
InfoSec Parenting

BSides SLC · 2017 · 23:33 · 67 views · Published 2017-06
Category: Career
Style: Talk
About this talk
As our children grow, their curiosity and understanding of the world grow with them. When our children come of age, they question everything we do and no longer accept "no" as an answer. Much like our children, our business partners are also growing. Today's typical employee is exposed to technology at home and at work. Gone are the days when employees had no knowledge of technology, and because of this the business no longer accepts "no" as an answer when it relates to security issues. This opportunity means that we must correctly assess the risk of security gaps and communicate that risk to the business in terms they will understand. Doing so will help us forge a better relationship with our business partners, serve their needs better, and provide better security for our organizations.
Transcript [en]

[Music] Okay, [inaudible], alright. Okay, I thought I'd start by kind of introducing myself. My name is Tom Elegante. I'm pretty new to the scene; last year was my first year at BSides, and I guess I enjoyed it so much I thought I'd put together a little presentation this year. So you'll get an idea of where the term "InfoSec parenting" comes from; this is something some of my co-workers and I have talked about over the past year. My background is primarily in the financial industry. I've got 12 or 13 years in the financial industry, ten of which have been in some sort of risk management function. It's been

operational risk, technology risk, security risk. So that's kind of where my talk is based: a lot in risk management, having those discussions with our business partners. To be perfectly honest, five or six years ago I didn't even know security existed. Back when I was getting my bachelor's and master's degrees, you know, you'd go through a web programming class and maybe they'd talk about it; you'd sit in a database admin class and maybe you talked about security. But it really wasn't as big a thing as it is now, so I really didn't know that this field existed. But I enjoy it. It's a fun field. There are some challenges in it, but I enjoy the fact that we get a lot of opportunity to

learn and to grow. There's always something new, and there are a lot of brilliant people in the industry to learn from. One of my favorite things about it is I enjoy kind of talking about what I do for a living, because it's fun to solicit responses from people. This is kind of what my grandma thinks I do, and that's a teller. My grandma, bless her heart, and which is fine. My son, of course, thinks I'm a security guard. This is what most friends and family think I do, and it's some kind of helpdesk, right? Of course there's the portrayal of what the media thinks we do, and then there's kind of that grim reality

where we sit in a grey cubicle all day. But from my limited exposure to security, there are a couple of things that I've learned from sitting in conferences like this and talking to people. There are a couple of challenges that I think we as security professionals face, and it's those challenges that I wanted to talk about today. So in addition to finance I've spent some time in education, and I'm actually married to an educator, and so I've spent a lot of time talking about human development, child learning, child growth, that kind of stuff. There are a bunch of theories out there, and it kind of depends on which theory you subscribe to, but they all kind of categorize child growth and

child development into a bunch of different categories, and it's all based on kind of the cognitive learning cycle that children go through. If you think about some of the children that are in infancy and the early stages, they don't really have a good understanding of the world around them. They don't really know much about the world around them. We as parents take care of them, we meet all their needs; they don't understand hot from cold, all right? But as they progress they learn more and more about the world around them. Then they become teenagers, right, and in kind of that adolescent stage they have a pretty good understanding of what's going on around them. That brings some

challenges, right, because first of all they can kind of get that idea that they know everything, and so it's kind of a contentious conversation sometimes. The other challenge is... one of the things I enjoy is teaching youth sports, especially girls' softball. I love coaching girls' softball; it's a lot of fun. Soccer is fun; there are a few other things. But if you've ever had a chance to talk to a teenager... I have been in conversations with my beautiful daughter at times where she has walked away and I've turned to my wife and asked my wife what she was talking about. So there's this communication gap that we have now. Sometimes in security I feel like we're parenting. I

don't know if any of you have had a similar feeling. I think a lot about the quote from The Incredibles. You remember, back in the early part of the movie, Mr. Incredible is kind of going through the reels and is being interviewed, and he says, "You know, sometimes I feel like the maid in here. I just cleaned up." That's kind of how I sometimes feel as a security professional, right? You just address the vulnerability, take care of some security issue, and the next day there's something new. Well, I propose to you that our business partners, and I like to use the term business partners because that's what they are, we should have this partnership with the rest of the

business, and that can be IT, it can be marketing, it could be operations, it could be accounting, right? But we should have this partnership with them where we're working towards the same goal, where we're trying to accomplish the same thing. I think our business partners are a lot like teenagers, right? They have a pretty good understanding of the world around them. They have this general concept of technology, right? Our business partners all have smartphones, which have more power in them than, you know, a lot of the computers we grew up on. They have IoT devices, they all use Wi-Fi, they use Bluetooth, they have all this technology. So they have some basic

understanding, and sometimes they think they know more than they do, but sometimes there's that communication gap when we're talking to our business partners. We don't always see things on the same level; they've got different goals than we do sometimes. So that's one of the challenges that we face. The other challenge that we face is that I think sometimes as security professionals we tend to overreact. I've seen this a lot. A couple of my co-workers and I were talking today, and it happened in our organization just a couple of days ago, so it happens quite a bit, where we as security professionals tend to kind of freak out. I had an old boss that used to call this the knee-jerk

reaction, right? We find a vulnerability and we kind of freak out. Now there are times when that freakout is warranted, and there are times when it's not so much. The problem is it kind of develops that boy-who-cried-wolf syndrome, where we kind of lose some trust with our business partners, and so we kind of build this wall and it kind of gives us a bad name. So over the next 15-20 minutes I want to talk about how I like to address these challenges: ways that we can work with our business partners to accomplish goals, to basically secure the organization. And the best way that I know to do that is

through risk. And of course my background is in risk management, so that's kind of where I tend to lean, but risk helps us paint a picture. It helps us tell a story about what's going on; it helps us present how much badness there is in security, right? So we can have discussions on terms with our business partners, talking about security. Now one of the nice things is that recently the term risk is being used quite a bit, and so that's good, it's kind of being talked about. The unfortunate part about that is I think a lot of people don't quite understand what risk is and how to fully address it. So this is

actually one of my favorite definitions of risk. This comes from a paper in 2009 called "A New Approach for Managing Operational Risk." It was a joint effort written by a whole bunch of actuaries and really technical statisticians and such. The report itself is based on the financial crisis and it's kind of from an operational risk standpoint, but I think a lot of the things within it are germane to security risk. So it's basically any deviation from the expected outcome. So I had an old boss that owned a couple of skate and board shops in Montana and Utah, and he would always put aside X amount of

money every year for theft. That's not risk. He was expecting to lose a certain amount of money every year due to theft; anything above that was risk for him. So another basic definition is this, and this is one I use quite a bit, where risk is really the convergence of three things: you need an asset, which is something of value; you need a vulnerability, which is some kind of weakness; and then you need a threat, something or someone to act upon that weakness and try to take advantage of that asset. Now an example that I like to use, because it kind of relates things back to our personal lives, is our daily commutes, my daily commute, right? So

every day I get in my car and drive to work. Now based on empirical evidence that I've had and collected over the years, I know that I should arrive at work within a given amount of time, and that the probability of arriving there is near 100%. You know, and I've got an asset: I've got my life, my car, things of value to me. I have weaknesses: my brake shoes, my tires, you know, my reaction time, things that are kind of weaknesses. I have threats out there: other drivers, the weather. So every day I get in my car and drive to work. Well, there were several times this year when I'd get in my car to drive to work and it had snowed a

foot, and so that expected outcome had deviated enough from what I expected that I decided to work from home that day. So that's just kind of a simple example of how we use risk in our daily lives. So risk is really about making a forecast; it's about trying to forecast something, right? And there are two primary components of risk, and we're all kind of familiar with them in some aspect. The first one is probability, right? It's that likelihood; it's how likely is an event to take place. And we're all familiar with this on some level. If you watch, you know, weather forecasting is a great one. You ever see

that there's a 60% chance of snow in the morning? That sixty percent chance is probability. You flip a coin ten times, you know, six times it's going to end up snow. The other piece of that is impact, right? What are we going to lose if that event happens? Right, with a weather forecast, when they predict three to five inches of snow, that three to five inches of snow is impact. Now when we're speaking to our business partners, that impact is typically dollars. We want to put it in a dollar amount so that they can understand it, because that's real value to them. If we can forecast risk in real dollars we can help them understand

how important security is and how to prioritize and address security. Now those two concepts together: we often see probability times impact equals risk, which really isn't the case, but it shows you kind of how they interoperate and how they work together. And we see something like this. This is a typical risk matrix that you see in a lot of the traditional ways of thinking, where you have impact and probability and that gives you some kind of risk statement. The problem is, and I love this, if you get a chance, the document that I referenced a few slides ago is a great document and a great paper, and it talks about some of the thoughts

around this. But if you notice the red stuff, because we as humans inherently think something that's red is bad, is something that happens often and costs a lot of money. Well, that isn't really risk. That's called bankruptcy; that's bad business. If you've got an event that's happening quite often and costing a lot of money, you're going to be out of business pretty quick. So really risk looks something like this, where you're more worried about those high-impact situations that don't happen very often, those black swan events, right? So this is actually one of my favorite kinds of scenarios, ways to talk about risk. It comes from a company that I trained with several years ago called RiskLens, and

it's called the bald tire scenario, and it's really kind of getting you thinking about how much risk there really is. So I want you to think about a bald tire. The tire's pretty bald; there's really no tread on the tire. The question is, how much risk is there? Take that same bald tire and hang it from a tree with a rope, and the question is, how much risk is there? Right, now take that same tire, hang it from that tree with that rope, but that rope is fraying. How much risk is there? And then finally you've got that same tree hanging from, excuse me, the same tire hanging from the same tree with a frayed rope, but

instead hanging over an 80-foot cliff with jagged rocks at the bottom. How much risk is there? The answer really is there's none, because who cares if an old dirty bald tire falls 80 feet down a cliff, right? Now we as humans, the tendency of our mentality when we first think of a bald tire, we've put it on a car, right, and we're concerned about the driver or those around him. And then in some of those other scenarios we picture a kid on a tire swing, you know, and the poor kid falls and breaks his leg, or in the last scenario he falls 80 feet to his doom. But the problem is there's no

context around that. And this kind of goes back to that knee-jerk reaction: as security professionals, a lot of times we don't have a lot of context around security issues. We have a general idea of security and what it might impact, and that's where we need to spend time with our business partners, working with them and getting to understand, really putting some context around security. So there are a couple of schools of thought out there around risk. The first is a very traditional concept, and it's qualitative, right? This is where you add a label onto risk. You see things like this: high, medium, low; green, yellow, red. I even saw this a few weeks ago, some... because there

was some risk, right? So this is you're throwing a label onto risk, which is a good start. Qualitative is a good start, and there are definitely some good models out there to begin your journey if you're not familiar with risk; it's a good place to start. But there are some challenges with qualitative, and one of the challenges that we often face is the idea of what does it mean, right? Something that's yellow to you could have a different meaning than something that's yellow to me; there's a little different context around it, right? One of the other challenges that we face with qualitative risk is that it's sometimes hard to defend, right? If you tell somebody we

have moderate risk or we have yellow risk, a lot of times that's just kind of a thumb-in-the-wind type decision, and so it's hard to really defend that. That's why I'm a big fan of quantitative risk, right? Quantitative risk allows us to put numeric values around things. It allows us to kind of talk on the same page; it allows us to have backing for some of our risk-based decisions, our security decisions. So when we go back to talking probability, there are several good models and taxonomies out there, and trainings out there, to help you develop impact, or excuse me, probability, so you can start putting

some numeric values around probability, right? And we're kind of familiar with this: if you study floods you'll see things like a 1-in-100-year flood, all right, that's a probability statement. Impact is a little easier because we want to throw things in dollar amounts. So when we have discussions with our business partners, they understand dollars, right? When we're helping them make decisions around security, we're helping them by using dollar amounts, and there's actually, we'll get to that in a minute, but it allows us to help put together a business case. We can help them prioritize and provide and secure funding for those risks, for those

security decisions. Again, there are a lot of models out there with quantitative. FAIR, which stands for Factor Analysis of Information Risk, is one of my favorites, developed by Jack Jones. If you get a chance to look at it, it's a great quantitative model that uses probability and impact. It uses its own taxonomy for it, but it's a great little model; it uses very basic introductory statistics to put impact and probability into quantitative results. I've also seen quite a few hybrid models, which is where you take dollar values and then wrap a label around them, so you'll see things like moderate, you know, moderate impact might mean 1 million to 5 million dollars, all right. And so what we do, the place that I

work at, some of my team members, some of the things we do is we do a lot of risk assessments when it comes to security work, because in security we are all risk managers whether we think about it in those terms or not. And these come in all different forms of risk statements. So sometimes these risk statements will be just a bullet point in a report; sometimes they're a full report that goes up to the board or to executive management. But to think about it in terms of security: when a security vulnerability comes out, regardless of what it is, it could be something as simple as a patch, you know, the most recent set of patches from

Microsoft. It could be something, you know, that the media stirs up, where there's a vulnerability that kind of hits mainstream media and executive management wants to know about it. So the first thing that we do, kind of walking you through the mindset of doing risk work with security, the first thing we do is kind of take a look at what it means to us: what systems are affected by it, how many systems are affected by it. We kind of get a lay of the land. Then we start diving into probability, all right, which is where we start looking at the threats: who's going to be attacking us, how are they going to be attacking us, do

you need the top tier of hackers to pull this off, or can, you know, a script kiddie pull it off? You start walking through the controls that you have in place, how we are protected. That allows you to kind of put some probability around it of, all right, how susceptible are we to this vulnerability? And then the last piece of that is impact, right? So again we try to put this into dollar values for our business partners so that they can understand it, but that is: all right, if we were to lose this asset, what's it going to cost us, how much is it going to cost us? And ultimately what our goal is, is to

help provide the business with some kind of decisioning, right? We want to help the business make a decision, because in the end a lot of us, not all of us, some of us are in places of employment where security is our business, but a lot of us are not. And so it's our business partners that are making the money, and they've got different goals than we have. They have revenue growth; they have operational expenses that they want to decrease, right? And then here we are as a security group trying to tell them that they need to spend another $20,000 to fix something, and that's not in their budget. They don't want to, right? But if

we can put it in terms, if we can develop a business plan, a business case for them, where we can tell them how much they're going to lose and what the probability of loss is, they can look at that and say, you know what, it's worth it, let's go ahead and address this vulnerability. Right, now there may be times when that's not the case, where maybe the cost of implementing the control and operating the control is too much and it doesn't make sense to fix it. But we can help have those discussions and prioritize, working with our business partners to prioritize security. And so really as a security professional, that's what we really are striving for, is this kind of nirvana

where the world is full of unicorns and rainbows and everybody's happy and working towards the same goal. So one of the ways that we can get there is by changing the way we as security professionals think and the way we communicate and work with our business partners. If we can put things in terms that they understand, helping them understand it in dollar values, and realizing, giving security a place at the table, we can kind of change that discussion. And hopefully, really our goal is to kind of secure the organization, right? But if we do it in the right way we can have this kind of utopia where us and our business

partners, IT, marketing, whatever, are kind of working towards the same goal. So anyway, that's kind of my two cents, my rant on risk. If you're doing risk management working in security, great. If not, I would strongly suggest looking at ways to implement it; it'll help bridge some of those discussions. And so anyway, I'd like to thank you all for taking the time today, and I appreciate it.
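The talk's central argument, that "probability times impact" and a red/yellow/green matrix hide the rare, high-impact events the business should actually worry about, is easier to see with numbers. The following is an added example and is not part of the talk or of RiskLens or FAIR material: a small FAIR-style Monte Carlo simulation in plain Python. It draws an annual event frequency and a per-event loss magnitude from min / most-likely / max ranges (a triangular distribution stands in for FAIR's calibrated PERT ranges), simulates many years, and reports the annualized loss expectancy alongside the tail figures a matrix collapses. Scenario A (frequent, cheap events) and scenario B (rare, expensive events) are constructed so that their "probability times impact" comes out comparable; their 99th-percentile years do not. The $20,000 control and the 80% reduction figure in the usage are assumptions, used only to show the business-case comparison the speaker describes.

```python
# Added example (not from the talk): a FAIR-style Monte Carlo loss estimate.
# All scenario numbers below are constructed assumptions, not real data.
import math
import random
import statistics


def poisson(rng, lam):
    """Draw an event count from Poisson(lam) using Knuth's method (fine for small lam)."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_loss(freq, magnitude, trials=10000, seed=7):
    """Simulate one year of losses `trials` times and return the annual totals.

    freq and magnitude are (min, most_likely, max) triples; a triangular
    distribution stands in for FAIR's calibrated PERT ranges.
    freq is loss events per year, magnitude is dollars per event.
    """
    rng = random.Random(seed)  # fixed seed so results are reproducible
    f_lo, f_ml, f_hi = freq
    m_lo, m_ml, m_hi = magnitude
    losses = []
    for _ in range(trials):
        lam = rng.triangular(f_lo, f_hi, f_ml)      # this year's expected event rate
        events = poisson(rng, lam)                  # how many events actually occur
        losses.append(sum(rng.triangular(m_lo, m_hi, m_ml) for _ in range(events)))
    return losses


def percentile(values, pct):
    """Nearest-rank percentile of a list (no numpy dependency)."""
    s = sorted(values)
    idx = min(len(s) - 1, int(round(pct / 100 * (len(s) - 1))))
    return s[idx]


def summarize(losses):
    """Annualized loss expectancy plus the tail figures a risk matrix hides."""
    return {
        "ale": statistics.fmean(losses),            # the 'probability x impact' number
        "p50": percentile(losses, 50),
        "p90": percentile(losses, 90),
        "p99": percentile(losses, 99),              # the black-swan year
        "p_loss_over_1m": sum(1 for x in losses if x > 1_000_000) / len(losses),
    }


def control_pays_off(losses, annual_control_cost, reduction):
    """True if the control's expected loss reduction exceeds its yearly cost."""
    return statistics.fmean(losses) * reduction > annual_control_cost


# Constructed scenarios with comparable expected annual loss:
# A: frequent, cheap events (think phishing-driven password resets)
# B: rare, very expensive events (think a breach of a core system)
SCENARIO_A = dict(freq=(20, 40, 60), magnitude=(500, 1_000, 2_000))
SCENARIO_B = dict(freq=(0.01, 0.02, 0.05), magnitude=(500_000, 1_000_000, 5_000_000))

if __name__ == "__main__":
    for name, sc in (("A", SCENARIO_A), ("B", SCENARIO_B)):
        s = summarize(simulate_annual_loss(**sc))
        print(name, {k: round(v, 3) if k == "p_loss_over_1m" else round(v) for k, v in s.items()})
    # Business case for the talk's hypothetical $20,000 fix, assuming it
    # removes 80% of scenario A's losses (assumed figures).
    print("A control worth it:", control_pays_off(simulate_annual_loss(**SCENARIO_A), 20_000, 0.8))
```

Both scenarios land in the same "tens of thousands per year" ALE band, which is exactly where a matrix would file them together. Scenario B's median year costs nothing at all, while its 99th-percentile year is a seven-figure loss; scenario A never gets anywhere near that. Presenting the full loss distribution (or at least the ALE and a tail percentile) is what lets a business partner weigh a control's annual cost against what it actually buys down.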
