARIOUS PURPOSE COULD BE APPLIED TO WHATEVER I M INVENTING IN IOT? 2. WHAT PROTECTIONS ARE IN PLACE? 3. WE VE BRAINSTORMED TO SOLVE THE PROBLEMS, BUT WHAT NEW PROBLEMS ARE WE CREATING? 18

19 THIRD LESSON WE MUST CONSTANTLY LEARN & ADAPT TO NEW CULTURES 19

KEY QUESTIONS: WHAT NEW NORMAL IS BEING CREATED WITH TECHNOLOGY INFRASTRUCTURE PLATFORMS? WHAT ASSUMPTIONS ARE BEING BUILT INTO YOUR CULTURE?

20 KEY QUESTIONS: WHAT NEW NORMAL IS BEING CREATED WITH TECHNOLOGY INFRASTRUCTURE PLATFORMS? WHAT ASSUMPTIONS ARE BEING BUILT INTO YOUR CULTURE? WE ALL HAVE BLIND SPOTS? ASK: WHAT IF? CULTURE CHANGE: WILL THERE BE A CYBER 911 CHALLENGING ASSUMPTIONS? ONE EXAMPLE: IDENTITY MANAGEMENT SMARTPHONE BECOMES A UNIVERSAL REMOTE 20

21 The Pragmatic Journey: 7 Keys to Strengthen Your Cybersecurity Culture 1)Genuine Executive Priority and Support 2)Honest Risk Assessment to Measure Security Culture Now 3)A Clear Vision of Where You Want Your Security Culture to Be 4)A Cyber Plan (Roadmap) to Arrive at Your Destination 5)Clear Cybersecurity communication to the Masses 6) End User Security Awareness Training for Everyone 7) Celebrate Success with Food and Fun. Say thank you! Reference: 21

22 The Journey: In Other Terms 22

23 MISTAKES: MAKING TRAINING A PUNISHMENT 23

24 How about you? Is this another ipad-like craze? 24

25 MY (FITBIT) WATCH: 1) 2) 3) 4) RESULTING IN: 1) 2) 3) 4) 5) 25

26 Final Thought - Phone a Friend - We need partnerships to succeed 26

PARTNER: YOU CAN T DO IT ALONE OUR VALUED ECOSYSTEM INCLUDES (OPS AND PLANNING): DEPARTMENT OF HOMELAND SECURITY

GOVERNMENTS, PRIVATE SECTOR CONTRACTS MICHIGAN INTELLIGENCE OPERATIONS CENTER (MIOC) RESOURCES: Stay Safe Online:

org/re-cyber/ THE NO MORE RANSOM PROJECT: HTTPS The Department of Homeland Security (DHS) Critical Infrastructure

27 PARTNER: YOU CAN T DO IT ALONE OUR VALUED ECOSYSTEM INCLUDES (OPS AND PLANNING): DEPARTMENT OF HOMELAND SECURITY (DHS) MICHIGAN INFRAGARD MULTI-STATE INFORMATION SHARING & ANALYSIS CENTER (MS-ISAC) FBI, OTHER STATES, LOCAL GOVERNMENTS, PRIVATE SECTOR CONTRACTS MICHIGAN INTELLIGENCE OPERATIONS CENTER (MIOC) RESOURCES: Stay Safe Online: THE NO MORE RANSOM PROJECT: HTTPS The Department of Homeland Security (DHS) Critical Infrastructure Cyber Community or C³ (pronounced C Cubed ): The Federal Trade Commission s Start with Security: 27

28 THANK YOU! Contact Information: Dan Lohrmann, Chief Strategist & CSO Security Mentor, Inc., Blog: Lohrmann on Cybersecurity & Infrastructure: Connect on LinkedIn or 28

What It Takes to be a CISO in 2017

What It Takes to be a CISO in 2017 Doug Copley Deputy CISO Sr. Security & Privacy Strategist February 2017 IMAGINE You re the CISO In Bangladesh Of a bank On a Friday when you re closed You realize 6 huge